We have recently been asked how our ranking point system works and how report quality is evaluated.
Our system has evolved quite a lot since inception, and some new report quality rating features have been added.
The first step in a bug report's life cycle is being (hopefully) accepted as valid by the program owner. Otherwise it is classified as invalid and receives an additional qualification that can eventually lead to a negative rating, as illustrated below:
Note that a valid report can be triaged again as “Informative” or “Won’t Fix” after validation and before being accepted.
Now that your shiny report has been accepted by the program owner, congratulations, you are now eligible for a reward.
But how are your ranking points calculated exactly?
a – Bounty
Depending on the bounty your report matches, you will be rewarded with ranking points:
– 15 POINTS for every bounty below 500€
– 25 POINTS for every bounty from 500€ to 2000€
– 50 POINTS for every bounty above 2000€
b – Quality rating
The program owner can also reward the quality of your report by awarding 1 to 5 additional ranking points.
c – CVSS scoring bonus
Again, the program owner can give you 1 additional point if your report's CVSS scoring is correct.
As summed up in this chart:
You get 7 additional points for a resolved bug, as a big thank you.
The big picture.
Finally, we’ve combined it all into a single graph for your convenience.
Is our ranking system clearer?
You can refer to our leaderboard to discover the top 100 hunters.