The Rating of Bug Bounty Programs

Hi Bug Bounty Community,

Below are the factors we use to assess the quality of bug bounty programs. We think this article can give both companies and researchers some ideas for improving their programs.

For now, the rating consists of the 7 items below. Each item is worth 10 points, and a bug bounty program must score at least 70 points to receive an A+ grade.

1 - Companies should respond quickly to every bug report. Feedback that arrives a year later is not acceptable; the best response time is within 10 days.

2 - Reported vulnerabilities should be fixed quickly. The best time is within 30 days.

3 - Companies should have a hall of fame (HOF) page on their website.

Here is an interesting example of this. It is easy to start a simple bug bounty program for your company: some websites already credit the people who have contributed to the site in a "humans.txt" file, and the same file can serve as a simple hall of fame.

Example URL: salyangoz.me/humans.txt

4 - Companies should give a bounty or a swag kit to researchers.

5 - The internal security team should be reachable and willing to answer questions, since researchers may need additional information from it to complete their bug reports.

6 - Companies should publish detailed scope information for their bug bounty program on their website.

7 - The company's security team must have a dedicated email address.

For example: [email protected]

Project Link!

EOF Evren/Mert