Frequently Asked Questions

YesWeHack links organizations or projects in need of IS security with a crowd of skilled individuals.

First European bug bounty platform that relies on European Economic Area rules, principles and legislation.

Bounty Factory helps you create a Bug Bounty Program (BBP), also known as a Vulnerability Reward Program (VRP). A BBP is a competitive crowdsourcing initiative that rewards individuals for finding bugs in code (software, web sites, etc.).

YES WE HACK RESEARCHERS help developers to secure their code before it is public. It is usually a preventive security strategy.

A "Bug Bounty" program is a vulnerability scan program that rewards researchers who have found security flaws in the framework defined by the bug bounty program and its perimeter (scope). These vulnerabilities can be rewarded financially or otherwise (bounty).

To help you to create your Bug Bounty Program, you can use our Bug Bounty Program Rules Generator.

A bug bounty program can test the security of a defined perimeter (scope) by the crowd of security experts. The goal is to use a community of ethical experts to strengthen your security continuously and detect vulnerabilities before they are exploited.

The crowd security process is an innovative approach that draws on the expertise of a global community of white hat hackers (HUNTERS) and IT security enthusiasts.

A bug bounty program contains the rules that the hunter will have to adopt in order to contribute and submit security vulnerabilities.

At a minimum, it must state the perimeter (scope), the eligibility rules for vulnerabilities, and the vulnerabilities that are out of scope.

You can find examples of bug bounty programs on our bug bounty aggregator firebounty.com.

Private Program:
A private program is available by invitation only and enables the selection of participants and their number. You can invite the best hunters based on our rating (TOP HUNTERS). Thus, you will ramp up your Bug Bounty Program gradually. You control the tasks set for your teams and your budget. Hunters like private programs because they are the first to participate in your program, and statistically, they have a better chance of finding bugs.

Public Program:
A public program is available to everyone. The entire community can submit bugs.
The rewards that you give hunters are published and bonus amounts are also disclosed if you so desire.
A "Hall of Fame" helps publicly thank hunters that have contributed to your program.

A "Hunter" is an IT security researcher or enthusiast.

Submit the detailed exploitation process of the vulnerability that you've found, and its impacts on the target of the program. Attaching screenshots and a proof of concept will be a plus for a better consideration of your report.

As a Hunter, writing the vulnerability report is important: it will allow the representative to quickly validate your bug. Depending on the quality of the report, you will earn style points.

During a bug bounty program, hunters are looking for different types of vulnerabilities. These reports should be assessed by their clarity and their criticality for the perimeter defined in the program.

The amount of the rewards is at the full discretion of the manager, but it is common to reward a hunter if the report has imposed a change in the application code.

Once your program is launched in private or in public mode, you will qualify the bugs submitted by hunters, grant awards and finally correct the flaw. To be sure to master the workload of your Bug Bounty program, we invite you to visit our page on the Program Manager.

The hunters agree to comply with the disclosure rules of the bug bounty program from the moment they validate the terms and conditions of bountyfactory.io and during their enrollment in the program. An out-of-scope vulnerability will likely not be rewarded and the hunter may lose points.

A vulnerability is considered accepted when it has been tested and reproduced by the representative and when it complies with all the rules listed in the Bug Bounty program.

Then, the vulnerability is rewarded according to the rules defined in the bug bounty program.

A "duplicate" is a vulnerability which has already been submitted to the program. It can't be considered as valid and it will not be rewarded. However, the hunter still earns a point.

The minimum reward is the minimum reward indicated in the program that will be given to the hunter when a vulnerability report has been validated (non-duplicate).

There is no maximum reward. The amount is at the full discretion of the manager.

Spam: -10 points
Out-of-scope bug: -3 points
Need more info: -1 point
Duplicate bug: 1 point
Validated and closed bug: 7 points

Each reward brings points as follows:

Between 1 and 500 €: 15 points
Between 501 and 2000 €: 25 points
Above 2000 €: 50 points

A bonus between 0 and 5 points can be granted by the program according to the quality of the report and the techniques employed.

To understand his or her obligations, a Hunter must contact a tax center in his or her country to find out the formal requirements applicable to his or her situation and tax return.

YesWeHack, the company that owns BountyFactory, has contracted with European service providers subject to European laws (or European Law). Security measures have been put in place to assure the security of our data using multiple technologies across the entire range of services offered by YesWeHack. Program data is encrypted before it is stored in databases, and only authorized participants in the program have access to such data.

YesWeHack's entire physical infrastructure is hosted in secure data centers belonging to the OVH Group in Europe where physical access is secured using various technical tools and access control methods.

YesWeHack has also signed up for cyber security insurance to add a tool covering cyber risks and give its clients a guarantee. In addition, YesWeHack has an open and active bug bounty program with respect to its own services, including BountyFactory.