Bug Bounty

What is a Bug Bounty?

For some years now, we have been experiencing a remarkable growth of the so-called Bug Bounty, also known as VRP (vulnerability reward program), which are mainly based on rewarding researchers capable of identifying vulnerabilities in organizations, and reporting them following a good code. practices called Responsible Disclosure, to prevent vulnerabilities from being published before they have been fixed.

It is common to find cases where hackers or researchers altruistically report vulnerabilities to organizations, some for the simple fact of making the Internet more secure and others with the aim of gaining fame and recognition, while developing their skills.

It is increasingly common to see how organizations with greater maturity in their security model adopt as part of their vulnerability management processes, network teaming exercises or rewards programs. The immediate benefit of having hundreds of researchers looking for vulnerabilities is the possibility of detecting and correcting a large number of them, at the same time that it shows the awareness and importance that the organization gives to security.

How to organize a Bug Bounty?

Wardsec Proposal

Until not long ago launching a bounty was within the reach of very few, since, in order to carry it out efficiently, it is necessary to have a specialized and 100% dedicated multidisciplinary team. Today we find various online alternatives that make certain infrastructure and their ability to put companies in contact with ethical bounty hunters available to their clients, however, they only act as intermediaries between them without offering any other valuable service.

Wardsec’s proposal To undertake this type of service, it goes towards the integral management of the program in all its phases in such a way that it is integrated in a transparent way as an additional data source in the vulnerability management processes already established in the client and using the same interfaces. (ticketing tools, reporting system, etc.)

Wardsec will put at your disposal a team with different specialization profiles that will be in charge of all the technical and coordination tasks of the program. The team will be “elastic”, in such a way that the number of dedicated analysts will vary depending on the volume of reports received, as well as their technical complexity.

An interlocutor assigned full time will lead the team of analysts, acting as the sole point of contact. They will have knowledge of the organization’s staff, as well as the different departments involved in the resolution, since they will be in charge of coordinating and carrying out follow-up tasks. In any case, the CISO will determine the level of integration with your existing management processes and tools or if you prefer it to be an ad-hoc service.

“Do you want to evolve your vulnerability management? Count on our experience in Bug Bounty management”

Bug Bounty Considerations

The set of rules must be collected and must be accepted by researchers who want to join the Bug Bounty program. Although there are some differences when the program is focused on a product, or when it comes to online services, in this example we will describe the seconds as they are the most common.


Scope and period of validity

Scope restrictions and establish a permanent or long-term program.


Typology of permitted tests

Where denials of service, social engineering and the use of automatic tools that generate excessive network traffic or load on servers are generally ruled out.


Threshold and minimum acceptance criteria

Typology of vulnerabilities are accepted, also specifying if they will be compensated only for vulnerabilities with immediate impact or also “hardening” recommendations.


Reward format

Minimum and maximum financial limits of the award, failing that, specify the type of remuneration in kind and some other method of recognition and gratitude, such as inclusion in the “hall of fame”. Contact instructions. Specifying the medium, required format, as well as the response notifications to be expected in each phase.


Confidentiality and privacy

Researchers will not be able to reveal any information relevant to the vulnerability until it has been fixed.




Dismissing employees and family members of employees, establishing minimum age limits or requiring the consent of parents / legal guardians.


Intellectual property

The researcher will continue to be the intellectual owner of the information sent, however, he will irrevocably and perpetually grant the organization unlimited rights to use the information received.



At the beginning of the program, the indicators necessary for proper monitoring of the program will be defined together with the organization’s security manager, including the distribution and criticality of vulnerabilities on the different assets, technologies and areas of the organization.

Our Bug Bounty management service is aimed both at software manufacturers who want to put their product to the limit and protect their customers, as well as all those organizations, whether public or private, who want to make sure that their infrastructure accessible from the internet is thoroughly analyzed. looking for vulnerabilities.