Bug Bounty Hunting

Private

Invite only, based on track record

Public

Open to all hackers

VDP

Vulnerability Disclosure Program - no rewards, just guidelines

BBP

Bug Bounty Program - rewards for valid findings

Scope

In-scope domains, IPs, apps

Out of Scope

Excluded targets, vuln types

Rules of Engagement

Testing limitations

Rewards

Bounty amounts by severity

Response SLAs

Expected response times

Safe Harbor

Legal protection

Reporting Format

Required info in reports

Title

[VulnType] in [Component] - [Impact]

CWE

Common Weakness Enumeration ID

CVSS

Severity score (use calculator)

Description

What the vuln is, where it exists

POC

Step-by-step reproduction

Impact

Business impact, what attacker can achieve

Remediation

Fix suggestion (optional)

N (Network)

Remotely exploitable

A (Adjacent)

Same network required

L (Local)

Local access required

P (Physical)

Physical access required

L (Low)

No special conditions

H (High)

Special prep/info gathering needed

N (None)

Unauth exploitation

L (Low)

Standard user privs

H (High)

Admin privs needed

N (None)

No user action needed

R (Required)

User must click/visit

U (Unchanged)

Only affects vuln component

C (Changed)

Affects other components

N (None)

No impact

L (Low)

Limited impact

H (High)

Total/serious impact

CWE-79

XSS

CWE-89

SQL Injection

CWE-352

CSRF

CWE-502

Deserialization

CWE-918

SSRF

CWE-22

Path Traversal

CWE-78

OS Command Injection

CWE-287

Improper Authentication

CWE-639

IDOR

CWE-611

XXE

Wait for response

Spam triage team

Tag same team member

Use unofficial channels

Stay professional

Argue over severity

Reference program policy

Demand specific bounty

Use mediation if stuck

Disclose before resolution