Bounty Budgeting

Setting Bounty Budgets

Bugbop now allows programs to set minimum and maximum bounty amounts, enabling better budget management for your bug bounty program. This feature helps set clear expectations with bug hunters and enables automatic pausing of bounties when your maximum budget is reached.

Bounty Types

When creating or editing a program, you can choose from three bounty types:

  • No Bounty - Acknowledgment only; no monetary or credit rewards
  • Cash - Money paid directly to bug hunters for validated reports
  • Swag/Credit - Non-cash rewards like merchandise, gift cards, or platform credits

Setting Bounty Ranges

For Cash or Swag/Credit bounty types, you can set minimum and maximum amounts per report:

  • Minimum Bounty - The lowest amount you'll award for a valid bug (e.g., $50)
  • Maximum Bounty - The highest amount you'll award for a critical vulnerability (e.g., $5,000). This is also the figure Bugbop uses when calculating how many open reports your remaining budget can cover (see Dynamic Report Limits below).

Industry Standard Bounty Ranges

The following table shows typical bounty ranges (USD) by program tier and vulnerability severity, based on common industry practice:

Program Tier | Low Severity | Medium Severity | High Severity    | Critical Severity
Token        | Thanks only  | $50 - $100      | $100 - $250      | $250 - $500
Low          | Thanks only  | $100 - $300     | $300 - $750      | $750 - $1,500
Medium       | $50 - $150   | $300 - $750     | $750 - $2,000    | $2,000 - $5,000
High         | $100 - $300  | $500 - $1,000   | $1,500 - $4,000  | $5,000 - $10,000
Exceptional  | $250 - $500  | $1,000 - $2,500 | $5,000 - $10,000 | $10,000 - $50,000+

Note: Setting clear bounty ranges helps bug hunters understand your program's value proposition and can attract more quality submissions. Consider your organization size, security maturity, and budget when selecting a tier.

Dynamic Budget Management

Bugbop's dynamic budget management system controls your bounty expenditure by tracking bounties paid against the budget you define, limiting how many reports can be open at once, and pausing bounties automatically when the budget is exhausted.

Budget Periods

You can set budget periods to control when your budget resets:

  • Monthly - Budget resets on the first day of each month
  • Yearly - Budget resets on January 1st each year
  • Unlimited - No time-based budget reset

Dynamic Report Limits

Bugbop calculates the maximum number of open reports your program can handle by dividing your remaining budget by your maximum bounty amount (rounding down), so that every open report could be paid at the maximum rate without exceeding your budget.

For example:

  • If your monthly budget is $10,000 and your maximum bounty is $2,000, initially you can have up to 5 open reports
  • After paying a $2,000 bounty, your remaining budget is $8,000, so you can have up to 4 open reports
  • If you have more than 4 open reports at this point, bounties will be automatically paused

Tip: As long as any budget remains, the system allows at least one open report, even if your remaining budget is less than your maximum bounty amount.

Automatic Bounty Pausing

To protect against unexpected budget overruns, Bugbop automatically pauses bounties under the following conditions:

  • When your spent bounty reaches your defined budget limit
  • When the number of open reports exceeds the maximum allowed based on your remaining budget
  • When manually triggered by a program administrator

When bounties are paused:

  • A "PAUSED" indicator appears on your program page
  • Notifications are sent to all program participants and subscribers, including the reason for pausing
  • Bug reports can still be submitted, but no new bounties will be paid until resumed

Automatic Resuming

Bugbop automatically resumes bounties when:

  • A new budget period begins (e.g., start of a new month for monthly budgets)
  • The number of open reports no longer exceeds the maximum allowed based on remaining budget (the inverse of the pause condition)
  • The budget amount is increased, allowing for more open reports
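The report-limit, automatic pausing and automatic resuming rules above, as an added example that is not Bugbop's own code: a small Python model of the budget state for one program over one budget period. All names (BountyBudget, submit_report, close_report, increase_budget, start_new_period, manual_pause, manual_resume) are hypothetical. It assumes whole-dollar amounts, that every open report is reserved at the maximum bounty, that a manual pause is lifted only by a manual resume, and that bounties resume as soon as open reports no longer exceed the limit.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class BountyBudget:
    """Budget state for one program over one budget period (whole dollars)."""
    budget: int                      # spend limit for the current period
    min_bounty: int                  # lowest award for a valid report
    max_bounty: int                  # highest award for a critical report
    spent: int = 0                   # bounties paid so far this period
    open_reports: int = 0            # reports submitted but not yet closed
    paused: bool = False
    pause_reason: str | None = None
    notifications: list[str] = field(default_factory=list)

    @property
    def remaining(self) -> int:
        return max(self.budget - self.spent, 0)

    def max_open_reports(self) -> int:
        """Reports the remaining budget can cover if every one earned the
        maximum bounty. At least one while any budget remains; zero once
        the limit is reached."""
        if self.remaining == 0:
            return 0
        return max(1, self.remaining // self.max_bounty)

    def _pause(self, reason: str) -> None:
        if not self.paused:
            self.paused, self.pause_reason = True, reason
            self.notifications.append(f"PAUSED: {reason}")

    def _resume(self, reason: str) -> None:
        if self.paused:
            self.paused, self.pause_reason = False, None
            self.notifications.append(f"RESUMED: {reason}")

    def _reevaluate(self, resume_reason: str) -> None:
        """Apply the automatic rules after any budget-affecting event.
        Assumption: a manual pause is lifted only by manual_resume()."""
        if self.pause_reason == "manual":
            return
        limit = self.max_open_reports()
        if self.remaining == 0:
            self._pause("budget limit reached")
        elif self.open_reports > limit:
            self._pause(f"{self.open_reports} open reports exceed limit of {limit}")
        else:
            self._resume(resume_reason)

    # --- events that change budget state ---
    def submit_report(self) -> None:
        self.open_reports += 1       # submissions are accepted even while paused
        self._reevaluate("open reports within limit")

    def close_report(self, bounty: int = 0) -> None:
        """Close one open report, paying `bounty` (0 = acknowledgment only)."""
        if self.open_reports == 0:
            raise RuntimeError("no open reports")
        if bounty:
            if self.paused:
                raise RuntimeError(f"bounties are paused: {self.pause_reason}")
            if not self.min_bounty <= bounty <= self.max_bounty:
                raise ValueError("bounty outside the program's configured range")
            self.spent += bounty
        self.open_reports -= 1
        self._reevaluate("open reports within limit")

    def increase_budget(self, amount: int) -> None:
        self.budget += amount
        self._reevaluate("budget increased")

    def start_new_period(self) -> None:
        self.spent = 0               # open reports carry over into the new period
        self._reevaluate("new budget period")

    def manual_pause(self) -> None:
        self._pause("manual")

    def manual_resume(self) -> None:
        """Admin override; the automatic rules apply again on the next event."""
        self._resume("resumed by administrator")


if __name__ == "__main__":
    # Constructed walkthrough of the $10,000 budget / $2,000 maximum example above.
    b = BountyBudget(budget=10_000, min_bounty=50, max_bounty=2_000)
    for _ in range(5):
        b.submit_report()            # 5 open reports, limit 5: still active
    b.close_report(bounty=2_000)     # remaining $8,000, limit drops to 4
    b.submit_report()                # 5 open > 4: paused
    b.close_report()                 # back to 4: resumed
    print("\n".join(b.notifications))
```

Every state change goes through `_reevaluate`, so the pause and resume decisions cannot drift apart: the same `remaining` and `max_open_reports()` values that trigger a pause are the ones that lift it. Paying a bounty while paused is refused outright, which is the behaviour the "no new bounties will be paid until resumed" rule requires.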

Manual Resuming

Program administrators can manually resume bounties at any time by clicking the "Resume" button (play icon) next to the bounty status. This will automatically notify all participants and subscribers that bounties are active again.

Advance Budget Notifications

Program staff receive advance notifications 3 days before a budget is scheduled to reset. This helps teams prepare for potential increases in report volume when bounties automatically resume.

Best Practice: Review your open reports before a budget reset to ensure you're prepared for the automatic resumption of bounties.

Subscribing to Bounty Status Updates

Bug hunters who are not part of a program can subscribe to receive notifications about bounty status changes. This helps them stay informed about when a program's bounties are paused or resumed.

To subscribe to a program:

  1. Visit the program page
  2. Click the "Subscribe" button in the Notifications section

You'll receive in-app notifications and emails whenever the program's bounty status changes.

Important: Only subscribe to programs you're actively interested in to avoid notification fatigue.