Enhancing the Detectify Crowdsource reward system


TL;DR: Starting November 1, 2023, the reward for each time a submitted module is found in customers’ assets (pay-per-hit) will be doubled for critical, high, and medium severity modules, while fixed payouts will be phased out.

Detectify Crowdsource was launched in 2018 to democratize security research from ethical hackers, which was commonly bound to bug bounty programs that yielded one-time rewards. Our unique approach pioneered the automation of crowdsourced security research, and we’ve created a profitable reward system where submitters are paid for the impact of their vulnerabilities in our customers’ assets.

Since launching our program, we have issued over USD 500,000 in rewards to our private community of ethical hackers. 

On accepted submissions, Crowdsource community members would previously receive a fixed payout, determined by the severity of the vulnerability submitted, and a payout every time that vulnerability was found in our customers’ systems (pay-per-hit).

From November 1, 2023, fixed payouts will be phased out and replaced by substantial enhancements to the pay-per-hit.

Maximizing benefits for both ethical hackers and customers 

We’re introducing an update to promote higher-quality modules and quicker implementation, and to ensure fair and continuous rewards for our ethical hackers:

  • Pay-per-hit is our most distinctive attribute. It allows hackers to receive a passive income for each unique hit produced in the Detectify customer base. We’re now taking pay-per-hit to new heights by amplifying rewards that maximize passive income opportunities.
  • We’re incentivizing submissions that can effectively safeguard our customers’ assets/technologies and will enable our team to streamline module triage and building. We anticipate this will mean faster processing times for submitted modules. 

The new reward system

  • We are substantially increasing the pay-per-hit: 
    • x2 the current amount paid per hit for critical, high, and medium severity submissions.
      (Now, USD 200, USD 100, and USD 40, respectively) 
  • We’re phasing out fixed payouts for all submissions.  
  • We’re boosting the 0-day bonus:
    • x3 the current amount for critical severity 0-day bonus.
      (Now, USD 300) 
    • x2 the current amount for high severity 0-day bonus.
      (Now, USD 200)

For example, with the new reward system, if you submit a critical severity module that obtains 100 unique hits, you will receive 20,000 USD (100 payouts of 200 USD). 

Combining human ingenuity and automation

Detectify Crowdsource consists of 400+ world-class ethical hackers who have generated over 250 million vulnerability findings across the attack surfaces of our 2000+ customers. This monumental achievement from our community is fueled by their submissions, knowledge, and dedication to making the Internet a safer place. No wonder we are proud of them!

Interested in joining our community?

Wondering how you can join our community of leading ethical hackers? Try out our signup challenge to see if you have the experience needed to join Detectify Crowdsource here.

Q&A

Will I get the new reward for modules submitted before November 1?

The new payouts will only apply to those modules submitted from November 1, 2023.

How can I make sure I’m spending time researching technologies that will generate hits?

In the Detectify CS platform, you can access the list of technologies and versions that have been fingerprinted in Detectify’s customers’ assets in the last 3 months. We’ve identified these technologies as being used by our customers to build their products. You can use this list to see which types of technologies are most commonly used by Detectify’s customers and to make your submissions more successful.

What is a payout/pay-per-hit?

Every time your submitted vulnerabilities are found in a unique customer application through the Detectify service, you will receive a payout-per-hit. The amount varies depending on the severity of your module.

What is a point per hit?

Along with the payout-per-hit, you also receive points each time your submitted vulnerability is found in a unique customer asset. These points can help you climb our leaderboard. We offer awards for the users at the top of our leaderboard.

What is a 0-day bonus?

If you submit a critical or high severity 0-day vulnerability, you will receive a 0-day bonus, along with regular payouts for the module. You will receive the 0-day bonus once the module has gone live. Remember to mark your submission as a 0-day in the submission form, and then we will validate the vulnerability and start the 0-day process.

Here is an example:

  • You submit a critical severity 0-day vulnerability.
  • Once the module goes live, you receive the critical 0-day bonus payout of $300.
  • The module gets 10 hits, so you receive a payout per hit of $200 x 10 hits = $2000.
  • In total, for this module, you earned $2300. 
  • Plus, as time goes on, you can receive more hits and keep the $$ coming! 
  • You also receive points per hit, which equals 5000 points (500 points x 10 hits).


