Legitimate bug bounty programs value ethical practices and provide clear rewards to researchers for identifying security flaws, ensuring timely payments and responsible use of disclosed vulnerabilities.
Signs of a Trustworthy Bug Bounty Program:
Clear Terms and Conditions: Programs that explicitly define which vulnerabilities qualify for rewards and the exact reward amounts.
Transparent Payment Structure: Detailed information on payment timelines, payout methods, and consistent reports of researchers receiving their rewards.
Hits: number of reports describing the program as trustworthy. The numbers in parentheses in the "Issues Reported" column refer to the numbered legend below the table.
| Program Name | Issues Reported | Platform | Source | Hits |
|---|---|---|---|---|
| Bentley | Chatty Champs (6), Reward Rodeo (4) | Self hosted | Trusted hacker | 2 |
| Telekom | Chatty Champs (6), Reward Rodeo (4) | Self hosted | Trusted hacker | 1 |
| Swisscom | Chatty Champs (6), Reward Rodeo (4), Scope Snoopers (7) | Self hosted | Trusted hacker | 2 |
| Kaseya | Reward Tortoise (8) | Self hosted | Trusted hacker | 2 |
| Relativity | Reward Rodeo (4) | Self hosted | Trusted hacker | 1 |
| Paytm | Reward Rodeo (4) | Self hosted | Trusted hacker | 2 |
| Liquidweb | Chatty Champs (6), Reward Rodeo (4) | Self hosted | Trusted hacker | 1 |
| Proton | Chatty Champs (6), Reward Rodeo (4) | Self hosted | Trusted hacker | 1 |
| Oroinc | Chatty Champs (6), Reward Rodeo (4) | Self hosted | Trusted hacker | 1 |
| AnimalFriends | Reward Tortoise (8) | Self hosted | Trusted hacker | 2 |
- (1) Transparent Scope: They clearly define in-scope and out-of-scope areas in their program brief before you submit a report.
- (2) Accessible Rewards: They pay rewards without requiring a difficult-to-obtain account on their site.
- (3) Bounty Clarity: It is clear whether they pay bounties, with transparent guidelines on payouts.
- (4) Reward Rodeo: They agree to pay a bounty and always follow through, responding to follow-up emails promptly.
- (5) No Fix, No Issue: The bug is triaged as CVSS 0 or no impact, and it is not fixed because it was correctly identified as non-impactful.
- (6) Chatty Champs: They run a responsive program and reply to researchers quickly, usually within one month or less.
- (7) Scope Snoopers: They maintain a well-organized and regularly updated list of in-scope and out-of-scope assets, so all researchers have clear guidance on which targets are eligible for bug submissions.
- (8) Reward Tortoise: Patience is key for researchers, as they can expect their rewards to arrive eventually, even if it takes much longer than anticipated. BUT THEY PAY!