Bug Hunter Guide

Finding programs, reporting bugs, and getting paid.

Getting Started as a Bug Hunter

Step 1: Setting Up Your Profile

Complete your profile and set up your payment details so you can receive bounty payments.

Step 2: Finding Programs

  1. Browse the "Public Programs" directory
  2. Read program policies carefully before participating
  3. Join programs that match what you're good at

Step 3: Understanding Program Details

Each program has specific scope and rules. Read these sections before you start testing:

  • Scope: What assets are included/excluded
  • Rewards: Bounty ranges for different severity levels
  • Rules: Program-specific guidelines and expectations
  • Out of Scope: Vulnerability types not eligible for rewards

Step 4: Testing for Vulnerabilities

  • Only test assets explicitly listed in scope
  • Never attempt destructive testing or DoS attacks
  • Respect rate limits and avoid excessive automated scanning
  • Document your findings with clear reproduction steps
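The first rule above is the one most often broken by accident, usually by a tool that follows a redirect or enumerates a subdomain the program never listed. The following scope checker is an added example, not code from BugBop or from this guide; the scope format it reads (exact hosts plus `*.domain` wildcards under `in`, and an `out` list that always wins) is an assumption, and the scope entries are constructed sample data rather than any real program's scope.

```python
# Added example (not part of the BugBop guide): a small scope checker to run
# before sending any request, so only assets a program explicitly lists as in
# scope are ever touched. The scope format is an assumption: "in" entries are
# exact hosts or "*.domain" wildcards, "out" entries take precedence.
from urllib.parse import urlsplit

# Constructed sample scope, not a real program's scope.
PROGRAM_SCOPE = {
    "in": ["app.example.com", "*.api.example.com"],
    "out": ["staging.api.example.com"],
}


def _host_matches(host: str, pattern: str) -> bool:
    """Return True if host matches an exact or '*.' wildcard pattern."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".api.example.com"
        # A wildcard covers subdomains only, never the bare domain itself.
        return host.endswith(suffix) and host != suffix[1:]
    return host == pattern


def is_in_scope(url: str, scope: dict = PROGRAM_SCOPE) -> bool:
    """Decide whether a URL may be tested: listed under 'in' and not under 'out'."""
    host = urlsplit(url).hostname
    if not host:
        return False  # anything unparsable is treated as out of scope
    if any(_host_matches(host, p) for p in scope.get("out", [])):
        return False  # exclusions win over inclusions
    return any(_host_matches(host, p) for p in scope.get("in", []))


def filter_targets(urls, scope=PROGRAM_SCOPE):
    """Split candidate URLs into (allowed, rejected) before any testing starts."""
    allowed, rejected = [], []
    for u in urls:
        (allowed if is_in_scope(u, scope) else rejected).append(u)
    return allowed, rejected


if __name__ == "__main__":
    candidates = [
        "https://app.example.com/login",
        "https://v2.api.example.com/users",
        "https://staging.api.example.com/users",  # explicitly excluded
        "https://api.example.com/",               # bare domain, wildcard does not cover it
        "https://example.com/",                   # never listed
    ]
    ok, no = filter_targets(candidates)
    print("allowed:", ok)
    print("rejected:", no)
```

Two design choices matter here: exclusions are checked before inclusions, so an `out` entry can never be overridden by a broader wildcard, and a `*.domain` wildcard deliberately does not match the bare domain, which keeps the checker on the conservative side whenever a program's wording is ambiguous.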

Step 5: Submitting Your Bug Report

  1. Navigate to the program page
  2. Click "Submit Report"
  3. Include:
    • Descriptive title: Summarize the issue clearly
    • Affected asset: Specific URL or component
    • Steps to reproduce: Detailed instructions
    • Impact: Explain the security implications
    • Suggested fix: If you have recommendations
    • Screenshots/videos: Visual evidence when helpful
  4. Submit one vulnerability per report
  5. Check for duplicates before submitting

Important: Don't publicly disclose vulnerabilities before the program team has fixed them. Doing so will get you removed from the program.

Step 6: Handling Responses

Your report will end up in one of these states:

  • Valid: The team confirms your finding and may award a bounty
  • Needs more info: Provide additional details as requested
  • Duplicate: Someone else reported the same issue first
  • Not applicable: The team determined it's not a security issue or is out of scope

Not every report will be accepted. Be professional about it - arguing rarely changes the outcome.

Step 7: Requesting Payout

Once you have accumulated at least $20 in bounties, you can request payout via the following methods:

  • PayPal: Send an invoice to [email protected] via PayPal (PayPal's documentation).
    If your PayPal email address does not match your BugBop email address, include your BugBop email address in the invoice so we can verify you sent it.
  • Bank Transfer: Send an invoice to [email protected] with your bank details. You will need to verify your identity first (Under: User Profile > Details).
  • Charity Donation: If it is impossible for BugBop to pay you, you can request that we make a donation to a registered charity in your name.
  • Contact Us: If none of these options work for you, you can Contact Us and we will attempt to find an alternate solution.

Next Steps

Find a program to test

Browse public programs and start submitting reports.