Payment processes

The first month of the bug bounty programme paid out €4,200 across twelve valid findings. Adora Belle reviewed the spend at the quarterly security budget meeting and increased the annual line item: the findings were worth more to fix early than they would have been to discover after a breach. Payment is the mechanism by which the programme attracts and retains good researchers, so the process needs to be fast, predictable, and unambiguous. Reward amounts follow published tiers, the approval chain is clear, and the timeline is specific. This runbook covers the reward tiers, the authorisation flow, HackerOne and Intigriti payment mechanics, tax considerations, the payment timeline, and budget management.

Reward tiers

The published reward tiers are:

Critical:  €5,000 - €15,000
High:      €1,000 - €5,000
Medium:    €500 - €1,000
Low:       €100 - €500

All valid findings also receive Golem Trust swag (a package mailed to the researcher’s address on request, containing branded items that do not identify specific clients or operations).

The published tiers are ranges, not fixed amounts. The final amount within the tier is determined by three factors: impact (how severe is the actual exploitation risk given Golem Trust’s specific context), exploitability (how easy is the attack, does it require preconditions, is it realistic), and report quality (clear reproduction steps, proposed remediation, clean communication that reduced triage effort).

A Critical finding at the top of the range (€15,000) requires all three: maximum impact, trivially exploitable, and an excellent report. A Critical finding at the bottom of the range (€5,000) might be technically Critical but require significant preconditions or represent a finding where the report required considerable triage effort.

Authorisation flow

Reward amounts within the Low and Medium tiers are authorised by Angua. No further approval is needed.

Reward amounts in the High tier (€1,000 to €5,000, as published) require Carrot’s approval. Angua proposes the specific amount with a brief justification in the #bugbounty-payments private Slack channel. Carrot approves or adjusts within one business day.

Reward amounts in the Critical tier require Adora Belle’s approval. Angua proposes the amount with a detailed justification. Adora Belle approves within two business days. For Critical findings with complex impact assessments, Angua schedules a brief call with Adora Belle rather than communicating solely via Slack.

Approvals are recorded in the #bugbounty-payments Slack channel log, which is retained indefinitely for audit purposes. The approved amount and the approver’s name are recorded in the DefectDojo finding before the reward is offered to the researcher.

Payment mechanics

HackerOne and Intigriti handle payment processing. Golem Trust does not transfer funds directly to researchers. Instead:

For HackerOne: after approval, mark the report as eligible for reward in the HackerOne platform and enter the reward amount. HackerOne handles the transfer to the researcher’s connected payment method.

For Intigriti: after approval, submit the reward request through the Intigriti programme management interface. Intigriti processes the payment to the researcher.

Both platforms require the researcher to have accepted the programme terms before a reward can be processed. A researcher who has not yet accepted the terms will receive a prompt from the platform. Angua does not need to follow up on this; the platform handles it.

Both platforms issue receipts and handle the accounting relationship with the researcher. Golem Trust’s finance team receives invoices from HackerOne and Intigriti on a monthly basis, consolidated across all rewards processed that month.

Tax considerations

Researchers are responsible for their own tax obligations in their jurisdiction. Golem Trust does not provide tax advice to researchers. This is stated explicitly in the programme terms on both platforms.

Receipts for all rewards are issued through the platform; they are generated by HackerOne and Intigriti, not by Golem Trust directly. If a researcher requests additional documentation for their tax return, they should be directed to the platform’s support function.

The finance team maintains records of all reward payments for Golem Trust’s own tax reporting purposes, via the monthly invoices from the platforms.

Payment timeline

The reward offer is made within 7 days of fix verification. The researcher’s acceptance triggers the platform payment process. Payment is processed within 14 days of the reward offer being accepted.

The authorisation process (Angua for Low and Medium, Carrot for High, Adora Belle for Critical) should complete before the “fix confirmed and closing” communication is sent to the researcher, so that the reward amount can be included in that message. Do not send the closing communication and then begin the approval process; begin the approval process as soon as the researcher confirms the fix is good.

If the approval chain takes longer than expected and the researcher has already received the closing message without a reward amount, Angua should follow up with the reward offer as soon as approval is obtained, with an apology for the delay.

Budget management

The annual bug bounty budget is a named line item in the security budget. The initial amount was set based on comparable programmes and Adora Belle’s estimate of likely finding volume and severity distribution. After the first month’s results, the budget was increased at the quarterly review.

Angua maintains a running spend tracker in a shared spreadsheet accessible to Carrot and Adora Belle. The tracker records: finding ID, severity, reward proposed, reward approved, reward paid, date paid, and cumulative spend against the annual budget.

The budget is reviewed quarterly. Inputs to the review are: cumulative spend versus budget, number and severity distribution of findings, comparison against industry benchmarks for programme cost per valid finding, and any strategic changes to scope that would affect finding volume.

If spend is tracking to exceed the annual budget, Adora Belle is notified before the budget is reached, not after. The appropriate response may be a budget increase, a temporary reduction in reward tiers, a scope reduction, or a combination. Any tier reduction is published on both platforms before it takes effect and applies only to reports submitted after the change; reports already in triage are paid at the tiers in force when they were submitted. The programme should never reach a state where a researcher submits a valid Critical finding and the budget does not have capacity to pay the appropriate reward.
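As an added example (not part of this runbook or of Golem Trust’s tooling), the following Python models the spend tracker described above: it validates proposed amounts against the published tiers, refuses an approval recorded by the wrong approver for the tier, and projects annual spend from the run rate so far so that the “notify Adora Belle before the budget is reached” check can be run on every update rather than discovered at the quarterly review. The €40,000 annual budget, the GT-nnn finding IDs, and the twelve-finding sample that reproduces the €4,200 first-month figure are constructed for the example and are not figures from the programme.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Published reward tiers (EUR) and the approver each tier requires, per the runbook.
TIERS: Dict[str, tuple] = {
    "Critical": (5_000, 15_000),
    "High": (1_000, 5_000),
    "Medium": (500, 1_000),
    "Low": (100, 500),
}
APPROVER = {"Low": "Angua", "Medium": "Angua", "High": "Carrot", "Critical": "Adora Belle"}


def validate_amount(severity: str, amount: int) -> None:
    """Reject an amount outside the published range for its tier."""
    if severity not in TIERS:
        raise ValueError(f"unknown severity {severity!r}")
    low, high = TIERS[severity]
    if not low <= amount <= high:
        raise ValueError(f"{severity} reward must be within €{low}-€{high}, got €{amount}")


@dataclass
class RewardRecord:
    """One row of the tracker: finding ID, severity, proposed, approved, paid, date paid."""
    finding_id: str
    severity: str
    proposed: int
    approved: Optional[int] = None
    approver: Optional[str] = None
    paid: Optional[int] = None
    date_paid: Optional[date] = None

    def committed(self) -> int:
        # Until an approval exists, the proposal is the best estimate of the obligation.
        return self.approved if self.approved is not None else self.proposed


class SpendTracker:
    def __init__(self, annual_budget: int, year_start: date) -> None:
        self.annual_budget = annual_budget
        self.year_start = year_start  # first day of the budget year
        self.records: Dict[str, RewardRecord] = {}

    def propose(self, finding_id: str, severity: str, amount: int) -> RewardRecord:
        validate_amount(severity, amount)
        self.records[finding_id] = RewardRecord(finding_id, severity, amount)
        return self.records[finding_id]

    def approve(self, finding_id: str, amount: int, approver: str) -> RewardRecord:
        """Record an approval; the approver must be the one the tier requires."""
        rec = self.records[finding_id]
        validate_amount(rec.severity, amount)
        required = APPROVER[rec.severity]
        if approver != required:
            raise PermissionError(f"{rec.severity} rewards require {required}, not {approver}")
        rec.approved, rec.approver = amount, approver
        return rec

    def mark_paid(self, finding_id: str, paid_on: date) -> RewardRecord:
        rec = self.records[finding_id]
        if rec.approved is None:
            raise ValueError("cannot pay an unapproved reward")
        rec.paid, rec.date_paid = rec.approved, paid_on
        return rec

    def committed(self) -> int:
        return sum(r.committed() for r in self.records.values())

    def paid_total(self) -> int:
        return sum(r.paid or 0 for r in self.records.values())

    def headroom(self) -> int:
        return self.annual_budget - self.committed()

    def projected_annual_spend(self, as_of: date) -> float:
        """Straight-line projection of committed spend from the run rate so far this year."""
        elapsed = (as_of - self.year_start).days
        year_len = (self.year_start.replace(year=self.year_start.year + 1) - self.year_start).days
        return 0.0 if elapsed <= 0 else self.committed() / elapsed * year_len

    def alerts(self, as_of: date) -> List[str]:
        """Conditions under which Adora Belle must be told before the budget is hit."""
        out: List[str] = []
        projected = self.projected_annual_spend(as_of)
        if self.committed() > self.annual_budget:
            out.append(f"budget exceeded: committed €{self.committed():,} > €{self.annual_budget:,}")
        elif projected > self.annual_budget:
            out.append(f"projected spend €{projected:,.0f} exceeds budget €{self.annual_budget:,}")
        if self.headroom() < TIERS["Critical"][1]:  # must always be able to pay a top Critical
            out.append(f"headroom €{self.headroom():,} below top Critical reward")
        return out


def build_first_month_tracker() -> SpendTracker:
    """Constructed sample: twelve approved findings totalling €4,200, all paid in month one."""
    t = SpendTracker(annual_budget=40_000, year_start=date(2025, 1, 1))  # budget is assumed
    sample = [("GT-001", "High", 1_500)]
    sample += [(f"GT-{i:03d}", "Medium", 500) for i in (2, 3, 4)]
    sample += [(f"GT-{i:03d}", "Low", 150) for i in range(5, 13)]
    for fid, sev, amt in sample:
        t.propose(fid, sev, amt)
        t.approve(fid, amt, APPROVER[sev])
        t.mark_paid(fid, date(2025, 1, 28))
    return t


if __name__ == "__main__":
    tracker = build_first_month_tracker()
    print(f"committed €{tracker.committed():,}, headroom €{tracker.headroom():,}")
    for line in tracker.alerts(date(2025, 2, 1)):
        print("ALERT:", line)
```

The projection is deliberately a straight line from committed spend, so it is a trip-wire rather than a forecast: one month at €4,200 projects to roughly €49,500 against the assumed €40,000 budget and raises the alert, which is exactly the point at which the runbook wants Adora Belle informed. Counting proposed-but-unapproved amounts as committed is also deliberate, since an offer in flight is an obligation the budget must be able to honour.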

The programme’s return on investment is assessed annually in terms of findings discovered versus the estimated cost of those vulnerabilities being exploited. The first full year’s assessment is scheduled for Adora Belle’s review in the Q1 planning cycle.