# Rewards Model

## Overview

At Bypassec, we reward security researchers fairly and proportionally, reflecting the severity of the vulnerabilities found. Our model is designed to ensure that all efforts are properly recognized and incentivized.

### Vulnerability Validation

At the end of the tournament, all vulnerabilities will be manually validated by the Bypassec team before their statuses are updated.

Incomplete reports or those that do not contain a clear description and reproduction steps will be automatically invalidated and will not be eligible for a reward. Similarly, vulnerabilities that do not demonstrate a relevant impact on the organization will be considered invalid.

{% hint style="warning" %}
During the validation process, Bypassec may contact the researcher via email or Discord if the report requires additional information. The researcher will have **48 hours** to respond before the vulnerability is invalidated.
{% endhint %}

## Severity Classification

The severity levels used to classify vulnerabilities are as follows:

* <mark style="color:green;">**Informational**</mark>
* <mark style="color:blue;">**Low**</mark>
* <mark style="color:yellow;">**Medium**</mark>
* <mark style="color:red;">**High**</mark>
* <mark style="color:purple;">**Critical**</mark>

Bypassec uses the [CVSS Score 3.1](https://www.first.org/cvss/calculator/3.1) as a reference to classify the severity of vulnerabilities.

However, it is important to emphasize that severity may vary based on the impact of the vulnerability, its relevance to the organization, and the ease of exploitation.

{% hint style="info" %}
In the event of conflicts between the classification model and the specific competition policy, the competition policy will prevail.
{% endhint %}

## Reward Pool Distribution

Each competition on Bypassec has a reward fund that will be distributed based on the severity of the reported vulnerabilities. Below are the details of the distribution:

### <mark style="color:blue;">**Low**</mark> Severity

If only low-severity vulnerabilities are reported:

| Severity | Pool Percent |
| -------- | ------------ |
| Low      | 20%          |

### <mark style="color:$warning;">**Medium**</mark> Severity

If medium-severity vulnerabilities are reported:

| Severity  | Pool Percent |
| --------- | ------------ |
| Low       | 15%          |
| Medium    | 35%          |
| **Total** | **50%**      |

### <mark style="color:$danger;">**High**</mark> and <mark style="color:purple;">**Critical**</mark> Severity

If high- or critical-severity vulnerabilities are reported:

#### Without Critical Reports

| Severity  | Pool Percent |
| --------- | ------------ |
| Low       | 10%          |
| Medium    | 30%          |
| High      | 60%          |
| **Total** | **100%**     |

#### With Critical Reports

| Severity  | Pool Percent |
| --------- | ------------ |
| Low       | 5%           |
| Medium    | 20%          |
| High      | 30%          |
| Critical  | 45%          |
| **Total** | **100%**     |

### Special Cases

{% hint style="info" %}
If a specific severity level in the table is not reported, its percentage of the fund will be distributed equally among all higher severity levels.
{% endhint %}

## Duplicate Vulnerabilities

At Bypassec, duplicate vulnerabilities are also rewarded. If a vulnerability is duplicated, the reward for that specific flaw will be divided among all researchers who reported it.

For example, let’s imagine that four reports were submitted: <mark style="color:purple;">**A**</mark>, <mark style="color:purple;">**B**</mark>, <mark style="color:purple;">**C**</mark> and <mark style="color:purple;">**D**</mark>:

* Report **A** is a unique vulnerability
* Reports **B**, **C**, and **D** are the same vulnerability

In this case, the three identical reports will split the prize allocated for that vulnerability. The distribution would be as follows:

| Report ID | Reward                                         |
| --------- | ---------------------------------------------- |
| A         | $ <mark style="color:orange;">**X**</mark>     |
| B         | $ <mark style="color:orange;">**X / 3**</mark> |
| C         | $ <mark style="color:orange;">**X / 3**</mark> |
| D         | $ <mark style="color:orange;">**X / 3**</mark> |

This reward model ensures that all researchers who contribute to the security of the application are recognized, even when reporting duplicate vulnerabilities.

## Points

For every valid vulnerability reported, the researcher will receive points. This score will be used to determine the researcher's position in the Bypassec global ranking and define their performance.

### Points Distribution

Points are distributed based on the severity and uniqueness of the vulnerability found.

| Severity                                        | Unique | Duplicate |
| ----------------------------------------------- | ------ | --------- |
| <mark style="color:blue;">**Low**</mark>        | 10     | 5         |
| <mark style="color:yellow;">**Medium**</mark>   | 20     | 10        |
| <mark style="color:red;">**High**</mark>        | 30     | 15        |
| <mark style="color:purple;">**Critical**</mark> | 40     | 20        |

### Why earn points?

Scores are the metrics used by Bypassec to identify the top researchers on the platform. These researchers will have the opportunity to receive exclusive advantages and rewards, such as:

* Invites to private competitions
* Job interview opportunities
* Bypassec merchandise and swag
* Reward bonuses
* Discounts on mentorships and courses from Bypassec partners

{% hint style="info" %}
These advantages will be defined and distributed spontaneously at specific periods determined by Bypassec, serving as an incentive for researchers.

None of the items described above constitutes a guarantee or should be viewed as a mandatory obligation to be provided by Bypassec.
{% endhint %}


