arrow_backBack to product
Guides3 guides

Get up and running fast

Everything you need to know — all in one place.

How Bug Bounty Reports Work

Understand the full lifecycle of a FireFighter report from submission to payout.

1

Find a vulnerability

Security research can be conducted on any publicly accessible Fireball surface — the website, API, FireStation, and open-source repositories are all in scope. Out-of-scope systems are listed in the program brief.

2

Submit your report

Use the structured submission form to describe the vulnerability, reproduction steps, impact assessment, and suggested fix. Attach screenshots, HTTP captures, or proof-of-concept code as appropriate.

3

Triage and validation

The Fireball security team acknowledges reports within 48 hours. Validation typically takes 5–10 business days depending on complexity. You will receive status updates throughout the process.

4

Payout

Valid reports receive a cash reward within 30 days of validation. Payout amounts are published in the reward table and scale with CVSS severity score. Critical vulnerabilities earn the highest tier.

Writing a Strong Vulnerability Report

Best practices for reports that get validated quickly and earn higher rewards.

1

Lead with impact

Start your report with a one-paragraph executive summary explaining the real-world impact: what an attacker could do, which users are affected, and how severe the consequence is.

2

Provide reliable reproduction steps

Numbered, deterministic reproduction steps are the single most important factor in fast validation. Include exact HTTP requests (use Burp or curl captures), environment details, and any preconditions.

3

Classify correctly

Use the CVSS 3.1 calculator to self-assess severity. Accurate classification — not inflated — builds trust with the team and is rewarded with faster review turnaround.

4

Suggest a fix

Reports that include a technically sound suggested fix earn a quality bonus. You do not need to provide production-ready code — a clear description of the root cause and mitigation approach is sufficient.

Understanding Reward Tiers

How severity maps to payouts and what qualifies for bonus rewards.

1

Severity classification

Rewards are tiered by CVSS score: Informational (no reward), Low ($50–$150), Medium ($150–$500), High ($500–$2,000), Critical ($2,000+). Exact amounts depend on exploitability and scope of impact.

2

Bonus multipliers

Reports that include a working proof of concept, a patch suggestion, or affect a previously unknown attack surface qualify for a bonus multiplier on the base payout.

3

FireCredits

Top-performing FireFighters — those with multiple high or critical reports in a 90-day window — also earn FireCredits usable across the Fireball platform in addition to cash.

4

Disputes

If you disagree with a severity classification, you can request one review per report. The decision of the review panel is final. All dispute outcomes are shared back with the reporter.