Bug Bounty Program Best Practices

We are often asked what the best way is to work with incoming reports on a bug bounty program. Below are some of the best practices we have found while running our own program. We have divided them into three sections: initial actions, determining criticality and evaluating, and final actions after reporting. Using these insights has given us great value as program runners, and has helped us attract and continually engage the best researchers on our platform and the web at large.

If we could only say one thing to program owners it would be to communicate with your researchers through the comments and evaluation fields. Make them understand why you are doing something and when. This will encourage the best responses, feedback, and retention of talent on your program.

With that in the back of your mind, please also consider the following best practices:

What to Do Initially When You Receive a Report

Perform your triaging (reproduce the proof of concept) and do the following based on your findings:


Evaluation and Criticality

When evaluating reports, how are the various categories defined? Here’s a brief guide:


In addition to the evaluation, we always recommend giving written feedback: this is the best way to show appreciation and engagement towards the researcher community.

After Evaluation

To keep track of whether a rewarded report has been fixed or not, we recommend using our labelling system and/or our integrations with GitHub or Jira.

When a report has been fixed it is good practice to write a comment to the researcher telling them so — that way they can check to see if it is in fact patched. It is up to you if you want to reward this extra check by the researcher via our tipping feature.


When a report has been evaluated, the business (and the researcher) will have the possibility to publicly disclose it. Disclosing a vulnerability report, once patched, is a great way to share security knowledge, acknowledge the researcher’s work and show the world you’re being proactive about your security.

Happy Evaluating!

About Julie Kuhrt
Julie Kuhrt is a former community content manager at Cobalt. With nearly a decade of experience across community and marketing teams, Julie brought a wealth of expertise and experience to her programs at Cobalt.