One of the most challenging steps when running a bug bounty program is often determining the bounty amount. The reason is that there are a lot of factors involved during this process.
Bounties should, at the very least, be evaluated based on the overall severity of the security vulnerability. The reason for this is because you are trying to encourage hackers to report their findings directly to you rather than selling them to a third-party or maybe even exploiting the bug. One widely used metric for evaluating the severity of a security vulnerability is the Common Vulnerability Scoring System (CVSS). A bug bounty program's team should be able to understand CVSS scores and calculate them based on a report. It is important to note that the overall severity in CVSS consists of all three metric groups — Base Score, Environmental Score, and Temporal Score — and that all three should be considered when evaluating the bounty amount. CVSS is not perfect by any means, but currently, there are very few alternatives, so we will be sticking to this metric system until a new solution is published.
As seen in "The math behind bug bounties — A formula to calculate bounty amounts.", one way of creating a clear structure when calculating payout amounts is by simply using a mathematical formula. The formula presented in the piece takes your program’s maximum bounty amount and an exponent as input; then it maps the bounty amount to the overall severity of the finding. The output is a list of bounty amounts with their corresponding severity score.
Another aspect that should be considered when determining you bounty amounts is competition. If you really want to encourage the top hunters to participate in your program, you are going to need to stand out from the rest. Competitive bounty amounts are one way of attracting these highly-skilled hunters.