Hackrate Bug Bounty Platform
After you have registered and verified your e-mail address, it is time to introduce yourself. In the Profile settings, you can make the following changes:
- Upload a profile picture
- Add your location
- Write a short introduction
- Change password
You can view your performance metrics, including the status of your score, hacker power, and hacker rate. Here is a short introduction to the key metrics:
- Score: Your score increases when you submit valid reports. The points for a report are based on its severity.
- Hacker Power: Hacker Power is calculated based on the criticality of the reported vulnerabilities.
- Hacker Rate: Hacker Rate is calculated based on the validity of your reports.
In profile settings, you can disable your account, but be careful with this function. It is permanent.
If you have submitted a valid report in a bug bounty program, you can set up and add different payout methods for how you'd like to receive your payments.
Before you start testing, you must apply for a program. With this function, you will be able to submit reports in the program. This function replaces the bookmark function, and it helps you manage the programs where you are testing by adding the program to your program list.
Go to a program page and click the Submit a report button. The report must contain the target, the vulnerability title, the vulnerability category, and the severity.
You must specify validation steps and attach a Proof-of-Concept (for example, a video or screenshots), which may help to understand and reproduce the vulnerability.
You can only submit a report in an active bug bounty program. A program can be in one of the following statuses:
- New (Active)
- Paused (Not active)
- Running (Active)
- Archived (Not active)
- Canceled (Not active)
There are bug bounty programs where HACKRATE helps the client's security team by pre-validating the reports. These programs are marked with the "HACKRATE managed" tag.
Each submitted bug bounty report starts in the "New" phase of its lifecycle. Here are all possible states of a report:
- New: When your report has been submitted, it starts in the "New" phase.
- Needs more info: It means that the Report Validation team needs additional details for the validation of your report.
- Informative: It means that your report was useful, but there is no need to fix it.
- Duplicate: It means that the reported vulnerability has already been reported by someone else before your report.
- Accepted: It means that the Report Validation team approved your report.
- Not accepted (out of scope): It means that the report was valid, but the asset or the issue is not in the program's focus.
- Not accepted (invalid): It means that the report was not valid or didn't have a proven security impact.
- Not accepted (spam): It means that the report doesn't contain any useful information for the company.
- Resolved: It means that the report has been fixed.
There are two types of credentials that can be used for testing purposes.
Your letmehack.it e-mail alias will forward all mail to your registered e-mail address at HACKRATE. What does it look like? Example: if your username is abcd, then your e-mail alias will be firstname.lastname@example.org.
In some programs, there are credentials provided by the Program Sponsor. Once you have requested the credentials, we will send them to you. Sometimes it takes 1-3 days.
With the "Apply for this program" function, you also bookmark the program. It helps you manage the programs you are testing, and it automatically adds the program to your program list (My programs). You will be notified when the program owner adds new scope, increases rewards, or removes restrictions.
You can view and manage the program invitations in My programs. If you accept the invitation to participate in a private program, you will be able to submit bugs in that program.
You can also unsubscribe from a program if you don't want to submit further reports in that program.
In some cases, bug bounty programs are only accessible to ID-verified Bounty Hunters. You can apply for ID verification in your Profile settings, and the whole verification process can be done in less than five minutes.