Program Management

Learn how to effectively manage your bug bounty program with Bugbop

Program Setup

Setting up a successful bug bounty program requires careful planning and clear communication. This section covers the essential steps to configure your Bugbop program effectively.

Creating Your Program

To create a new program in Bugbop:

  1. Navigate to the "My Programs" section in the main navigation
  2. Click the "Create New Program" button
  3. Fill in the required information:
    • Program Name: Your organization or product name
    • Description: A detailed explanation of your program
    • Program URL: The main website for your product or service
    • Program Logo: Upload a high-quality logo (recommended size: 400x400px)
  4. Click "Create Program" to complete the initial setup

Important: Once created, your program will be set to "Private" by default. A paid plan is required to list your program publicly on Bugbop.

Visibility Options

Bugbop offers multiple visibility options to control who can see and participate in your program:

| Visibility | Who Can See | Who Can Join | Best For |
|---|---|---|---|
| Private | Only invited users | Only invited users | Initial setup, sensitive programs, targeted testing |
| Restricted | All authenticated users | Users who request access and are approved | Controlled growth, vetted researcher access |
| Public | All authenticated users | All authenticated users | Maximum coverage, established programs |
| Closed | Only invited users | Existing members only; bug reports cannot be submitted | Temporary pauses, program restructuring |

Team Management

Building an effective team to manage your bug bounty program is essential for success. Bugbop provides role-based access to help you delegate responsibilities appropriately.

Available Roles

  • Owner: Full administrative access, cannot be removed
  • Admin: Full access to program settings and reports
  • Triager: Can process and respond to reports, cannot change program settings
  • Viewer: Read-only access to reports and program information

Adding Team Members

To invite colleagues to your program team:

  1. Navigate to your program settings
  2. Select "Team Members"
  3. Click "Invite Team Member"
  4. Enter their email address
  5. Select the appropriate role
  6. Add a personalized message (optional)
  7. Click "Send Invitation"

The invited user will receive an email with instructions to join your program team.

Bug Hunter Management

Building relationships with security bug hunters is key to a successful bug bounty program. Bugbop provides tools to help you manage your researcher community effectively.

Inviting Bug Hunters

For private or restricted programs, you can directly invite bug hunters:

  1. Go to your program dashboard
  2. Select "Bug Hunters"
  3. Click "Invite Bug hunter"
  4. Enter their email address or Bugbop username
  5. Add a personalized invitation message
  6. Send the invitation

Managing Access Requests

For both restricted and invite-only programs, you'll need to review access requests:

  1. Navigate to "Bug Hunters" in your program dashboard
  2. Select the "Access Requests" tab for restricted programs or "Invite Requests" tab for invite-only programs
  3. Review each request, including:
    • Bug hunter profile and history
    • Their reason for requesting access
    • Any relevant skills or experience
  4. Approve or reject each request
  5. Provide feedback for rejected requests (optional but recommended)

Bounty Structure

A clear and fair bounty structure helps attract and retain skilled bug hunters. Bugbop allows flexible bounty configurations to match your budget and priorities.

Setting Bounty Ranges

To configure your bounty structure:

  1. Go to your program settings
  2. Select the "Bounties" tab
  3. Set bounty ranges for each severity level:
    • Critical: Highest impact vulnerabilities (e.g., $1,500 - $5,000)
    • High: Significant security issues (e.g., $500 - $1,500)
    • Medium: Moderate risk vulnerabilities (e.g., $100 - $500)
    • Low: Minor security concerns (e.g., $50 - $100)
  4. Save your changes

Budget Management

Bugbop provides comprehensive budget management features to help you control bounty expenditures and maintain program sustainability.

Bounty Types

When creating or editing a program, you can choose from three bounty types:

  • No Bounty - Acknowledgment only; no monetary or credit rewards
  • Cash - Money paid directly to bug hunters for validated reports
  • Swag/Credit - Non-cash rewards like merchandise, gift cards, or platform credits

Budget Periods

You can set budget periods to control when your budget resets:

  • Monthly - Budget resets on the first day of each month
  • Yearly - Budget resets on January 1st each year
  • Total / Once-off - No time-based budget reset
  • Manual / No budget - Bounties are paused and unpaused manually in the program settings

Dynamic Report Limits

Bugbop calculates the maximum number of open reports your program can handle from your remaining budget and your maximum bounty amount: the remaining budget divided by the maximum bounty.

For example:

  • If your monthly budget is $10,000 and your maximum bounty is $2,000, initially you can have up to 5 open reports
  • After paying a $2,000 bounty, your remaining budget is $8,000, so you can have up to 4 open reports
  • If you have more than 4 open reports at this point, bounties will be automatically paused

The system ensures you always have budget for at least one report, even if your remaining budget is less than your maximum bounty amount.
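The limit rule and the pause/resume behaviour described above, worked through as an added Python example (this is not Bugbop's own code; the class, method names and the choice to treat an exhausted budget as its own pause trigger are this example's assumptions). The walkthrough replays the $10,000 budget / $2,000 maximum bounty figures from the bullets and also exercises the one-report floor.

```python
# Added worked example (not Bugbop's own code): the open-report limit and
# automatic pause/resume rule described above. Amounts are whole dollars,
# matching the page's examples; a real system would store minor units.


def max_open_reports(remaining_budget: int, max_bounty: int) -> int:
    """Reports the remaining budget can cover at the maximum bounty.

    Integer division reproduces the page's figures (10,000 / 2,000 -> 5;
    8,000 / 2,000 -> 4). The result never drops below one, so a report can
    still be paid even when less than one maximum bounty remains.
    """
    if max_bounty <= 0:
        raise ValueError("maximum bounty must be positive")
    if remaining_budget < 0:
        raise ValueError("remaining budget cannot be negative")
    return max(1, remaining_budget // max_bounty)


class ProgramBudget:
    """Minimal model of one budget period (monthly, yearly or once-off).

    Bounties pause when the budget is exhausted or when more reports are
    open than the limit allows, and resume when reports close or the period
    resets. Treating an exhausted budget as a separate trigger, and capping a
    single award at the maximum bounty, are this example's assumptions.
    """

    def __init__(self, period_budget: int, max_bounty: int) -> None:
        self.period_budget = period_budget
        self.max_bounty = max_bounty
        self.remaining_budget = period_budget
        self.open_reports = 0

    @property
    def report_limit(self) -> int:
        return max_open_reports(self.remaining_budget, self.max_bounty)

    @property
    def bounties_paused(self) -> bool:
        return self.remaining_budget <= 0 or self.open_reports > self.report_limit

    def submit_report(self) -> bool:
        """A hunter files a report. Submission is not blocked by budget (that
        is what the 'Closed' visibility does); the new pause state is returned
        so staff can be notified when a submission tips it."""
        self.open_reports += 1
        return self.bounties_paused

    def close_report(self) -> None:
        """Close an open report without payment (duplicate, informative, N/A)."""
        if self.open_reports == 0:
            raise ValueError("no open reports to close")
        self.open_reports -= 1

    def award(self, amount: int) -> int:
        """Pay a bounty for an open report and close it; returns the remaining budget."""
        if self.bounties_paused:
            raise RuntimeError("bounties are paused; close reports or wait for the reset")
        if self.open_reports == 0:
            raise ValueError("no open report to award")
        if not 0 < amount <= self.max_bounty:
            raise ValueError("amount must be between 1 and the maximum bounty")
        if amount > self.remaining_budget:
            raise ValueError("amount exceeds remaining budget")
        self.remaining_budget -= amount
        self.open_reports -= 1
        return self.remaining_budget

    def reset_period(self) -> None:
        """Budget reset at the start of a new period (the 'Automatic Resume' case)."""
        self.remaining_budget = self.period_budget


def walkthrough() -> list:
    """Replay the page's example; returns (step, remaining, limit, paused) tuples."""
    budget = ProgramBudget(period_budget=10_000, max_bounty=2_000)
    trace = []

    def snap(step: str) -> None:
        trace.append((step, budget.remaining_budget, budget.report_limit, budget.bounties_paused))

    for _ in range(5):            # five reports fit a $10,000 budget at $2,000 each
        budget.submit_report()
    snap("5 open, $10,000 left")
    budget.award(2_000)           # pay one report at the maximum bounty
    snap("4 open, $8,000 left")
    budget.submit_report()        # a fifth open report exceeds the new limit of 4
    snap("5 open, $8,000 left")
    budget.close_report()         # closing one report resumes bounties
    snap("4 open, $8,000 left")
    return trace


if __name__ == "__main__":
    for step, remaining, limit, paused in walkthrough():
        print(f"{step}: limit={limit} paused={paused}")
```

The floor in `max_open_reports` is the edge case worth testing: with $1,000 left and a $2,000 maximum bounty the division yields 0, but one report remains payable, and the pause only triggers once the budget actually reaches zero or a second report opens.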

Automatic Bounty Pausing

Bugbop's dynamic budget management system helps you control bounty expenditures and prevent budget overruns:

  • Budget Limits: Bounties pause when budget limits are reached
  • Report Limits: Bounties pause when too many reports are open
  • Smart Notifications: Staff receive alerts 3 days before budget resets
  • Automatic Resume: Bounties automatically resume when budget resets or reports are closed

Awarding Bounties

When awarding bounties for valid reports:

  1. Navigate to the report in your dashboard
  2. Review the impact and quality
  3. Click "Award Bounty"
  4. Enter the bounty amount
  5. Add a note explaining your decision (recommended)
  6. Confirm the payment

Non-Monetary Rewards

If you can't offer monetary bounties, consider alternative incentives:

  • Public Recognition: Hall of fame, researcher spotlights
  • Points/Reputation: Status within your program community
  • Swag: Merchandise, gift cards, or company products
  • References: Professional references for bug hunters
  • Special Access: Early access to new features or products

Suggested Bounty Ranges

The bounty amounts you offer directly impact the level of testing interest and researcher engagement your program will receive. Below is a guide to industry norms and what to expect at different reward tiers:

Entry Level Programs

Bounty Ranges:
  • Critical: $100-$500
  • High: $50-$350
  • Medium: $25-$200
  • Low: Thanks ($0)-$50

What to Expect:

Low to moderate testing interest, primarily from beginners and hobbyists. Best for small startups and initial programs.

Growing Programs

Bounty Ranges:
  • Critical: $500-$2,000
  • High: $350-$1,400
  • Medium: $200-$800
  • Low: $50-$200

What to Expect:

Moderate testing interest from a mix of hobbyists and part-time bug hunters. Suitable for growing startups and medium-risk applications.

Established Programs

Bounty Ranges:
  • Critical: $2,000-$10,000+
  • High: $1,400-$5,000
  • Medium: $800-$2,000
  • Low: $200-$500

What to Expect:

High testing interest from professional bug hunters and security researchers. Attracts experienced researchers who can find complex vulnerabilities.

Best Practices

Based on successful bug bounty programs, here are recommended best practices:

Communication

  • Be responsive: Aim to acknowledge new reports within 24-48 hours
  • Provide regular updates: Keep bug hunters informed about the status of their reports
  • Be transparent: Clearly explain your decisions, especially for rejected reports
  • Use templates: Create response templates for common scenarios to ensure consistency

Program Management

  • Start small: Begin with a limited scope and expand gradually
  • Define clear rules: Set explicit expectations about testing methods and scope
  • Provide testing resources: When possible, offer sandbox environments
  • Conduct regular reviews: Periodically assess and update your program settings
  • Be adaptable: Adjust your scope, rewards, and processes based on feedback and results

Building Bug Hunter Relationships

  • Show appreciation: Thank bug hunters for valid reports, even if the impact is low
  • Provide constructive feedback: Help bug hunters improve their reports
  • Recognize top contributors: Highlight your most valuable bug hunters
  • Consider bonus rewards: Offer additional compensation for exceptional reports
  • Solicit feedback: Ask bug hunters how you can improve your program

Success Strategy: The most successful bug bounty programs view bug hunters as partners, not vendors. Building strong relationships with your researcher community leads to higher quality reports and more effective vulnerability discovery.

Need Help Managing Your Program?

Our security experts can guide you through setting up and managing an effective bug bounty program tailored to your organization's needs.