At Bugbounter, trust is our #1 value and we take the
protection of our customers’ and researchers’ data very seriously.
1-You ARE safe with us!
The Bugbounter team acknowledges the needs and concerns of
customers’ security vulnerability testing. As a result, we manage your bug bounty programs
over our platform responsibly by helping you to publish them effectively, monitor them 24/7 and
carefully match the researcher community for the testing of your site, applications and/or
Bugbounter is committed to engaging your bounty with the
most reliable & skilled security researchers and white hat hackers to search, send and
verify any potential vulnerabilities that are operated through the platform over blockchain
ledgers. Any local information upon resolution of the vulnerability report will immediately
2-You NEED to provide a safe
You pledge not to initiate legal action against RESEARCHERS
(vulnerability security researchers & white hat hackers) who act with good will, for
penetrating or attempting to penetrate your systems as published in the bounties, if you
adhere to this policy.
If you acknowledge that researchers follow our guidelines,
neither you nor your third parties will pursue or support any legal action related to your
3-Researchers WILL play the game by the
The following conduct is expressly prohibited while
searching for vulnerabilities:
Performing actions that may negatively affect customers’ or their users’ operations (e.g.
Spam, Brute Force, Denial of Service…)
Copying, saving, transferring, storing data or information that belongs to you
Leaving a backdoor after they've proved a penetration
Destroying or corrupting, or attempting to destroy or corrupt, data or information that
belongs to you (without explicit permission of the owner)
Conducting any kind of physical or electronic attack on customers’ personnel, property
or data centers
Social engineering any customer’s service desk, employee or contractor
Conducting vulnerability testing & attacks on out-of-scope resources
Negotiating the payout amount under threat of withholding the vulnerability or threat of
releasing the vulnerability or any exposed data to the public
Posting the vulnerability information or customer data to the Dark Web where there's a
thriving market for data and remote access
Publicly exposing the flaw to embarrass a company, allowing other hackers to exploit the
Violating any laws or breaching any agreements in order to discover vulnerabilities
4-Sympathize with researchers IF they make a
Researchers will contact us (and we will contact you)
immediately if they inadvertently encounter your data. You shall not take legal action for
an inadvertent mistake.
5-Please BE responsive!
We asked researchers not to share or publicize your
verified vulnerability with/to third parties with impatience. Before making any information
about it public you need to agree with the researchers on a reasonable time for a validated
a) Until it is fixed or,
b) Until a timeframe after first submission (defined by Customer) or,
c) Until after giving the organization X days of notice (defined by Researcher) or,
d) Until a mutually agreed deadline
6-You CAN update your bounty at any
Once your bounty is published on our platform you may not
change the reward currency. This is the only restricted parameter in your bounty definition.
All other parameters of the bounty can be updated
after you suspend the bounty. During the suspension period researchers cannot view the
bounty. However, any report submitted prior to your suspension will be processed until
resolution within the definitions at the time of submission. In order to value the work of
researchers, Bugbounter reserves a period of 24hrs in case they have done their research and
are about to send a report. Thus they are allowed to send their report within 24hrs even though
the bounty is suspended.
7-You ARE committed to release the
Every validated report entry will be posted on a blockchain
ledger. This is to protect you from making double payments and to manage the objections from
researchers transparently and effectively.
Your bounty will be published on the platform as soon as the full budget amount is
transferred to our account. Your budget will be kept in a reserved account for your
bounty until it is totally utilized, or you choose to suspend the bounty.
As soon as you confirm a validated report, the earned reward will be paid to the researcher
and the platform fee will be transferred to Bugbounter.
Validator fees will be transferred to respective validators regardless of a report’s
If your bounty budget decreases to a reserve amount (i.e. possible rewards to be paid
for the submitted reports in progress + validation fees + Bugbounter fees), then
Bugbounter will send you a notification to either increase the budget or decide to end
the bounty. Until you transfer an additional budget, your bounty will be held in suspend
may, at any time, choose to end your bounty. In such a case, the remaining budget, after
resolution of all reports in progress, will be transferred back to you.