Bugcrowd Blog

How to Earn Your Way Onto a Private Bounty Program

Posted by Abby Mulligan on Nov 10, 2017 9:05:00 AM

We are consistently asked “How Do I Earn Private Program Invitations?”
Hands down, this is our most commonly asked question from members of our Crowd, so we want to take this opportunity to reemphasize the most important information to keep an eye on if you’re looking to get invited to a private program.

Since 2015, we have consistently used the following performance and activity markers (+ any required technical skills!) to choose our program participants. The criteria we continue to use to determine invites:

Quality:
How is your acceptance rate? Invitations to private programs are reserved for Crowd members who consistently submit valid findings; at least 50% of their submissions are valid (accepted) in the last 90 days.

Impact:
Valid vulnerability submissions are rated on a priority scale of P1 (Critical) to P5 (Best Practice / Won't Fix). When selecting a Crowd for a private program, we invite researchers with an average submission priority score between 1.0 and 3.99 in the last 90 days.

Activity:
Have you been actively submitting bugs lately? The majority of private program invitations are issued to researchers who have submitted in the last 90 days. Any remaining invitations are then offered to researchers whose lifetime performance meets the Quality and Impact guidelines above and who satisfy any needed technical skillset.

(+1 to Skills):
A growing number of programs require specific skill sets in order for Researchers to be successful at finding impactful vulnerabilities, such as Mobile, IoT and Reverse Engineering. To ensure we capture all the competencies our amazing Crowd is skilled in, we provide multiple opportunities for our Crowd to indicate their skills, and we compare those skills against their previous success on similar programs. For example: if you've submitted valid vulnerabilities in previous mobile applications, chances are you'll get invitations to private mobile app bounty programs!

Trust:
Last, but far from least, is trust. An invite to a private program means that the program owner trusts you, and if you get that opportunity it's because we trust you. How it works is simple: We score Researchers based on their track record of staying inside the terms of the bounty brief, which includes following the scope and honoring any non-disclosure requirements.

Not sure how your stats measure up against our criteria? You can easily find this information in your personal Researcher Dashboard, just by looking at the Performance Stats and selecting the “Last 90 days” option from the timeline.

Looking to maximize your private bounty invitation potential? Always consider the following:


Please note: We have also tidied up the wording on the Researcher Dashboard slightly to ensure that the “Looking for more programs?” tooltip is in alignment with the above text, in order to prevent future confusion!

Written by Abby Mulligan

Boston native, Patriots fan, Director of Operations at Bugcrowd.