Using bounty tiers allows you to set different bounty tables on different scope items:

You can then indicate in the domains section, which bounty tier applies to which part of the scope:

Uses for Bounty Tiers are:

  • Certain scope is more mature than other scope and therefore requires a higher effort from researchers.

  • Certain scope is more important than other scope, e.g. the accounts section of your platform, or the payment module and should be more incentivised for researchers to focus on. So-called "Crown Jewels" should go into Tier 1 and a wildcard domain including all kinds of marketing assets, can go into Tier 3.

  • Certain scope has a higher barrier for researchers, like mobile applications, APIs or on premise applications. Different from web applications, these types targets require a more elaborate setup process and/or specific knowledge from researchers, which again need to be incentivised more.

It is best practice to include all potential attack surface into your program, and bounty tiers give you the option to do that without breaking the bank.

It is common to include a wildcard domain on a Tier 3 domain, where bounties can be set significantly lower.

A common way of working if you're often adding in new scope, is to have scope go from Tier 3 or 2 when it is first added, to Tier 1 when it has reached a certain level of maturity.

On top of the above, it is also possible to include scope as No Bounty domain. This means that you are welcoming findings on these domains, but are not awarding bounties. This will not actively engage researcher on those domains, however this does allow researcher to send in any accidental findings they bump into during their recon sessions, if the scope does not yet award bounties.

If you don't include this scope into the program, it means they would get punished with an Out of scope submission, affecting their Valid ratio, if they would take the time to submit it.

Did this answer your question?