- The Guide to Finding and Reporting Web Vulnerabilities
- About the Author
- About the Tech Reviewer
- Foreword
- Introduction
- Who This Book Is For
- What Is In This Book
- Happy Hacking!
- 1 Picking a Bug Bounty Program
- 2 Sustaining Your Success
- 3 How the Internet Works
- 4 Environmental Setup and Traffic Interception
- 5 Web Hacking Reconnaissance
- 6 Cross-Site Scripting
- 7 Open Redirects
- 8 Clickjacking
- 9 Cross-Site Request Forgery
- 10 Insecure Direct Object References
- 11 SQL Injection
- 12 Race Conditions
- 13 Server-Side Request Forgery
- 14 Insecure Deserialization
- 15 XML External Entity
- 16 Template Injection
- 17 Application Logic Errors and Broken Access Control
- 18 Remote Code Execution
- 19 Same-Origin Policy Vulnerabilities
- 20 Single-Sign-On Security Issues
- 21 Information Disclosure
- 22 Conducting Code Reviews
- 23 Hacking Android Apps
- 24 API Hacking
- 25 Automatic Vulnerability Discovery Using Fuzzers
Bug Bounty Platforms
Companies can host bug bounty programs in two ways: bug bounty platforms and independently hosted websites.
Bug bounty platforms are websites through which many companies host their programs. Usually, the platform directly awards hackers with reputation points and money for their results. Some of the largest bug bounty platforms are HackerOne, Bugcrowd, Intigriti, Synack, and Cobalt.
Bug bounty platforms are an intermediary between hackers and security teams. They provide companies with logistical assistance for tasks like payment and communication. They also often offer help managing the incoming reports by filtering, deduplicating, and triaging bug reports for companies. Finally, these platforms provide a way for companies to gauge a hacker’s skill level via hacker statistics and reputation. This allows companies that do not wish to be inundated with low-quality reports to invite experienced hackers to their private programs. Some of these platforms also screen or interview hackers before allowing them to hack on programs.
From the hacker’s perspective, bug bounty platforms provide a centralized place to submit reports. They also offer a seamless way to get recognized and paid for your findings.
On the other hand, many organizations host and manage their bug bounty programs without the help of platforms. Companies like Google, Facebook, Apple, and Medium do this. You can find their bug bounty policy pages by visiting their websites, or by searching “CompanyName bug bounty program” online.
As a bug bounty hunter, should you hack on a bug bounty platform? Or should you go for companies’ independently hosted programs?
The Pros . . .
The best thing about bug bounty platforms is that they provide a lot of transparency into a company’s process, because they post disclosed reports, metrics about the programs’ triage rates, payout amounts, and response times. Independently hosted programs often lack this type of transparency. In the bug bounty world, triage refers to the confirmation of a vulnerability.
You also won’t have to worry about the logistics of emailing security teams, following up on reports, and providing payment and tax info every time you submit a vulnerability report. Bug bounty programs also often have reputation systems that allow you to showcase your experience so you can gain access to invite-only bug bounty programs.
Another pro of bug bounty platforms is that they often step in to provide conflict resolution and legal protection as a third party. If you submit a report to a non-platform program, you have no recourse in the final bounty decision. Ultimately, you can’t always expect companies to pay up or resolve reports in the current state of the industry, but the hacker-to-hacker feedback system that platforms provide is helpful.
. . . and the Cons
However, some hackers avoid bug bounty platforms because they dislike how those platforms deal with reports. Reports submitted to platform-managed bug bounty programs often get handled by triagers, third-party employees who often aren’t familiar with all the security details about a company’s product. Complaints about triagers handling reports improperly are common.
Programs on platforms also break the direct connection between hackers and developers. With a direct program, you often get to discuss the vulnerability with a company’s security engineers, making for a great learning experience.
Finally, public programs on bug bounty platforms are often crowded, because the platform gives them extra exposure. On the other hand, many privately hosted programs don’t get as much attention from hackers and are thus less competitive. And for the many companies that do not contract with bug bounty platforms, you have no choice but to go off platforms if you want to participate in their programs.