A quick update on our ranking point system.

We have recently been questioned on how our ranking point system works and how report quality is evaluated.

Our system has evolved quite a lot since inception, and some new report quality rating features have been added.

1- Triaging

The first step of a bug report life cycle is being ( hopefully ) accepted as valid by the program owner, otherwise it is classified as invalid and receives an additional qualification that eventually can lead to a negative rating, as illustrated below:

Note that a valid report can be triaged again as ” Informative ” or ” Won’t Fix ” after validation and before being accepted.

2- Accepted stage

Now that your shiny report has been accepted by the program owner, congratulations, you are now eligible for a reward.
But how are your ranking points calculated exactly?

a – Bounty

Depending on the bounty your report matches, you will be rewarded with ranking points:
– 15 POINTS for every bounty inferior to 500€
– 25 POINTS for every bounty from 500€, to 2000€
– 50 POINTS for every bounty superior to 2000€

b – Quality rating

The program owner can also reward the quality of your report and attribute 1 to 5 additional ranking points.

c – CVSS scoring bonus

Again, the program owner can give you 1 additional point if your report CVSS scoring falls right.

As summed-up in this chart: