Legitimate bug bounty programs value ethical practices and provide clear rewards to researchers for identifying security flaws, ensuring timely payments and responsible use of disclosed vulnerabilities.

Signs of a Trustworthy Bug Bounty Program:

Clear Terms and Conditions: Programs that explicitly define which vulnerabilities qualify for rewards and the exact reward amounts.

Transparent Payment Structure: Detailed information on payment timelines, payout methods, and consistent reports of researchers receiving their rewards.

Hits: # of reports of being trustworthy

• ¹Transparent Scope: They clearly define in-scope and out-of-scope areas in their program brief before you submit a report.
• ²Accessible rewards: They pay rewards without requiring a difficult-to-obtain account on their site.
• ³Bounty Clarity: It’s clear whether they pay bounties, with transparent guidelines on payouts.
• ⁴Reward Rodeo: They agree to pay a bounty and always follow through, responding to follow-up emails promptly.
• ⁵No fix, no issue: Bug is triaged as CVSS 0 or no impact, and it’s not fixed since it was correctly identified as non-impactful.
• ⁶Chatty Champs: They run a responsive program, they reply to researchers quickly, usually within 1 month or less.
• ⁷Scope Snoopers: They maintain a well-organized and regularly updated list of in-scope and out-of-scope assets, ensuring that all researchers have clear guidance on which targets are eligible for bug submissions.
• ⁸Reward Tortoise: Patience is key for researchers, as they can expect their rewards to arrive eventually, even if it takes a much longer than anticipated. BUT THEY PAY!