Importance of Bounty Tables
It's important for programs to create and publish bounty tables on their security page as it fosters:
- Hacker Engagement
- Faster Workload Management
Bounty tables set a clear expectation for hackers of how much they will be paid for a vulnerability. This protects the “Bug Bounty Brand” and mitigates risk for your program, allowing you to reap the rewards of your bug bounty efforts. If bounty expectations are misaligned, the result is hacker frustration, debate, negotiation and, in some cases, public outbursts that lead to mediation, greater hacker disengagement, and more workload for your teams.
For example, a program without a bounty table might state that it provides bounties ranging from $1000 - $3000 for a critical vulnerability. This sets the expectation that a hacker may get $1000, $2000 or even $3000! In reality, however, the payout depends on the severity of the vulnerability, which may be rated against an objective international standard (see CVSS Classification) or by a custom calculation based on the risk appetite of the business and how it defines impact severity. If the expectation of how much a vulnerability is worth isn’t clear, hackers are easily disappointed and upset.
A visible bounty table, together with a clear policy page, friendly language, clear engagement rules, and benefits, is one of the simple methods you can use to break down walls and start building a trusting relationship. Bug bounty programs benefit from transparency because it builds trust between you and your hackers.
A clear bounty structure is something hackers look for when choosing programs to participate in. They want to know that they will be rewarded fairly if they spend their time and effort helping a program. Programs with clear reward structures tend to generate more positive engagement.
Having a defined amount per severity level means your teams can make faster decisions instead of working out what a fair award would be for each report. It also reduces negotiation from hackers for higher awards, and the back-and-forth messages asking why they were paid the amount they received.