Security researchers spend a lot of time and effort hunting bugs and writing up submissions. It is therefore often worth offering a goodwill payout to a whitehat even when a submission misses the mark: it demonstrates good faith and usually motivates the researcher to keep hunting bugs for your program.
When should we offer goodwill payouts?
Generally, it is good practice to offer a goodwill payout when a whitehat submits an out-of-scope report that does not require a fix but you still want to encourage them to keep hunting on your bug bounty program. You may also choose to reward a whitehat for a submission that provides informational value or that clearly required substantial effort.
Do we have to pay the 10% Immunefi fee for goodwill payouts?
Is there anything else we need to do for goodwill payouts? What about the severity level and report status?
Once you and the whitehat have agreed on the goodwill payment, change the severity level of the report to 'None'. This signals that the report is not within the scope of the program.
Then set the report status to 'Paid' rather than 'Closed', so that goodwill transactions are tracked and documented accurately alongside regular payouts.