Share this blog:

Changing the way Zerocopter rewards

At Zerocopter, we are continuously learning and improving to optimize the experience for both our customers and our researchers. Sometimes these optimizations are small, sometimes big, sometimes noticed, sometimes completely unnoticed. As the feature we are releasing this time will be big AND noticeable we want to explain it more in depth to you.

When we launched Zerocopter back in 2015 we introduced a way of rewarding bug bounty researchers using fixed rewards based on the category of the vulnerability. This worked. The bug bounty industry was new and confusing and we needed a way to make bug bounties more accessible for the “mainstream”. 

However, over the years the bug bounty industry has gained more traction and by now you could almost call it an industry standard. Bug bounties are more and more incorporated in business processes, companies see the added benefits, researchers specialize more and invest a lot of time in studying, testing and learning to find the most and/or best bugs. For their own reputation, income, curiosity and their fight in making the world a safer place.


That’s why we’re changing the way that we determine bounties. To give an example of what changed; previously the reward of a bounty would be linked to a very specific category. This is helpful for researchers because they immediately know what the reward for a report will be. The downside is that it’s hard to maintain. Researchers keep finding new innovative ways to exploit vulnerabilities in systems. The researcher's time to report gets delayed when in certain situations a new category needs to be added and we need to determine the appropriate severity, category and reward for that specific vulnerability. Which, for example, could also have a different impact in different types of infrastructure or business risks. 

On the 28th of April 2021 we’re introducing a new way. From then on the reward of a report will be determined by the severity of the report. We are implementing a CVSS-calculator to help determine this severity. The available severities will be Info, Low, Medium, High and Critical. Each severity has a minimum reward. This allows rewards that are more fair towards the organization running the bug bounty program and the researcher. No more fixed prices based on static bug descriptions. Prices based on impact and severity. And of course customers can still give a bonus. Or choose the higher payout amount based on market value.

CVSS-calculator


The new reward flow works as follows:

  • When researchers submit a report they will set the severity of the report based on their beliefs or use the CVSS-calculator.
  • The Zerocopter triage team will evaluate the severity, category, content and  determine if the reward is in coherence with the severity of the report.
  • If the report is triaged by Zerocopter, customers can validate the report themselves, and decide if they agree with our determination of the severity.
  • Customers set the reward and Zerocopter will handle the rest from there.
Add a reward


Next to all this, there will be some additional changes to support the new rewards flow. Some flows might slightly change. We are adding the severity critical and when you choose a reward the payment will be scheduled immediately. But all of this is to make the Zerocopter experience, and even the general bug bounty experience, much more fun -and fair- for everybody involved. Customers, hackers, consultants and cats. Let’s do this: ONE STEP BEYOND! #onestepbeyond

Act 1 - Security Theater in Play

Digital defense in need of a larger vision by greater people

Edwin van Andel on Coordinated Vulnerability Disclosure and NIS2

What is template injection?

What's the key to a successful Coordinated Vulnerability Disclosure process?

Let's talk about Local File Inclusion

What is Cross Site Request Forgery?

Let's talk about SQL Injection

What is an Insecure Direct Object Reference (IDOR)?

What is cross-site scripting (XSS)?

Reporting tips: using Markdown to make your report look better

Reporting tips: setting the severity of a report with the CVSS calculator

New guide from Cybersprint: This is how you hack a city

Why having a #FirstAidKit is not enough for proper cyber security - but does help!

Don’t let vulnerabilities become your weakness: implement a Coordinated Vulnerability Disclosure program

New buyer's guide from Cyber Safe Netherlands

Changing the way Zerocopter rewards

Zerocopter Recon - the ultimate start for organizations

When a fun idea spirals out of control - The Office Bug Bounty Game

How to deal with a vulnerability reported by an ethical hacker?

This is how hackers investigate your online security

Why letting your website get hacked makes it safer - Responsible disclosure

Why you should get yourself hacked by a group of hackers you don't know

Bollo. The quest for a Zero-day scanner

Written by Zerocopter

April 26, 2021

Share this blog:

Next blog

Changing the way Zerocopter rewards

Heading

Want to know everything about Zerocopter?

Download our brochure
Zerocopter brochure - Always one step beyond
Zerocopter logo
Login
Contact
For companies
Bug Bounty Program
Coordinated Vulnerability Disclosure
How we work
Platform
Dedicated Hacker Time
Pricing
Zerocopter for
Researchers
CEO
CISO
CFO
CTO
About Zerocopter
About us
Events
Contact
Careers
Resources
All resources
Downloads
Customers
Blogs
News
FAQ

Stay up to date!

Sign up for the newsletter

Terms & Conditions
Privacy and cookie policy
Coordinated Vulnerability Disclosure
© Zerocopter B.V.