Frequently Asked Question

Bug Bounty Program is a company's initiative that appreciates the findings of security holes from ethical hackers, also called Bughunters in an application / system / service.

Each organization / company can give an appreciation (reward) given. Appreciation can be in the form of money, or custom rewards such as certificates, leaderboards, T-shirts, and others.

The company will verify reports of vulnerabilities found. If the report is valid, then Bughunter is entitled to a reward according to the level of security holes found.

In general, vulnerability levels can be divided into 4, there are Low, Medium, High, and Critival. Each of these levels has different rewards. The amount of reward is determined by the company that owns the program.

Leaderboard is a list of the top Bughunters who meet certain qualifications / points. This list is determined by the number of points earned when participating in various Bug Bounty Programs.

Yes! Every Bug Bounty Program has points whose amount is determined by the level.

Bughunter can register for free and must verify data before joining a Bug Bounty Program. For companies that want to create a Bug Bounty Program, they must register (there are free and paid options) as a company by including their company email address and some of the requirements in the company registration form.

Bughunter is ONLY for Indonesians who can reside in any country and can show the appropriate personal data when verifying data.

1. Verify your email
2. Make sure your mobile number is verified using OTP
3. Upload 2 identities (ID Card, Passport, and Driver’s License) with your face selfie

There is no standard reference for reports of vulnerabilities. Things that must be at least reported are Bughunter Name, Time Found, Security Gap Name, Proof of Concept, Risk and Impact, Recommendations. Reports written in Indonesian.

When receiving a report, the Cyber Army Team will verify and validate the report. If valid, a report will be given to the Company to assess the level of risk. Furthermore, a reward will be given according to the level of risk.

We store reports on an encrypted server and are assigned a unique code for each report.

Publishing the findings of a vulnerability is not allowed, before the vulnerability is closed and the status of the report becomes Closed.

No, you may not. The vulnerability report can only be read by the Cyber Army Team, the related companies and the bughunter who discovered it.