How it Works
Meet Com Olho, the all-in-one solution for Cyber Security Officers
A one-stop platform to find, fix and reward bug hunters.

Create Programs
Monitor Submissions
Fix & Reward in Real Time
By harnessing the collective expertise of global cyber sleuths, we're turning challenges into opportunities, transforming bugs into bounties, and making the web safer, one discovery at a time. Every coder, hacker, and cybersecurity enthusiast finds more than just vulnerabilities here; they find a community, a challenge, and a reward for their unparalleled skills.


Validation & Reporting
- Submission Review: The security team reviews each submitted vulnerability for validity, impact, and exploitability.
- Validation: The team tries to reproduce the vulnerability using the provided PoC or steps. If the reproduction succeeds, the vulnerability is considered validated.
- Severity Assessment: A severity level (e.g., Critical, High, Medium, Low) is assigned to the vulnerability based on its potential impact.
- Reward Determination: Rewards are determined based on the severity, quality of the report, and potential risk. Higher rewards are often given for more severe vulnerabilities.
- Communication: The researcher is notified of the validation result and the reward amount. Some programs may involve negotiation with the researcher regarding the reward.

Resolution
- Fix and Mitigation: The development or security team works on fixing the validated vulnerabilities promptly to enhance security.
- Communication: Maintain open communication with the researcher throughout the resolution process, providing updates on the progress.
- Verification: After fixing the vulnerability, the researcher may be asked to verify whether the issue has been successfully resolved.
- Acknowledgment and Reward: Publicly acknowledge the researcher's contribution, often by adding their name to a Hall of Fame or acknowledgment page. Provide the agreed-upon reward, either monetary or non-monetary.

Define a Scope
- Identify Scope: Define the specific applications, websites, platforms, or systems that are within the scope of the bug bounty program. This can include web applications, mobile apps, APIs, hardware devices, and more.
- List In-Scope Items: Clearly list what is considered in-scope, including URLs, IP ranges, and functionalities that researchers are allowed to test.
- Define Vulnerabilities: Specify the types of vulnerabilities that are of interest, such as Cross-Site Scripting (XSS), SQL Injection, Remote Code Execution, and more.
- Set Restrictions: Clearly outline what is out of scope. For example, social engineering attacks, physical attacks, and attacks on third-party applications may be considered out of scope.

Research & Reporting
- Research Phase: Researchers begin testing the in-scope targets for vulnerabilities based on the defined criteria.
- Discovery: When a researcher discovers a vulnerability, they document the details, including steps to reproduce, impacted systems, and potential impact.
- Responsible Disclosure: Researchers submit their findings through the designated channel, often a submission portal provided by the bug bounty platform.
- Proof of Concept (PoC): Researchers might include a PoC to demonstrate the exploitability of the vulnerability.
