What's in a Program?

In this lesson, we'll study what a bug bounty program looks like.

What is a bug bounty program?

A bug bounty program (BBP) is a call for help from an organization, reaching out to security researchers worldwide. The organization lays out the scope and terms of the program, fundamentally allowing security researchers to probe its systems and software in exchange for a financial reward.

If researchers find a vulnerability in an application, they can submit it and, if the organization finds the submission acceptable, receive a bounty as a reward.

What is a valid submission?

There is no general definition of what makes a submission acceptable, as each program has its own rules and terms for valid submissions. For example, Google publishes a program named “Google Vulnerability Reward Program (VRP) Rules”, which states that valid reports could include:

  • Cross-site scripting
  • Cross-site request forgery
  • Mixed-content scripts
  • Authentication or authorization flaws
...