Bug Bounty Programme

Category: general · Level: Beginner
DEBT score: d7 / e5 / b5 / t5
d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7). The detection_hints list HackerOne, Bugcrowd, and Intigriti — these are programme management platforms, not automated code scanners. The absence of a security.txt file or responsible disclosure policy can be spotted by a manual audit or a specialist HTTP probe, but there is no default linter that flags 'you have no bug bounty programme.' The gap is invisible in CI/CD and only surfaces when a researcher has nowhere to report, or when a vulnerability is publicly disclosed without a channel — a late operational signal.

e5 Effort Remediation debt — work required to fix once spotted

Closest to 'touches multiple files / significant refactor in one component' (e5). The quick_fix describes defining scope, setting reward tiers, and committing to 24-hour response SLAs. This is not a one-line patch: it requires publishing a policy document (security.txt, programme page), internal triage workflows, legal review of scope, and budget allocation. Common mistakes (scope too narrow, slow triage, launching before known issues are fixed) each require their own remediation steps across teams, making this a multi-component organisational effort rather than a simple code change.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5). A bug bounty programme applies to web and API contexts and imposes ongoing operational load: triaging incoming reports, coordinating fixes, managing researcher communications, and maintaining scope documents. It affects security, engineering, and legal teams continuously. It does not define the entire system's shape (b9) nor is it a single localised component (b3) — it is a cross-team, ongoing commitment that slows multiple work streams if managed poorly.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap — a documented gotcha most devs eventually learn' (t5). The misconception field directly states the canonical wrong belief: that a bug bounty replaces internal security testing. This is a well-documented pitfall that organisations routinely fall into — launching a public programme prematurely (before fixing known criticals) and treating it as a substitute for internal reviews. It is a recognised industry gotcha rather than a catastrophic or architecture-level misunderstanding.


Also Known As

  • bug bounty program
  • responsible disclosure program
  • vulnerability reward

TL;DR

A programme offering financial rewards to security researchers who responsibly disclose vulnerabilities in a vendor's systems.

Explanation

Bug bounty programmes crowdsource security testing by incentivising researchers to find and report vulnerabilities rather than sell or exploit them. Programmes define scope (which domains/assets are in scope), reward ranges (scaled by CVSS severity), and safe harbour provisions (legal protection for good-faith research). Platforms include HackerOne, Bugcrowd, and Intigriti. Before running a public programme, ensure basic hygiene (patch known issues, have a functioning SDLC) — a programme that can't process reports creates frustration and reputational risk.

Common Misconception

"A bug bounty program replaces internal security testing." Bug bounties complement, not replace, internal security reviews — they provide crowdsourced testing from diverse researchers but should not be the primary mechanism for finding security issues in your own product.

Why It Matters

Bug bounty programs pay external researchers to find vulnerabilities — they provide a continuous security audit by people with attacker mindsets at a cost far below formal penetration testing engagements.

Common Mistakes

  • Launching a public bug bounty before fixing known critical vulnerabilities — researchers find them immediately.
  • Slow or dismissive responses to reports — researchers disengage and may disclose publicly.
  • Scope that is too narrow — researchers find vulnerabilities out of scope and have no way to report them.
  • Not triaging and fixing submissions promptly — the vulnerability exists while it awaits review.

Code Examples

✗ Vulnerable
// Bug bounty anti-pattern — no response SLA:
bugBounty.report({
  program: 'example.com',
  vulnerability: 'SQL injection on /api/search',
  severity: 'Critical',
  // Response: silence for 6 weeks
  // Fix: never deployed
  // Researcher: publishes 90-day disclosure
})
✓ Fixed
# Bug bounty programme — pay researchers to find vulnerabilities

# Scope definition (what's in/out):
# In scope:  yourapp.com, api.yourapp.com, app.yourapp.com
# Out of scope: staging.*, careers.*, third-party providers

# Severity + reward table:
# Critical (CVSS 9-10): RCE, auth bypass        → £5,000 - £20,000
# High     (CVSS 7-8.9): SQLi, SSRF, IDOR       → £1,000 - £5,000
# Medium   (CVSS 4-6.9): XSS, info disclosure   → £100 - £1,000
# Low      (CVSS 0-3.9): self-XSS, clickjacking → £50 - £100

# Platforms: HackerOne, Bugcrowd, Intigriti

# Safe harbour: researchers acting in good faith won't face legal action

# Before launching: fix known vulns, have a response process, set realistic scope
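The fixed version above is a policy, not code, so the operational half of it (what the triage queue should look like once reports arrive) is worth seeing as working logic. The following is an added example, not CodeClarityLab's code or a platform API: it maps CVSS scores to the tier and reward table above, tracks the 24-hour first-response SLA from the Quick Fix, and assumes a 90-day researcher disclosure window borrowed from the anti-pattern comment. The report queue is constructed sample data.

```python
"""Triage view over a bounty report queue: tier, reward range and first-response
SLA position for each report. Added example, not CodeClarityLab's code. Tier
boundaries and GBP ranges follow the table in the 'Fixed' block, the 24-hour
SLA follows the Quick Fix; the 90-day disclosure window is an assumption."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FIRST_RESPONSE_SLA = timedelta(hours=24)   # from the Quick Fix
DISCLOSURE_WINDOW = timedelta(days=90)     # assumed researcher deadline

# (inclusive lower CVSS bound, tier, min reward, max reward) in GBP.
# Ordered high to low so the first matching floor wins: 8.9 is High, 9.0 is Critical.
TIERS = [
    (9.0, "Critical", 5_000, 20_000),
    (7.0, "High", 1_000, 5_000),
    (4.0, "Medium", 100, 1_000),
    (0.0, "Low", 50, 100),
]


def reward_tier(cvss: float) -> tuple[str, int, int]:
    """Map a CVSS base score (0.0-10.0) to (tier, min_reward, max_reward)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    for floor, tier, low, high in TIERS:
        if cvss >= floor:
            return tier, low, high
    raise AssertionError("TIERS must end with a 0.0 floor")


@dataclass(frozen=True)
class Report:
    ident: str
    received: datetime                        # when the researcher submitted
    cvss: float
    first_response: datetime | None = None    # first human reply to the researcher
    fixed: datetime | None = None             # when the fix shipped


def triage_status(report: Report, now: datetime) -> dict:
    """Summarise one report's tier, SLA position and disclosure clock at `now`."""
    tier, low, high = reward_tier(report.cvss)
    # The response clock stops at the first reply; an unanswered report keeps accruing.
    waited = (report.first_response or now) - report.received
    deadline = report.received + DISCLOSURE_WINDOW
    return {
        "id": report.ident,
        "tier": tier,
        "reward_range_gbp": (low, high),
        "responded": report.first_response is not None,
        "hours_to_first_response": round(waited / timedelta(hours=1), 1),
        "sla_breached": waited > FIRST_RESPONSE_SLA,
        "days_to_disclosure": (deadline - now).days,
        "open": report.fixed is None,
    }


def sla_breaches(reports: list[Report], now: datetime) -> list[str]:
    """IDs of still-open reports that missed the first-response SLA, highest CVSS first."""
    late = [r for r in reports
            if r.fixed is None and triage_status(r, now)["sla_breached"]]
    return [r.ident for r in sorted(late, key=lambda r: r.cvss, reverse=True)]


# Constructed sample queue (not real reports) evaluated at a fixed instant.
NOW = datetime(2026, 3, 22, 12, 0, tzinfo=timezone.utc)
SAMPLE_QUEUE = [
    Report("R1", datetime(2026, 3, 20, 9, 0, tzinfo=timezone.utc), 9.8),
    Report("R2", datetime(2026, 3, 22, 8, 0, tzinfo=timezone.utc), 6.5,
           first_response=datetime(2026, 3, 22, 10, 30, tzinfo=timezone.utc)),
    Report("R3", datetime(2026, 3, 21, 0, 0, tzinfo=timezone.utc), 7.0,
           first_response=datetime(2026, 3, 22, 6, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for r in SAMPLE_QUEUE:
        print(triage_status(r, NOW))
    print("SLA breaches, worst first:", sla_breaches(SAMPLE_QUEUE, NOW))
```

The point of `sla_breaches` is the "silence for 6 weeks" failure in the anti-pattern: an unanswered Critical sits at the top of the list from hour 25 onward, and a report that was eventually answered late (R3) still counts, so the team sees the pattern rather than just the backlog.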

Added 15 Mar 2026
Edited 22 Mar 2026
Tools & Severity

Severity: Info · Fix effort: High

Quick Fix
Define a clear scope (which domains, which vulnerability types), set realistic reward tiers, and respond to reports within 24 hours — slow response drives researchers to public disclosure.

Applies To
any · web · api

Detection Hints
No security.txt file at /.well-known/security.txt; no responsible disclosure policy; no contact for security researchers.
Auto-detectable: No. Related platforms: HackerOne, Bugcrowd, Intigriti.

AI Agent
Confidence: Low · False positives: High · Manual fix · Fix effort: High · Context: File
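The detection hint above is checkable by hand or by an HTTP probe: fetch /.well-known/security.txt and see whether it is present and well-formed. The validation half of that probe is shown below as an added example, not CodeClarityLab's code; it applies the rules of RFC 9116 (the standard that defines security.txt: at least one Contact, exactly one Expires in RFC 3339 form, at most one Preferred-Languages, https for web URIs). Fetching is left to the caller so the code runs offline; the two sample files are constructed and use the reserved example.com domain.

```python
"""Check a security.txt body against RFC 9116, as a disclosure-channel probe would
after fetching https://<host>/.well-known/security.txt. Added example, not
CodeClarityLab's code; the fetch is left to the caller so this runs offline."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Field names RFC 9116 defines (matched case-insensitively); others are reported.
KNOWN_FIELDS = {"Contact", "Expires", "Encryption", "Acknowledgments",
                "Preferred-Languages", "Canonical", "Policy", "Hiring"}
# Fields whose web URIs MUST use https (Encryption may also be dns: or openpgp4fpr:).
WEB_URI_FIELDS = {"Contact", "Acknowledgments", "Canonical", "Policy", "Hiring", "Encryption"}


@dataclass
class Result:
    fields: dict[str, list[str]] = field(default_factory=dict)
    errors: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def parse_security_txt(body: str) -> dict[str, list[str]]:
    """Collect 'Name: value' lines; '#' comments and blank lines are skipped."""
    fields: dict[str, list[str]] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            fields.setdefault("__malformed__", []).append(line)
            continue
        # Field names are case-insensitive; normalise so 'contact' and 'Contact' merge.
        fields.setdefault(name.strip().title(), []).append(value.strip())
    return fields


def _parse_expires(value: str) -> datetime | None:
    """RFC 3339 date-time with a zone; 'Z' is rewritten for older fromisoformat()."""
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return parsed if parsed.tzinfo is not None else None


def validate_security_txt(body: str, now: datetime | None = None) -> Result:
    now = now or datetime.now(timezone.utc)
    result = Result(fields=parse_security_txt(body))
    fields = result.fields
    for line in fields.pop("__malformed__", []):
        result.errors.append(f"malformed line, expected 'Name: value': {line!r}")
    # Contact is REQUIRED and may repeat; without it researchers have no channel.
    if not fields.get("Contact"):
        result.errors.append("missing required Contact field")
    # Expires is REQUIRED exactly once; a past date means the file is stale.
    expires = fields.get("Expires", [])
    if len(expires) != 1:
        result.errors.append(f"Expires must appear exactly once, found {len(expires)}")
    else:
        when = _parse_expires(expires[0])
        if when is None:
            result.errors.append(f"Expires is not an RFC 3339 date-time with zone: {expires[0]!r}")
        elif when <= now:
            result.errors.append(f"security.txt expired at {when.isoformat()}")
        elif when - now > timedelta(days=365):
            result.warnings.append("Expires is over a year away; RFC 9116 recommends under a year")
    if len(fields.get("Preferred-Languages", [])) > 1:
        result.errors.append("Preferred-Languages must not appear more than once")
    # Any web URI in these fields MUST be https; plain http is an error.
    for name in WEB_URI_FIELDS:
        for uri in fields.get(name, []):
            if uri.startswith("http://"):
                result.errors.append(f"{name} web URI must use https: {uri!r}")
    for name in fields:
        if name not in KNOWN_FIELDS:
            result.warnings.append(f"unknown field {name!r} is ignored by RFC 9116 parsers")
    if "Policy" not in fields:
        result.warnings.append("no Policy link: scope and safe-harbour terms are not discoverable")
    return result


# Constructed sample files (not any real vendor's) evaluated at a fixed instant.
NOW = datetime(2026, 3, 22, tzinfo=timezone.utc)
GOOD_EXAMPLE = """\
Contact: mailto:security@example.com
Contact: https://example.com/.well-known/disclosure
Expires: 2030-01-01T00:00:00.000Z
Preferred-Languages: en
Policy: https://example.com/security-policy
Canonical: https://example.com/.well-known/security.txt
"""
BAD_EXAMPLE = """\
contact: http://example.com/contact
Expires: 2020-01-01T00:00:00Z
Preferred-Languages: en
Preferred-Languages: fr
Bounty: yes
"""
```

Run `validate_security_txt(GOOD_EXAMPLE, NOW)` and `validate_security_txt(BAD_EXAMPLE, NOW)` to see the two outcomes: the good file passes with one warning (its Expires is more than a year out), the bad file fails on three errors (http Contact, expired file, duplicate Preferred-Languages) and warns about the unknown `Bounty` field and the missing Policy link. An empty or missing file is the "no channel" condition the detection hint describes; an expired one is the subtler case, since the contact may still work but researchers are told not to trust it.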
