Program Management

Managing your bug bounty program on Bugbop

Program Setup

Creating Your Program

Go to "My Programs" and click "Create New Program". You will need to provide:

  • Program Name: Your organization or product name
  • Website URL: The main website for your product or service
  • Description & Scope: What Bug Hunters should test and what is out of scope
  • Logo: Optional. If not provided, your program will display a favicon or initial placeholder

Important: All new programs start as Private. A paid plan is required to list your program publicly on Bugbop.

Visibility Options

All new programs start as Private. You can change visibility after upgrading to a paid plan.

Private

Not listed anywhere on Bugbop. Only users you explicitly invite can see the program or submit Bug Reports. This is the default for all new programs.

Public

Listed on the Public Programs page and open to all Bug Hunters. Any authenticated user can join and submit Bug Reports without approval.

Restricted Access

Listed on the Public Programs page, but Bug Hunters must request access and be approved before submitting Bug Reports. This is useful for non-public systems where you need to provision user accounts, set up test environments, or provide credentials before a researcher can begin testing. You can configure a custom access request template and acceptance message to guide researchers through onboarding.

Closed

Only visible to already-enrolled users. No new Bug Reports can be submitted. Useful for temporarily pausing intake while you work through a backlog or restructure your program.

Team Management

Roles

  • Owner: Full administrative access, cannot be removed
  • Admin: Full access to program settings and reports
  • Triager: Can process and respond to reports, cannot change program settings
  • Viewer: Read-only access to reports and program information

Adding Team Members

From your program page, go to the "Users" tab and click "Invite User". Enter their email address and select a role. They will receive an email invitation to join.

Bug Hunter Management

Inviting Bug Hunters

For private or restricted programs, go to the "Bug Hunters" tab and click "Invite Bug Hunter". Enter their email address or Bugbop username.

Managing Access Requests

For restricted programs, pending access requests appear in the "Bug Hunters" tab. You can review each request and approve or reject it from there.

Bounty Structure

Bounty Types

  • No Bounty: Acknowledgment only, no monetary rewards
  • Cash: Money paid directly to Bug Hunters for validated reports
  • Swag/Credit: Non-cash rewards like merchandise or gift cards

Setting Bounty Ranges

Bounty ranges are configured in the program edit form under "Bounty Range Settings". Set a minimum and maximum for each severity level (Critical, High, Medium, Low).

Awarding Bounties

To award a bounty, open the report and click "Edit". Set the bounty amount and save. The Bug Hunter will be notified of the award.

Budget Management

Budget Periods

  • Monthly: Budget resets on the first of each month
  • Yearly: Budget resets on January 1st
  • Total / Once-off: A fixed budget with no automatic reset
  • Manual / No budget: Bounties are manually paused and unpaused via program settings

Automatic Bounty Pausing

Bugbop automatically pauses bounties when your budget is exhausted and resumes them when budget becomes available (e.g., after a budget period reset or when reports are closed).

Suggested Bounty Ranges

The bounty amounts you offer directly impact the level of testing interest your program receives.

It is common to start with lower bounties and increase them over time as your application becomes more secure and bugs become harder to find. Higher bounties attract more experienced researchers.

Consider setting the minimum for Low severity to $0 (thanks only). This avoids paying out for low-impact or informational findings that may not warrant a cash reward, while still acknowledging the researcher's effort.

Starter

Severity   Range
Critical   $100 - $500
High       $50 - $350
Medium     $25 - $200
Low        $0 - $50

Mostly beginners and hobbyists. Be aware that at this level, even a small bounty is enough incentive for researchers to run automated scanning tools against your assets and submit whatever they find.

Established

Severity   Range
Critical   $500 - $2,000
High       $350 - $1,400
Medium     $200 - $800
Low        $0 - $200

A mix of hobbyists and part-time bug hunters willing to do manual testing. Good for growing startups and medium-risk applications.

Premium

Severity   Range
Critical   $2,000 - $10,000+
High       $1,400 - $5,000
Medium     $800 - $2,000
Low        $0 - $500

Attracts professional bug hunters and security researchers capable of finding complex vulnerabilities.

Best Practices

Communication

  • Acknowledge new reports within 24-48 hours
  • Keep Bug Hunters informed about report status changes
  • Explain your decisions clearly, especially for rejected reports

Program Management

  • Start with a limited scope and expand gradually
  • Set clear expectations about testing methods and what is in/out of scope
  • Where possible, offer sandbox or staging environments for testing
  • Review and update your program settings periodically

Working with Bug Hunters

  • Thank Bug Hunters for valid reports, even low-impact ones
  • Provide constructive feedback to help improve report quality
  • Consider bonus rewards for exceptional findings

Need Help Managing Your Program?

Our security experts can guide you through setting up and managing an effective bug bounty program tailored to your organization's needs.