Bug Bounty HQ Points System
Bug Bounty HQ understands that, to many researchers, points are extremely important. The points system designed for Bug Bounty HQ is far fairer than those of other platforms and more representative of each resolved issue.
In the RTU you will notice the following columns: Reports / P Class / Awards / Duplicates.
Reports carry a maximum of 10 points. Each time more information is requested before the issue is triaged, 2 points are deducted, so complete information and a proof of concept (PoC) in your original report will ensure you gain the maximum award.
P Class (Priority Classification) carries a maximum of 10 points. When a company creates its bug bounty program, it assigns risk ratings to the various forms of vulnerability based on its own classifications, so one type of bug may carry a different classification at one company than at another. A Remote Code Execution vulnerability will always carry a P1 rating, which is automatically awarded 10 points. A CSRF attack may carry a P3 rating, which awards 6 points. A P6 rating awards 0 points.
Awards are simply based on $100 = 1 point. On other platforms, max points have a ceiling regardless of the amount paid; also, on one program a $500 bounty may carry the max points while on another program $500 awards the minimum. This system is extremely flawed. On Bug Bounty HQ, if you are awarded $15,000 for an issue you receive 150 points, and $50.00 awards you 0.5 points. Fractions are stored in the database until they make up a whole point, which is then added to your Award total.
Duplicates: the most hated word of any bug hunter. Again, Bug Bounty HQ believes duplicates are treated badly in terms of points on other platforms, where you get zero points, whereas on Bug Bounty HQ you receive the same number of points the original issue gained in its award. As an example, you have submitted a duplicate SQLi vulnerability. The original reporter is awarded $5,000, therefore receiving 50 Award points. You will also be awarded the same 50 points.
Negative 10 points are "awarded" for issues that are out of scope or are considered spam by the program team members. Always remember to read the program rules first before diving in.
Private Programs carry no points. Again, this is to remain fair to the researcher community, unlike the other platforms, where the top 100 keep getting invited to private programs, allowing them to accumulate even more points and making it more difficult for other researchers. This levels the playing field, allowing all researchers the opportunity to make it into the top 100.
Removal from the platform. One of the biggest complaints about bug bounties is signal-to-noise ratio. Bug Bounty HQ is aware that some researchers simply "carpet bomb" programs, with many of their submissions either out of scope or simply not applicable. To prevent this, should you receive a negative total of 200 points within a 365-day period (20 out-of-scope or spam submissions at -10 each), you will be removed from the platform for a period of 6 months. As long as you are reading the scope correctly, in theory you should never receive a negative 10 for a bug submission. Please ensure you read all program rules and scope prior to participating.
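The scoring rules above, worked through as an added example. This is illustrative code written for this page, not Bug Bounty HQ's own implementation, and it fills gaps the page leaves open with labelled assumptions: P2/P4/P5 are assumed to sit on linear 2-point steps between the P1, P3 and P6 values the page gives; the Reports column is assumed to floor at 0; a duplicate is assumed to credit only the Awards column; the 365-day window is counted as the 365 days up to and including the day of the latest submission; and the 6-month removal is treated as six calendar months. Money is handled in integer cents so the fractional-point ledger never suffers floating-point drift.

```python
from __future__ import annotations
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constants as stated on the page
REPORT_MAX_POINTS = 10        # Reports column: maximum 10
INFO_REQUEST_PENALTY = 2      # -2 per request for more information before triage
CENTS_PER_POINT = 10_000      # $100 = 1 Award point
OUT_OF_SCOPE_PENALTY = -10    # out of scope / spam
REMOVAL_THRESHOLD = -200      # rolling negative total that triggers removal
WINDOW_DAYS = 365
REMOVAL_MONTHS = 6

# ASSUMPTION: only P1=10, P3=6 and P6=0 are given; P2/P4/P5 are assumed linear.
P_CLASS_POINTS = {"P1": 10, "P2": 8, "P3": 6, "P4": 4, "P5": 2, "P6": 0}


def report_points(info_requests: int) -> int:
    """Reports column: 10 minus 2 per pre-triage info request (floor at 0 is assumed)."""
    return max(0, REPORT_MAX_POINTS - INFO_REQUEST_PENALTY * info_requests)


def p_class_points(p_class: str) -> int:
    return P_CLASS_POINTS[p_class]


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic (assumed meaning of '6 months'), clamping the day."""
    m = d.month - 1 + months
    year, month = d.year + m // 12, m % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class Researcher:
    reports: int = 0
    p_class: int = 0
    awards: int = 0                       # whole Award points only
    pending_cents: int = 0                # fractional point held until it makes a whole one
    penalties: List[Tuple[date, int]] = field(default_factory=list)
    removed_until: Optional[date] = None

    def _credit_award(self, amount_cents: int) -> int:
        """$100 = 1 point; any fraction stays in pending_cents until it completes a point."""
        self.pending_cents += amount_cents
        whole, self.pending_cents = divmod(self.pending_cents, CENTS_PER_POINT)
        self.awards += whole
        return whole

    def resolve(self, p_class: str, award_cents: int, info_requests: int = 0,
                private: bool = False) -> Tuple[int, int, int]:
        """Score a resolved original report; returns (reports, p_class, awards) credited.
        Private programs carry no points at all."""
        if private:
            return (0, 0, 0)
        r, p = report_points(info_requests), p_class_points(p_class)
        self.reports += r
        self.p_class += p
        return (r, p, self._credit_award(award_cents))

    def resolve_duplicate(self, original_award_cents: int, private: bool = False) -> int:
        """A duplicate receives the same Award points the original report gained.
        ASSUMPTION: only the Awards column is credited for a duplicate."""
        if private:
            return 0
        return self._credit_award(original_award_cents)

    def negative_total(self, as_of: date) -> int:
        """Sum of penalties in the 365 days up to and including as_of (assumed window)."""
        cutoff = as_of - timedelta(days=WINDOW_DAYS - 1)
        return sum(pts for d, pts in self.penalties if cutoff <= d <= as_of)

    def penalise(self, on: date) -> bool:
        """Out-of-scope / spam submission: -10. Returns True if this pushes the rolling
        total to -200 or below, which removes the researcher for 6 months."""
        self.penalties.append((on, OUT_OF_SCOPE_PENALTY))
        if self.negative_total(on) <= REMOVAL_THRESHOLD:
            self.removed_until = add_months(on, REMOVAL_MONTHS)
            return True
        return False


def carpet_bomb(penalty_days_ago: List[int], today: date = date(2024, 6, 30)) -> Optional[date]:
    """Replay out-of-scope submissions given as days before `today` (constructed sample
    input), oldest first, and return the removal date if the researcher is removed."""
    r = Researcher()
    for days in sorted(penalty_days_ago, reverse=True):
        r.penalise(today - timedelta(days=days))
    return r.removed_until


if __name__ == "__main__":
    r = Researcher()
    print(r.resolve("P1", 1_500_000))          # $15,000 RCE, no info requests
    print(r.resolve("P3", 5_000, info_requests=1))  # $50 CSRF: 0 whole points, 0.5 pending
    print(r.resolve("P6", 5_000))              # second $50 completes one Award point
    print(r.awards, r.pending_cents)
    print(carpet_bomb([0] * 20))               # 20 out-of-scope reports in one day: removed
    print(carpet_bomb([365] + [0] * 19))       # oldest one falls outside the window: not removed
```

The two `carpet_bomb` calls at the end show the boundary that matters for the removal rule: twenty -10 penalties inside the window reach -200 and set a removal date, while the same count with one penalty dated a full 365 days earlier stays at -190.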