What do bug bounty hunters expect from a program?

In a survey that I conducted, bug bounty hunters mentioned the following expectations.

Fast response times

Hunters love efficient programs with lightning-fast response times. Include a realistic service-level agreement in your security policy and stick to it. Something along these lines is mouth-watering for a hunter:

Pay on triage

You will often see bug bounty hunters using the expression "pay on triage". This encourages programs to reward hunters as soon as they are able to reproduce the issue. One way of accomplishing this is to pay based on the technical severity — the priority — at triage, and then, once you have determined the overall impact, pay the rest of the bounty based on the overall severity.


Since a lot of things in the bug bounty industry are based on trust, being transparent will help you gain the trust of the hunter.

Clear scope

Although this can be difficult under certain circumstances, for your program to take responsibility for the assets being targeted, you must ensure that you have a clearly defined scope.