The bounty table defines how researchers are rewarded for accpeted submissions in your program. By configuring your bounty table competitively and consistently, you set expectations, encourage high-quality findings, and align researcher incentives with your security priorities and available budget.

You can manage your program bounties by opening your program and going to Details. Find the Bounty section and click Edit. From there, you can choose between three different bounty setups, depending on how you want to reward researchers: no bounties, fixed bounties, or ranged bounties.

Selecting No bounties means your program does not offer monetary rewards for valid findings. In this configuration, the program is treated as a Vulnerability Disclosure Program (VDP).
​

The program page will not display a bounty table, and submissions, regardless of severity or CVSS score, will not result in a bounty payout. Researchers are, however, still rewarded with reputation points.
​

If you choose to financially reward a researcher in exceptional cases, you can do so by awarding a bonus.

Fixed bounties reward researchers with a predefined amount based on the severity of the submission. For each severity level and tier, you configure a single value. Any CVSS score that falls within the severity range leads to the same bounty amount.
​

Ranged bounties reward researchers based on the CVSS score within the severity range of a submission. For each tier and severity, you define a minimum and maximum bounty value. When a CVSS score is available, the platform calculates the bounty proportionally within the configured range. Since decimal bounties are not supported, the final amount is always rounded up to the next whole number in favor of the researcher.

Ranged bounties provide more granularity and allow you to better reflect the exact impact of a vulnerability.

The submission has a CVSS score of 6.0, which falls within the Medium severity range of 4.0 to 6.9.
​

Using a Tier 2 Medium bounty range of $500 to $1,000, the possible bounty is calculated proportionally within the range based on the CVSS score, using the following formula: (($1,000 − $500) / (6.9 − 4.0)) × (6.0 − 4.0) + $500 = $844.83.

Because the platform does not support decimal bounties, the calculated amount is rounded up in favor of the researcher, resulting in a final bounty of $845.

Your bounty table is structured around tiers and severities. You can configure up to five tiers and assign a tier to each asset in scope from the program assets section. This allows you to differentiate rewards based on the importance, maturity, and complexity of the systems you want researchers to test.
​
Bounty tiers help you prioritize researcher focus. Higher tiers naturally attract more attention and effort, which makes them well suited for your most valuable or technically complex assets. Lower tiers can be used for newer systems, lower-risk components, or assets that require initial coverage before being promoted to higher reward levels.

Each tier includes five fixed severity levels mapped to CVSS ranges:

This tiered approach gives researchers clear guidance on where to focus their efforts and what level of reward they can expect for valid findings.

The No Bounty tier allows you to include assets in scope without offering a financial reward. Assets assigned to this tier can still receive submissions, but accepted findings do not result in a bounty payout.

Using the No Bounty tier means that researchers can report vulnerabilities on these assets without being penalized or marked as out of scope. This is especially useful for accidental discoveries or areas where you want visibility without committing budget.

By explicitly marking these assets as No Bounty instead of excluding them from scope, you encourage responsible reporting while preserving researcher validity metrics and maintaining a positive researcher experience.