{
    "slug": "bug_bounty",
    "term": "Bug Bounty Programme",
    "category": "general",
    "difficulty": "beginner",
    "short": "A programme offering financial rewards to security researchers who responsibly disclose vulnerabilities in a vendor's systems.",
    "long": "Bug bounty programmes crowdsource security testing by incentivising researchers to find and report vulnerabilities rather than sell or exploit them. Programmes define scope (which domains and assets researchers may test), reward ranges (scaled by CVSS severity), and safe harbour provisions (legal protection for good-faith research). Platforms include HackerOne, Bugcrowd, and Intigriti. Before running a public programme, ensure basic hygiene (patch known issues, have a functioning SDLC) — a programme that cannot triage and fix the reports it receives creates frustration and reputational risk.",
    "aliases": [
        "bug bounty program",
        "responsible disclosure program",
        "vulnerability reward"
    ],
    "tags": [
        "general",
        "security",
        "community"
    ],
    "misconception": "A bug bounty programme replaces internal security testing. Bug bounties complement rather than replace internal security reviews — they add crowdsourced testing from diverse researchers but should not be the primary mechanism for finding security issues in your own product.",
    "why_it_matters": "Bug bounty programmes pay external researchers to find vulnerabilities — they provide a continuous security audit by people with an attacker mindset at a cost far below formal penetration testing engagements.",
    "common_mistakes": [
        "Launching a public bug bounty before fixing known critical vulnerabilities — researchers find them immediately.",
        "Slow or dismissive responses to reports — researchers disengage and may disclose publicly.",
        "Scope that is too narrow — researchers find vulnerabilities out of scope and have no sanctioned way to report them.",
        "Not triaging and fixing submissions promptly — the vulnerability remains exploitable while the report awaits review."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "vulnerability_disclosure",
        "penetration_testing",
        "cvss"
    ],
    "prerequisites": [
        "penetration_testing",
        "security_by_design",
        "threat_modelling"
    ],
    "refs": [
        "https://www.hackerone.com/vulnerability-management/what-is-a-bug-bounty-program",
        "https://disclose.io/"
    ],
    "bad_code": "// Bug bounty anti-pattern — no response SLA:\nbugBounty.report({\n  program: 'example.com',\n  vulnerability: 'SQL injection on /api/search',\n  severity: 'Critical',\n  // Response: silence for 6 weeks\n  // Fix: never deployed\n  // Researcher: publishes 90-day disclosure\n})",
    "good_code": "# Bug bounty programme — pay researchers to find vulnerabilities\n\n# Scope definition (what's in/out):\n# In scope:  yourapp.com, api.yourapp.com, app.yourapp.com\n# Out of scope: staging.*, careers.*, third-party providers\n\n# Severity + reward table:\n# Critical (CVSS 9-10): RCE, auth bypass        → £5,000 - £20,000\n# High     (CVSS 7-8.9): SQLi, SSRF, IDOR       → £1,000 - £5,000\n# Medium   (CVSS 4-6.9): XSS, info disclosure   → £100 - £1,000\n# Low      (CVSS 0-3.9): self-XSS, clickjacking → £50 - £100\n\n# Platforms: HackerOne, Bugcrowd, Intigriti\n\n# Safe harbour: researchers acting in good faith won't face legal action\n\n# Before launching: fix known vulns, have a response process, set realistic scope",
    "quick_fix": "Define a clear scope (which domains, which vulnerability types), set realistic reward tiers, and respond to reports within 24 hours — slow response drives researchers to public disclosure",
    "severity": "info",
    "effort": "high",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/bug_bounty",
        "html_url": "https://codeclaritylab.com/glossary/bug_bounty",
        "json_url": "https://codeclaritylab.com/glossary/bug_bounty.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Bug Bounty Programme](https://codeclaritylab.com/glossary/bug_bounty) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/bug_bounty"
            }
        }
    }
}