What do bug bounty programs expect from me?

Some of these points may seem obvious, but they are key to good-natured interactions with bug bounty programs.

Always respect the team. If you are unhappy with a decision they made, start by communicating your concerns clearly to the team, and then, if they are not willing to help you further, you may decide what to do next. On a side note, feedback is very often welcome — even in public form — as long as it is constructive. Nobody is going to listen to you if you just start ranting on Twitter about how disappointed you are with a program's final decision.

Play by the rules and know your boundaries

Rules are rules, especially in the information security industry. Not abiding by them can have major consequences, such as a company taking legal action against you. This is why you should also familiarise yourself with your legal boundaries. Reading the "Coders’ Rights Project Vulnerability Reporting FAQ" by the Electronic Frontier Foundation and following Amit Elazari's work on legal safe harbours for hunters are good starting points.

High-quality reports

A good report helps the bug bounty program evaluate the severity of your finding and resolve the issue swiftly. Make sure you follow the points raised in "What does a good report look like?".