At Zerocopter, we are continuously learning and improving to optimize the experience for both our customers and our researchers. Sometimes these optimizations are small, sometimes big, sometimes noticed, sometimes completely unnoticed. Because the feature we are releasing this time is both big and noticeable, we want to explain it to you in more depth.
When we launched Zerocopter back in 2015 we introduced a way of rewarding bug bounty researchers using fixed rewards based on the category of the vulnerability. This worked. The bug bounty industry was new and confusing and we needed a way to make bug bounties more accessible for the “mainstream”.
However, over the years the bug bounty industry has gained more traction, and by now you could almost call it an industry standard. Bug bounties are increasingly incorporated into business processes, companies see the added benefits, and researchers specialize more and invest a lot of time in studying, testing and learning to find the most and/or best bugs, for their own reputation, income and curiosity, and for their fight to make the world a safer place.
That's why we're changing the way we determine bounties. To give an example of what changed: previously the reward for a report was linked to a very specific vulnerability category. This is helpful for researchers, because they immediately know what the reward for a report will be. The downside is that it's hard to maintain. Researchers keep finding new and innovative ways to exploit systems, and whenever a finding did not fit an existing category we first had to add a new category and determine its severity and reward, which delayed the researcher's report. A fixed category also ignores that the same vulnerability can have a very different impact depending on the infrastructure it is found in and the business risk it creates.
On the 28th of April 2021 we're introducing a new way. From then on the reward for a report will be determined by the severity of the report. We are implementing a CVSS calculator to help determine this severity. The available severities will be Info, Low, Medium, High and Critical, and each severity has a minimum reward. This makes rewards fairer towards both the organization running the bug bounty program and the researcher: no more fixed prices based on static bug descriptions, but prices based on impact and severity. Of course customers can still give a bonus, or choose to pay more than the minimum for that severity based on the market value of the finding.
The new reward flow works as follows:
1. When researchers submit a report, they set the severity of the report based on their own assessment, or use the CVSS calculator to determine it.
2. The Zerocopter triage team evaluates the severity, category and content of the report and checks whether the proposed reward is consistent with its severity.
3. Once the report has been triaged by Zerocopter, customers can validate the report themselves and decide whether they agree with our assessment of the severity.
4. Customers set the reward, and Zerocopter handles the rest from there.
Next to all this, there will be some additional changes to support the new reward flow, and some existing flows might change slightly. We are adding the severity Critical, and once you choose a reward the payment will be scheduled immediately. All of this is to make the Zerocopter experience, and even the general bug bounty experience, much more fun -and fair- for everybody involved. Customers, hackers, consultants and cats. Let's do this: ONE STEP BEYOND! #onestepbeyond