| Term | Definition |
| --- | --- |
| Bug bounty | A reward given for reporting a security vulnerability. |
| Bug bounty program | Companies or individuals that reward security researchers for reporting security vulnerabilities in their products. This term is commonly abbreviated to "BBP". |
| Bug bounty hunter | An individual who hunts for security issues on bug bounty programs. |
| Duplicate | A report describing the same issue as a previously submitted report is referred to as a "duplicate". Bug bounty platforms usually allow programs to set the status of such a report to "duplicate" to inform the hunter that the issue has already been submitted. |
| Full disclosure | When the entire report is publicly disclosed. Bug bounty hunters will usually request public disclosure of their report once the issue has been resolved or a certain number of days have passed since the initial report. |
| Partial disclosure | When a report is publicly disclosed, but certain details are redacted. |
| PoC | Abbreviation for proof of concept, a detailed demonstration of a security vulnerability. |
| Waves | A term that EdOverflow uses to describe the phenomenon whereby a low-quality report is rewarded on a program and then disclosed, after which a large number of programs are suddenly flooded with copy-pasted versions of that report. |
| Scavenging | Another term that EdOverflow uses, referring to hunters who wait for publicly disclosed reports in order to verify that the patch does in fact resolve the issue and that there are no bypasses. This is one good reason for disclosing reports publicly: it allows hunters to double-check your fix. |