💸Rewards Model
Overview
At Bypassec, we reward security researchers fairly and proportionally, reflecting the severity of the vulnerabilities found. Our model is designed to ensure that all efforts are properly recognized and incentivized.
Vulnerability Validation
At the end of the tournament, all vulnerabilities will be manually validated by the Bypassec team before their statuses are updated.
Incomplete reports or those that do not contain a clear description and reproduction steps will be automatically invalidated and will not be eligible for a reward. Similarly, vulnerabilities that do not demonstrate a relevant impact on the organization will be considered invalid.
During the validation process, Bypassec may contact the researcher via email or Discord if the report requires additional information. The researcher will have 48 hours to respond before the vulnerability is invalidated.
Severity Classification
The severity levels used to classify vulnerabilities are as follows:
Informational
Low
Medium
High
Critical
Bypassec uses the CVSS v3.1 score as a reference to classify the severity of vulnerabilities.
However, it is important to emphasize that severity may vary based on the impact of the vulnerability, its relevance to the organization, and the ease of exploitation.
In the event of conflicts between the classification model and the specific competition policy, the competition policy will prevail.
Reward Pool Distribution
Each competition on Bypassec has a reward fund that will be distributed based on the severity of the reported vulnerabilities. Below are the details of the distribution:
Low Severity
If only low-severity vulnerabilities are reported:
Low: 20%
Medium Severity
If medium-severity vulnerabilities are reported (and nothing higher):
Low: 15%
Medium: 35%
Total: 50%
High and Critical Severity
If high- or critical-severity vulnerabilities are reported:
Without Critical Reports
Low: 10%
Medium: 30%
High: 60%
Total: 100%
With Critical Reports
Low: 5%
Medium: 20%
High: 30%
Critical: 45%
Total: 100%
Special Cases
If a specific severity level in the table is not reported, its percentage of the fund will be distributed equally among all higher severity levels.
Duplicate Vulnerabilities
At Bypassec, duplicate vulnerabilities are also rewarded. If a vulnerability is duplicated, the reward for that specific flaw will be divided among all researchers who reported it.
For example, let’s imagine that four reports were submitted: A, B, C and D:
Report A is a unique vulnerability
Reports B, C, and D are the same vulnerability
In this case, the three identical reports will split the prize allocated for that vulnerability. The distribution would be as follows:
A: $X
B: $X / 3
C: $X / 3
D: $X / 3
This reward model ensures that all researchers who contribute to the security of the application are recognized, even when reporting duplicate vulnerabilities.
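The following Python is an added worked example, not Bypassec's own code or tooling. It applies the rules stated in the Reward Pool Distribution, Special Cases and Duplicate Vulnerabilities sections to a constructed set of reports: the table is chosen by the highest severity present, an unreported tier's percentage is passed equally to the higher tiers, and duplicate reports of one flaw split that flaw's prize. One detail the page does not state is assumed here: a tier's share is divided equally among the distinct flaws in that tier before duplicates split each flaw's prize.

```python
"""Added worked example (not Bypassec's code): payouts under the reward-pool rules.

Rules taken from the page:
  * the distribution table is chosen by the highest severity reported;
  * a table tier with no reports passes its share equally to the higher tiers;
  * duplicate reports of one flaw split that flaw's prize equally.
Assumption not stated on the page: a tier's share is split equally among the
distinct flaws in that tier before duplicates divide each flaw's prize.
"""
from collections import Counter
from fractions import Fraction

# Severity order used by the "higher severity levels" rule. Informational is a
# severity level on the page but appears in no distribution table.
ORDER = ["low", "medium", "high", "critical"]

# Percent-of-fund tables from the page, keyed by the highest severity reported.
TABLES = {
    "low":      {"low": 20},
    "medium":   {"low": 15, "medium": 35},
    "high":     {"low": 10, "medium": 30, "high": 60},
    "critical": {"low": 5, "medium": 20, "high": 30, "critical": 45},
}


def tier_shares(severities):
    """Return {tier: percent of fund} as exact Fractions after redistribution."""
    severities = list(severities)
    if not severities:
        return {}
    table = TABLES[max(severities, key=ORDER.index)]
    present = set(severities)
    shares = {tier: Fraction(pct) for tier, pct in table.items()}
    # Walk tiers from lowest to highest so an absent tier's share (including
    # anything it just received from below) flows upward. Splitting only among
    # present tiers directly gives the same final numbers.
    for tier in ORDER:
        if tier not in shares or tier in present:
            continue
        higher = [t for t in shares if ORDER.index(t) > ORDER.index(tier)]
        # The table's top tier is always present, so `higher` is never empty.
        portion = shares.pop(tier) / len(higher)
        for t in higher:
            shares[t] += portion
    return shares


def payouts(fund, reports):
    """Per-researcher payout as exact Fractions.

    reports: iterable of (researcher, flaw_id, severity). Reports that share a
    flaw_id are duplicates of one vulnerability (the page's B, C, D case).
    """
    flaws = {}  # flaw_id -> (severity, [researchers who reported it])
    for researcher, flaw_id, severity in reports:
        if severity not in ORDER:
            continue  # Informational reports receive no share of the fund
        flaws.setdefault(flaw_id, (severity, []))[1].append(researcher)
    shares = tier_shares(sev for sev, _ in flaws.values())
    flaws_per_tier = Counter(sev for sev, _ in flaws.values())
    result = Counter()
    for severity, researchers in flaws.values():
        # Assumed: the tier's share is split evenly among its distinct flaws.
        flaw_prize = Fraction(fund) * shares[severity] / 100 / flaws_per_tier[severity]
        for researcher in researchers:
            result[researcher] += flaw_prize / len(researchers)  # duplicates split evenly
    return dict(result)


if __name__ == "__main__":
    # Constructed sample: A is a unique High; B, C and D are one Medium flaw
    # reported three times. No Low report, so Low's 10% is redistributed.
    sample = [
        ("alice", "A", "high"),
        ("bob", "B", "medium"),
        ("carol", "B", "medium"),
        ("dan", "B", "medium"),
    ]
    for name, amount in sorted(payouts(10_000, sample).items()):
        print(f"{name}: {float(amount):.2f}")
```

With a 10,000 fund, the sample selects the "Without Critical Reports" table; the absent Low tier's 10% is split between Medium (35%) and High (65%), so the unique High report is paid 6,500 and the three duplicate Medium reports split 3,500.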
Points
For every valid vulnerability reported, the researcher receives points. This score determines the researcher's position in the Bypassec global ranking and reflects their performance.
Points Distribution
Points are distributed based on the severity and uniqueness of the vulnerability found.
Severity: Unique / Duplicate
Low: 10 / 5
Medium: 20 / 10
High: 30 / 15
Critical: 40 / 20
Why earn points?
Scores are the metrics used by Bypassec to identify the top researchers on the platform. These researchers will have the opportunity to receive exclusive advantages and rewards, such as:
Invites to private competitions
Job interview opportunities
Bypassec merchandise and swag
Reward bonuses
Discounts on mentorships and courses from Bypassec partners
These advantages are defined and distributed at Bypassec's discretion, during specific periods determined by Bypassec, as an incentive for researchers.
None of the items described above constitutes a guarantee or should be viewed as a mandatory obligation to be provided by Bypassec.