We’ve published a blog post that goes into detail about the way Bugcrowd prioritizes vulnerability submissions. It is worth reading: it explains which bugs pay out the most and how to increase the likelihood that a submission is accepted.
A security team cannot manage risk effectively without a vulnerability prioritization and management process. Many prioritization models are used across the industry, most of them based on some combination of vulnerability risk and impact. Without a clear model, how do you know what to fix first? Highest CVSS score? FIFO? LIFO? Issues that are already known externally? Each of these orders the same backlog differently. Whatever your prioritization plan is, it needs to be documented, and it needs to be updated as threats to your business change.
At Bugcrowd, every valid bug is assigned a priority rating based on the severity of its security impact. Issues rated Critical, such as SQL injection that results in remote code execution, receive higher rewards than low-severity issues. Note that this is our prioritization framework for web application vulnerabilities in managed programs; individual customers may modify it based on their business priorities and risk tolerance. Host infrastructure, mobile OS or app, IoT, and desktop application bounty programs are adjusted appropriately.
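To make the point of the two paragraphs above concrete, here is an added example (not Bugcrowd's code or its actual rating framework) that ranks one constructed backlog under each of the naive models named above, then under a small documented policy that bands findings by CVSS severity and bumps externally known issues up a band. The findings, the band thresholds (taken from the CVSS v3.x qualitative severity scale), the one-band bump for externally known issues, and the oldest-first tiebreak are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Finding:
    """One backlog item. All field values below are constructed sample data."""
    id: str
    cvss: float             # CVSS base score, 0.0-10.0
    submitted: int          # arrival order: 1 = oldest
    externally_known: bool  # publicly disclosed or seen exploited in the wild


# Constructed sample backlog (hypothetical findings, not real submissions).
BACKLOG: List[Finding] = [
    Finding("F1", 5.3, 1, False),
    Finding("F2", 9.8, 2, False),
    Finding("F3", 7.5, 3, True),
    Finding("F4", 4.3, 4, True),
    Finding("F5", 9.1, 5, False),
]


def priority_band(cvss: float) -> int:
    """Map a CVSS v3.x base score to a band, 1 (Critical) .. 5 (None),
    using the standard qualitative severity ranges."""
    if cvss >= 9.0:
        return 1
    if cvss >= 7.0:
        return 2
    if cvss >= 4.0:
        return 3
    if cvss > 0.0:
        return 4
    return 5


# The naive models named in the text, each expressed as a sort key.
# Lower keys sort first; `submitted` breaks ties so the order is stable.
SIMPLE_MODELS: Dict[str, Callable[[Finding], object]] = {
    "cvss": lambda f: (-f.cvss, f.submitted),                           # highest score first
    "fifo": lambda f: f.submitted,                                      # oldest first
    "lifo": lambda f: -f.submitted,                                     # newest first
    "known": lambda f: (not f.externally_known, -f.cvss, f.submitted),  # public issues first
}


def rank(backlog: List[Finding], model: str) -> List[str]:
    """Return finding ids in fix order under one of the simple models."""
    return [f.id for f in sorted(backlog, key=SIMPLE_MODELS[model])]


def composite_key(f: Finding, known_bump: int = 1):
    """Assumed documented policy (an illustration, not Bugcrowd's framework):
    1. band the finding by CVSS severity;
    2. an externally known issue moves up `known_bump` bands, never above 1;
    3. within a band, the oldest submission is fixed first."""
    band = priority_band(f.cvss)
    if f.externally_known:
        band = max(1, band - known_bump)
    return (band, f.submitted)


def rank_composite(backlog: List[Finding], known_bump: int = 1) -> List[str]:
    """Return finding ids in fix order under the composite policy."""
    return [f.id for f in sorted(backlog, key=lambda f: composite_key(f, known_bump))]


if __name__ == "__main__":
    for name in SIMPLE_MODELS:
        print(f"{name:>9}: {rank(BACKLOG, name)}")
    print(f"composite: {rank_composite(BACKLOG)}")
```

Running it shows five different fix orders for the same five findings: pure CVSS puts F2 and F5 first and buries the publicly known F3 in third place, "known first" drags the low-impact F4 to second, and the composite policy keeps the criticals at the top while still pulling F3 into the first band. Changing `known_bump` is the kind of documented, reviewable adjustment the text calls for when the threat picture changes.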