Setting Bounty Tables

Your bounty table needs to make economic sense for both sides. A researcher who spends 20 hours finding a critical vulnerability on your platform and gets paid $200 will not come back. A researcher who spends 2 hours on a low-severity finding and gets paid $5,000 has found an inefficiency you should fix in your scope.


General Guidance

Starting ranges for a first bounty table:

Severity    Starter Range        Competitive Range
Critical    $2,000 - $5,000      $10,000 - $50,000+
High        $1,000 - $2,500      $5,000 - $15,000
Medium      $250 - $750          $1,000 - $5,000
Low         $50 - $150           $250 - $1,000

Where you land depends on your industry, asset value, and what you're protecting. A fintech handling payments should pay more than a content site. The data behind a login is worth more than a marketing page.


Competitive Benchmarking

Look at comparable programs on the platform. Researchers compare bounty tables. If your competitor pays 3x what you do for the same vuln class, researchers will hunt on their program, not yours.

Most platforms publish statistics on average payouts by severity. Use these as a baseline, then adjust based on what you're protecting. A vulnerability that exposes payment card data is worth more than one that exposes a marketing email list, even if both are technically "high severity."


Common Pricing Mistakes

Underpaying relative to asset value. If you're a billion-dollar company offering $100 for a critical, researchers notice. They'll test competitors who pay fairly instead. Underpaying doesn't save money: the vulnerabilities still exist; you just don't hear about them.

Flat rates with no ranges. Giving triagers discretion within a range (e.g. $1,000-$2,500 for high) lets you reward exceptional reports without renegotiating every time. A researcher who provides a full exploit chain with business impact analysis deserves more than one who submits a bare-bones proof of concept.

Never revising the table. Your first bounty table will be wrong. Review it after the first quarter. Are you getting the volume and quality you expected? If not, adjust. Programs that haven't updated their table in two years signal to researchers that nobody's paying attention.


Bonuses and Incentives

Beyond the base table, consider:

  • Bonus payouts for exceptional impact. When a researcher finds something that saves you from a breach, pay above the table. They'll remember, and they'll keep hunting.
  • Bounty multipliers for high-value targets. If your payment API is the crown jewel, offer 2x bounties for findings on that specific asset. You'll see more activity on that asset fast.
  • Seasonal incentives. Some programs run time-limited campaigns with increased bounties to drive activity during quiet periods or on newly deployed features.