This is an old revision of the document!
# Philosophy
## Differences from standard testing Single-sourced: - looking mostly for common-ish vulns - not competing with others - incentivized for count - payment guaranteed and quality check based on approximation
Crowdsourced: - looking for vulns that aren't as easy to find - racing vs. time - competitive vs. others - incentivized to find unique bugs - payment based on impact not number of findings
## Tips / Notes:
- 1st party bug bounties = Google Paypal, etc - 2nd party bug bounties = Bugcrowd, H1, Synack, etc
Because competition is introduced; when working in a bug bounty it is essential to have templates set up for your “most found” classes of vulnerabilities. Obviously custom vulnerabilities will always be custom writeups, but having a template for ones that come up often is essential. Protip: always remember to change the URLS and domains in the templates. Nothing will get a bug invalidated faster than stating the wrong domain or URLs in a report.
When designing these templates there are two really great resources to read:
- https://blog.bugcrowd.com/advice-for-writing-a-great-vulnerability-report/ - https://forum.bugcrowd.com/t/writing-a-bug-report-attack-scenario-and-impact-are-key/640