The Guide to Finding and Reporting Web Vulnerabilities
Scope, Payouts, and Response Times
What other metrics should you consider when picking a program, besides its asset types and platform? On each bug bounty program’s page, metrics are often listed to help you assess the program. These metrics give insight into how easily you might be able to find bugs, how much you might get paid, and how well the program operates.
Program Scope
First, consider the scope. A program’s scope, stated on its policy pages, specifies what you are allowed to hack and how. There are two types of scope: asset scope and vulnerability scope. The asset scope tells you which subdomains, products, and applications you can hack, and the vulnerability scope specifies which vulnerability classes the company will accept as valid bugs.
For example, the company might list the subdomains of its website that are in and out of scope:
In-scope assets
- a.example.com
- b.example.com
- c.example.com
- users.example.com
- landing.example.com
Out-of-scope assets
- dev.example.com
- test.example.com
Assets that are listed as in scope are the ones that you are allowed to hack. On the other hand, assets that are listed as out of scope are off-limits to bug bounty hunters. Be extra careful and abide by the rules! Hacking an out-of-scope asset is illegal.
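Because testing an out-of-scope asset is illegal, the list above is worth enforcing mechanically rather than by memory. The following Python scope checker is an added example, not code from the book: it loads the chapter's sample in-scope and out-of-scope hosts, and refuses any target that is not explicitly in scope or that matches an exclusion. The support for `*.example.com` wildcard entries is an assumption that goes beyond the book's exact-hostname example, because real policies often list whole subdomain trees; out-of-scope entries always take precedence, since that is what exclusions are for.

```python
"""Scope checker: refuse to touch a host unless it is explicitly in scope.

Added example, not code from the book. The host lists are the chapter's
sample policy; the wildcard ("*.example.com") handling is an assumption
that generalizes beyond that example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Sample policy from the chapter: the in-scope and out-of-scope asset lists.
IN_SCOPE = [
    "a.example.com",
    "b.example.com",
    "c.example.com",
    "users.example.com",
    "landing.example.com",
]
OUT_OF_SCOPE = [
    "dev.example.com",
    "test.example.com",
]


@dataclass
class Scope:
    """A program's asset scope: hostnames and optional '*.domain' wildcards."""

    in_scope: list[str] = field(default_factory=list)
    out_of_scope: list[str] = field(default_factory=list)

    @staticmethod
    def _matches(pattern: str, host: str) -> bool:
        # Hostnames are case-insensitive; a trailing dot is the same name.
        pattern = pattern.lower().rstrip(".")
        host = host.lower().rstrip(".")
        if pattern.startswith("*."):
            # Wildcard covers any subdomain of the suffix, not the bare apex
            # itself and not unrelated names that merely end in the same text.
            suffix = pattern[2:]
            return host != suffix and host.endswith("." + suffix)
        return host == pattern

    def is_in_scope(self, target: str) -> bool:
        """True only if target matches an in-scope entry and no out-of-scope entry.

        `target` may be a bare hostname or a URL; only the hostname is checked.
        Exclusions win over inclusions, because policies list out-of-scope
        assets precisely to carve holes out of broad in-scope entries.
        """
        host = urlsplit(target).hostname if "://" in target else target
        if not host:
            return False
        if any(self._matches(p, host) for p in self.out_of_scope):
            return False
        return any(self._matches(p, host) for p in self.in_scope)

    def filter_targets(self, targets: list[str]) -> tuple[list[str], list[str]]:
        """Split a candidate list into (allowed, excluded) before any testing starts."""
        allowed: list[str] = []
        excluded: list[str] = []
        for t in targets:
            (allowed if self.is_in_scope(t) else excluded).append(t)
        return allowed, excluded


if __name__ == "__main__":
    scope = Scope(IN_SCOPE, OUT_OF_SCOPE)
    # Constructed list of hosts a recon step might have produced.
    candidates = [
        "https://users.example.com/login",
        "dev.example.com",
        "admin.example.com",  # not listed anywhere: treated as out of scope
        "A.EXAMPLE.COM",
    ]
    ok, skipped = scope.filter_targets(candidates)
    print("allowed:", ok)
    print("excluded:", skipped)
```

Run the checker over every host your reconnaissance produces and only feed the `allowed` list to later steps; anything unlisted is treated as out of scope rather than assumed fair game.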
The company will also often list the vulnerabilities it considers valid bugs:
In-scope vulnerabilities
- All except the ones listed as out of scope
Out-of-scope vulnerabilities
- Self-XSS
- Clickjacking
- Missing HTTP headers and other best practices without direct security impact
- Denial-of-service attacks
- Use of known-vulnerable libraries, without proof of exploitability
- Results of automated scanners, without proof of exploitability
The out-of-scope vulnerabilities that you see in this example are typical of what you would find in bug bounty programs. Notice that many programs consider non-exploitable issues, like violations of best practice, to be out of scope.
Any program with large asset and vulnerability scopes is a good place to start for a beginner. The larger the asset scope, the larger the number of target applications and web pages you can look at. When a program has a big asset scope, you can often find obscure applications that are overlooked by other hackers. This typically means less competition when reporting bugs.
The larger the vulnerability scope, the more types of bugs the organization is willing to hear reports about. These programs are a lot easier to find bugs in, because you have more opportunities, and so can play to your strengths.
Payout Amounts
The next metric you should consider is the program’s payout amounts. There are two types of payment programs: vulnerability disclosure programs (VDPs) and bug bounty programs.
VDPs are reputation-only programs, meaning they do not pay for findings but often offer rewards such as reputation points and swag. They are a great way to learn about hacking if making money is not your primary objective. Since they don’t pay, they’re less competitive, and so easier to find bugs in. You can use them to practice finding common vulnerabilities and communicating with security engineers.
On the other hand, bug bounty programs offer varying amounts of monetary rewards for your findings. In general, the more severe the vulnerability, the more the report will pay. But different programs have different payout averages for each level of severity. You can find a program’s payout information on its bug bounty pages, usually listed in a section called the payout table. Typically, low-impact issues will pay anywhere from $50 to $500 (USD), while critical issues can pay upward of $10,000. However, the bug bounty industry is evolving, and payout amounts are increasing for high-impact bugs. For example, Apple now rewards up to $1 million for the most severe vulnerabilities.
Response Time
Finally, consider the program’s average response time. Some companies will handle and resolve your reports within a few days, while others take weeks or even months to finalize their fixes. Delays often happen because of the security team’s internal constraints, like a lack of personnel to handle reports, a delay in issuing security patches, or a lack of funds to reward researchers promptly. Sometimes, delays happen because researchers have sent bad reports without clear reproduction steps.
Prioritize programs with fast response times. Waiting for responses from companies can be a frustrating experience, and when you first start, you’re going to make a lot of mistakes. You might misjudge the severity of a bug, write an unclear explanation, or make technical mistakes in the report. Rapid feedback from security teams will help you improve, and turn you into a competent hacker faster.