Learn bug bounty vocabulary: scope, safe harbor, proof of concept, duplicate reports, reward triage, and platform-specific language for HackerOne and Bugcrowd.
1 / 5
What is 'scope' in a bug bounty program?
Scope defines what you are allowed to test. In-scope typically includes: specific domains (e.g., *.example.com), APIs, mobile apps. Out-of-scope might include: third-party integrations, customer subdomains, production data. Testing out-of-scope targets can void safe harbor protections — always check the scope section of the program policy before testing.
2 / 5
What is 'safe harbor' in a bug bounty program policy?
Safe harbor is the legal guarantee: 'If you follow our responsible disclosure policy, we will not pursue criminal or civil action against you for your research.' Without safe harbor, security researchers face legal risk under laws like the CFAA (Computer Fraud and Abuse Act). Researchers should verify a program has explicit safe harbor language before testing — 'we appreciate responsible disclosure' is not safe harbor.
3 / 5
What does it mean when a bug bounty report is marked as a 'duplicate'?
Duplicate means: 'We already have this issue in our queue from another researcher.' The first valid report gets the bounty; subsequent reports of the same issue receive no reward. To reduce duplicate risk: check the program's Hall of Fame for recently credited researchers; if similar issues have been reported, note the differentiation in your report. Some programs pay reduced rewards for informational duplicates that add new context.
4 / 5
What is 'reward triage' in the context of a bug bounty program?
Triage is the first stage of report review: is this a valid vulnerability? Is it in scope? What is the severity? Triage state vocabulary: 'New' (submitted), 'Triaging' (under review), 'Triaged' (validated, severity assigned), 'Duplicate', 'Informative' (not a security issue), 'N/A' (not applicable/out of scope). After triage, the report moves to 'Resolved' once patched and the reward is awarded.
5 / 5
What phrase indicates a bounty award in bug bounty platform communication?
'You've been awarded $X for this finding' is the standard bounty payment notification. Note the distinction: a report can be 'resolved' (fixed) without a bounty if it was out-of-scope, informative, or a duplicate. Bounty award and fix are separate events — some programs award on triage; others award on fix. The award message typically includes the severity rating and the reward amount.