Researcher Frequently Asked Questions
If you can’t find what you’re looking for, Contact Us.
How do I get started on Bugcrowd?
Welcome and thanks for your interest in joining our researcher community! Here is a quick checklist to help you get started:
1. CREATE A BUGCROWD RESEARCHER ACCOUNT
Before you can report bugs and be rewarded for your findings, you need to create a Bugcrowd account. Your Bugcrowd account also comes with a profile which can be made public (or private), enabling you to show-off your skills and accomplishments to security peers and industry professionals.
2. PICK A BUG BOUNTY (OR SEVERAL!)
Bugcrowd has many public programs that you can hack on and find security vulnerabilities in, with many of them paying out cash as rewards. Each bounty page has all of the details you need to start testing, including a list of targets, the finding types that are in scope and out of scope (or excluded) from the bounty, and, for many programs, the rewards that they pay out.
3. BEGIN TESTING
If you’re new to bug bounties you may be interested in reading some guides and articles from our researcher community. If you have any questions or need help, join the Bugcrowd Forum and post your question.
4. REPORT A BUG
Once you’ve found a security vulnerability in a bounty program, click the “Report Bug” button on the bounty program page.
After you’ve reported a bug you will receive a response from Bugcrowd or the customer that is managing the bounty program. If you don’t receive a response within several days, please email us at support@bugcrowd.com and we will help you out.
5. FILL OUT YOUR PROFILE
Make sure to fill out your profile information to tell the community a bit more about yourself. Many people use this page to show off their skills, as well as to link to their personal websites and Twitter accounts.
6. SAY HELLO
The Bugcrowd community team is here to make sure your bounty hunting experience is an awesome one. Whether you need help, have ideas or just want to say hello, we’ll get back to you as soon as we can.
- Tweet us at @Bugcrowd
- IRC at irc.freenode.com in the #bugcrowd channel.
- Join the Bugcrowd community forum
- Have a question for Bugcrowd staff? Email support@bugcrowd.com
How do I pick a bug bounty (or several!)
Bugcrowd has many public bug bounties that you can hack on and find security vulnerabilities in, with many of them paying out cash as rewards. Each bounty page has all of the details you need to start testing, including a list of targets, the finding types that are in scope and out of scope (or excluded) from the bounty, and, for many programs, the rewards that they pay out.
How do I begin testing?
If you’re new to bug bounties you may be interested in reading some guides and articles from our researcher community. If you have any questions or need help, join the Bugcrowd Forum and post your question.
How do I report a bug?
Once you’ve found a security vulnerability in a bounty program, click the “Report Bug” button on the bounty program page.
After you’ve reported a bug you will receive a response from Bugcrowd or the customer that is managing the bounty program. If you don’t receive a response within several days, please email us at support@bugcrowd.com and we will help you out.
How do I create my profile?
Make sure to fill out your profile information to tell the community a bit more about yourself. Many people use this page to show off their skills, as well as to link to their personal websites and Twitter accounts.
Who do I contact for help?
The Bugcrowd community team is here to make sure your bounty hunting experience is an awesome one. Whether you need help, have ideas or just want to say hello, we’ll get back to you as soon as we can.
Have a question about a bug bounty program or your submission?
Email support@bugcrowd.com
How and when do I get paid?
Valid and accepted bugs submitted to a paid bounty program will result in a payment to your account. After your bug is accepted by the program owner, your reward will be paid out the following Wednesday. Note that the reward must be issued by 12:00am PT on Wednesday morning to guarantee payment in that week’s run.
Bugcrowd currently supports payments via Paypal and Payoneer. Please make sure to add either your Paypal account’s email address or sign up for a new Payoneer account in your Bugcrowd researcher account settings.
Have more questions about getting paid? Reach out to the support@bugcrowd.com team for more information.
Why was my submission given a low priority?
Bug submissions that affect singular users, require interaction or significant prerequisites to trigger, non-exploitable weaknesses and “won’t fix” vulnerabilities all will receive a low priority rating.
Learn more about our community-driven Vulnerability Rating Taxonomy here.
Why hasn’t my bug been confirmed yet?
Sometimes there can be delays in the confirmation of bug submissions. Bugcrowd works hard with our customers to speed up the confirmation process. Response time can vary; typically, programs that are Bugcrowd Managed (signified by a Bugcrowd “b” logo on the ‘Report Bug’ button) have a faster response time.
If you have submitted a bug to a Bugcrowd Managed program and have been waiting for more than two weeks for your bug confirmation, please send an email to support@bugcrowd.com and make sure to include your Bug Reference ID in your email.
I got my first private program invitation – now what?
Congratulations on receiving an invite to a private program! Invitations are sent out based on researcher performance, so great job on receiving one.
The private invitation email that you received will include the start date and time for the program, the prize pool, number of researchers invited, and the end date and time.
Log in to Bugcrowd and go to the Invited Programs page when the private program is about to start. From there you can accept the invitation and begin work on the private program.
How does the leaderboard work?
The Bugcrowd Researcher Leaderboard is updated at the beginning of every month. A researcher’s rank on the leaderboard is based on their total number of kudos points earned over all-time and over the previous month.
Kudos points are rewarded to researchers who submit valid vulnerability reports to programs on Bugcrowd. Read this blog post to learn more about how kudos points are rewarded and calculated.
Am I allowed to publicly disclose the bugs that I find?
All researchers must adhere to the responsible disclosure guidelines that are outlined in the bounty program’s details and rules sections. Bugcrowd’s Disclosure policies apply to all submissions made through the Bugcrowd platform, including Duplicates, Out of Scope, and Not Applicable submissions. Customers may select Nondisclosure, Coordinated Disclosure, or Custom Disclosure policies to be applied to their program brief. Please refer to our docs for details on the different Public Disclosure Policies at Bugcrowd.
Improper disclosure can result in the researcher being removed from a program and can even result in removal from the Bugcrowd platform.
If you have any questions about a program’s disclosure policy or process, please email support@bugcrowd.com and we will be happy to assist you.
How long will it be before the bug I submitted is validated?
You can view a program’s average response time on the program page’s top-right panel. This information can only be viewed when logged-in as a Bugcrowd researcher.
Response time can vary by program; programs that are managed by Bugcrowd typically have a faster response time. Bugcrowd managed programs will have a small Bugcrowd “B” logo on the ‘Report Bug’ button for the program.
How is my acceptance rate calculated?
Acceptance Rate is best explained as a comparison of valid to invalid reports. For those that are interested in the details:
Let X = The count of all your valid and duplicate submissions, including P5 won’t-fix
Let Y = The total count of all your submissions, excluding any that are marked ‘not applicable’, have not yet been reviewed, or have only been triaged but not confirmed.
Acceptance Rate = (X / Y) * 100
It’s a simple ratio of all of your accepted submissions to date, versus all submissions you’ve ever made. We exclude ‘not applicable’ submissions, which are those that have been marked by us or a customer as having been made in genuine and well-intentioned error. (And obviously we don’t include submissions that haven’t been finalized yet!)
How is my average priority calculated?
Average Priority is the average priority level of the bugs submitted by a researcher. This is based on our P1-P5 scoring system; a lower average score is better than a higher one.
You can read more about how we measure crowd performance here.
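The two metrics above, acceptance rate and average priority, worked through in code. This is an added illustration, not Bugcrowd’s own implementation: the submission state labels and the sample submission history are constructed for the example, and which submissions feed the average priority (accepted submissions that carry a P1-P5 level) is an assumption, since the page does not spell that out.

```python
"""Worked example of the researcher metrics described in the FAQ.

Added illustration, not Bugcrowd's own code. The state names and the
sample history below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Submission states assumed for this example (constructed labels).
VALID = "valid"                    # accepted by the program: counts toward X
DUPLICATE = "duplicate"            # valid but already reported: counts toward X
WONT_FIX = "wont_fix"              # P5 "won't fix": still counts toward X per the FAQ
INVALID = "invalid"                # reviewed and rejected: counts toward Y only
NOT_APPLICABLE = "not_applicable"  # good-faith error: excluded from Y
UNRESOLVED = "unresolved"          # not yet reviewed: excluded from Y
TRIAGED = "triaged"                # triaged but not confirmed: excluded from Y

ACCEPTED_STATES = {VALID, DUPLICATE, WONT_FIX}
EXCLUDED_STATES = {NOT_APPLICABLE, UNRESOLVED, TRIAGED}


@dataclass(frozen=True)
class Submission:
    ref_id: str
    state: str
    priority: Optional[int] = None  # P1..P5 as 1..5, None if none assigned


def acceptance_rate(subs):
    """(X / Y) * 100 as defined in the FAQ.

    X = valid + duplicate + P5 won't-fix submissions.
    Y = all submissions except not-applicable, unreviewed and triaged-only.
    Returns None when Y is zero (nothing has been finalized yet).
    """
    x = sum(1 for s in subs if s.state in ACCEPTED_STATES)
    y = sum(1 for s in subs if s.state not in EXCLUDED_STATES)
    if y == 0:
        return None
    return 100 * x / y


def average_priority(subs):
    """Mean P1-P5 level over accepted submissions that carry a priority.

    Assumption of this example: only accepted submissions with an assigned
    priority contribute. Lower is better. Returns None if none qualify.
    """
    levels = [s.priority for s in subs
              if s.state in ACCEPTED_STATES and s.priority is not None]
    if not levels:
        return None
    return sum(levels) / len(levels)


# Constructed sample history for one researcher.
SAMPLE = [
    Submission("ref-1", VALID, 1),
    Submission("ref-2", VALID, 3),
    Submission("ref-3", DUPLICATE, 2),
    Submission("ref-4", WONT_FIX, 5),
    Submission("ref-5", INVALID),         # in Y, not in X
    Submission("ref-6", NOT_APPLICABLE),  # excluded from Y
    Submission("ref-7", UNRESOLVED),      # excluded from Y
    Submission("ref-8", TRIAGED, 2),      # excluded from Y until confirmed
]

if __name__ == "__main__":
    # X = 4 (ref-1..4), Y = 5 (ref-1..5): 80.0%
    print(f"acceptance rate: {acceptance_rate(SAMPLE):.1f}%")
    # (1 + 3 + 2 + 5) / 4 = 2.75
    print(f"average priority: {average_priority(SAMPLE):.2f}")
```

Note how the triaged-but-unconfirmed report (ref-8) and the unreviewed one (ref-7) change neither metric: they leave Y untouched exactly as the FAQ states, so a backlog of pending reports cannot drag your acceptance rate down.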
Let’s Get Started With Bugcrowd
Hackers aren’t waiting, so why should you? Contact us today. Or better yet, try Bugcrowd for yourself and see how our Knowledge Security Platform can quickly improve your security posture.