Today I thought it would be interesting to our Crowd members to take a look at private bounty program invitations. With both public and private bounty programs and tens of thousands security researchers, how does Bugcrowd choose who to invite to a private program? Is there a secret handshake? A password to a private clubhouse? Do I roll the dice?
Nope. Turns out, it has everything to do with your performance and activity, and the technical skills needed for the customer targets. For example, if you've submitted valid vulnerabilities in mobile applications, chances are you'll get invitations to private mobile app bounty programs. Other criteria we currently use to determine who to invite:
What is your acceptance rate? Invitations to private programs are reserved for Crowd members who consistently submit valid findings: at least 50% of their submissions in the last 90 days must have been valid (accepted). We also balance the individuals invited so that the overall average acceptance rate of the Crowd on private bounties is at least 70% (NOTE: acceptance rate is not the same as accuracy; more to come on this).
Valid vulnerability submissions are rated on a priority scale of P1 (Critical) to P5 (Best Practice / Won't Fix). When selecting a Crowd for a private program, we only invite researchers with an average submission priority score between 1.0 and 3.99 in the last 90 days.
Have you been actively submitting bugs lately? We aim to fill at least 75% of open seats on private programs with researchers who have submitted in the last 90 days. Any remaining invitations are offered to researchers who have submitted bugs in the past and whose lifetime performance meets the Quality and Impact guidelines above.
Last, but far from least, is trust. An invite to a private program means that the program owner trusts you, and if you get that opportunity it's because we've told them that we trust you. How it works is simple: we score researchers based on their track record of staying inside the terms of the bounty brief, which includes following the scope and honoring any non-disclosure requirements.
If you're looking to maximize your chances of a private bounty invitation, submit the most critical issues you can find (if you want to level up your skills here, we've got some tutorial links on the Bugcrowd Forum to get you started), closely review each bounty brief, and validate your findings before submitting to minimize Invalid submissions, which lower your acceptance rate.
The decision to launch a public vs. private bounty varies based on each customer's goals, but when a private program is the right model, we've found that adopting this new invitation policy has resulted in:
- More researchers getting opportunities to work on private bounties
- More valid bugs being submitted, with higher average severity
- Increased average payouts per bug submitted, compared to programs run with our old invitation approach
Since the start of 2015, we've sent 3,820 private bounty invitations to 806 researchers because of their acceptance rate, impact, and activity. More researchers, more bugs, higher severity, more money. Win.