Bug Bounty Program Basics for Companies

FAQ on Hiring Hackers

How do I tell hackers what I want?

Create your own security program page with instructions for hackers: what targets are in scope, what types of findings are eligible, what types are not, what rewards you will be paying, what behaviors are acceptable, and what the ideal vulnerability report should look like. Start with Antihack.Me's template, ask for help if you want it, and modify as needed.

How do I decide how much to offer hackers?

Set bug bounty awards by technical classification of the bug and severity of its possible impact. We recommend a minimum of $100. The average is around $500. To get attention from the world's best hackers, pay more than the platform average.

Who are the hackers?

Your hackers (also called security researchers) are selected from the top tier of Antihack.Me. You can invite your own hackers, or Antihack.Me can customize your invitations for your specific needs. Your program starts private but can be made public.

How soon do I get vulnerability reports?

Expect vulnerability reports in your inbox from Day 1. The average customer should receive 3 or more vulnerability reports in the first 2 weeks.

What happens when a report comes in?

Review the report for validity, using the report's proof of concept and the hacker's Reputation on Antihack.Me. If valid, fix the vulnerability on your own schedule.

How does the hacker get paid for valid reports?

For valid bugs, Antihack.Me handles the paperwork and payment to the hacker.

How do we know the bug bounty program is successful?

When you receive valid submissions, you know that your program is working. The sooner your engineering team can fix the bugs found, the more secure your system will be. When you deploy new software, you may want to offer new bounties to encourage repeat hackers to spend their time on you again.