This feature is designed to streamline your workflow by allowing you to set custom bounty amounts that align with your internal calculation methods and policies, considering more factors than just a submission's severity or CVSS score.
Since our community is accustomed to receiving rewards based on severity or CVSS scores, we highly recommend explaining your custom calculation methods or policies. Include this information in the Reward Policy section under the Bounties area of your program to ensure clarity and transparency.
✉️ This functionality is part of our Premium and Custom offerings. For more information, please contact your Customer Success Manager.
Setting a custom bounty
If you are a Program Admin or Editor, you can set a custom bounty when accepting a submission. Before finalizing acceptance, you’ll have the option to override the suggested bounty amount—calculated based on severity and CVSS score—with a custom amount ranging from 0 to 500,000. This allows you to align bounties with your internal methods and policies.
When setting a custom bounty, you can include a message for the researcher. This is a great opportunity to explain how the bounty was determined. You can:
Write a personalized message, or
Use a standardized template that refers to the Reward Policy section of your program.
Providing this information helps build trust and ensures transparency with researchers.
You can easily track all bounty modifications in the submission activities, in the PDF export, and via the external API.
Modifying a custom bounty
You can adjust a custom bounty, just like any other bounty, by changing the submission status to "Pending," as long as the payout has not yet been processed.
💡 Note: Once a custom bounty has been set, changing the severity or CVSS score will no longer automatically update the bounty amount, as it has already been manually adjusted.