What's in a Program?

What is a bug bounty program?

A BBP is a call for help from an organization, reaching out to security researchers worldwide. The organization lays out the scope and terms of the program, fundamentally allowing security researchers to probe their systems and software in exchange for a financial reward.

If researchers find a vulnerability in an application, they can submit it and, if the organization finds the submission acceptable, receive a bounty as a reward.

What is a valid submission?

It is worth noting that there is no general definition of what makes a submission acceptable, as each program has different rules and terms for valid submissions. For example, Google has a program named “Google Vulnerability Reward Program (VRP) Rules” which states valid reports could include:

• Cross-site scripting
• Cross-site request forgery
• Mixed-content scripts
• Authentication or authorization flaws
• Server-side code execution bugs

While it unequivocally states exclusions, which are alleged vulnerabilities that do not qualify as valid submissions, meaning researchers will be turned down when submitting them. Some examples include vulnerabilities in *.bc.googleusercontent.com or *.appspot.com as well as flaws affecting the users of out-of-date browsers and plugins.

Google goes beyond simply listing the exclusions, as it also provides the reasoning behind their choice. For example, vulnerabilities in *.bc.googleusercontent.com are excluded because, “these domains are used to host applications that belong to Google Cloud customers. The Vulnerability Reward Program does not authorize the testing of Google Cloud customer applications. Google Cloud customers can authorize the penetration testing of their own applications, but testing of these domains is not within the scope of or authorized by the Vulnerability Reward Program.”