FAQ

What is the registration procedure?

a) First, you must complete the registration form available at https://app.cyscope.io/signup/hacker.

b) Then, you will receive an email with instructions to sign the legal and confidentiality agreement on a specialized digital signature platform.

c) In addition, you must send the certificate of criminal record from your country of residence to [email protected].

d) Once both documents are received, CyScope will start a background check process that may require between five (5) and ten (10) working days. After this process, if you are approved, you will receive a confirmation e-mail and you will be invited to the Bug Bounty public and private programs that best fit your profile.

What kind of programs are available in CyScope?

a) Within our platform, hackers get access to public and private programs: a public program is addressed to the whole CyScope hacker community; a private program is reserved for a group of hackers pre-selected by their profile, experience or other parameters defined by the customer.


b) These programs can be considered in the category of Bug Bounty programs, as well as Pentest-as-a-Service (PTaaS).

What types of vulnerabilities can be rewarded on this platform?

The types of vulnerabilities that can be rewarded vary according to each program and the type of asset to be assessed. Some programs look for specific vulnerabilities, so please read the description of each program carefully.

What level of detail should a vulnerability report include?

a) A vulnerability report should be detailed and of a quality that allows the Triage team and the client to replicate the finding from the beginning to the end. In the “Step-by-step” section of a report you will have the option to upload text, images and/or videos.

 

b) The requirement for a complete report is that the “Step-by-Step” documentation allows the finding to be reproduced without any doubt.

 

c) A report should also include a good description of the vulnerability and the impact it could have on the business, as well as clear and precise countermeasures so that the affected company can apply the corresponding mitigations.

 

d) Each program may have its own particular requirements, so we recommend reading the description of the programs in detail.

 

e) For further information, please read our disclosure policy: https://cyscope.io/disclosure-policy/

What is the average turnaround time to review and validate submitted reports?

We work with an average turnaround time of ten (10) to fifteen (15) working days to review, reproduce, classify and validate a report. This timeframe includes a quarantine and review period in conjunction with the client.

How are duplicate reports of the same vulnerability handled?

a) Duplicate reports are marked as such, but still generate a score for the hacker. We do not want to discourage hackers from reporting vulnerabilities in CyScope.


b) The process for reviewing duplicate reports is based on looking for the affected targets / URLs / endpoints and their vulnerability. If a match is found, the date on which the vulnerability was originally reported will be communicated.


c) There are programs that contain specific policies about duplicate reports, some more strict than others, so we invite you to check these specifications in the description of each program.

a) Reports are reviewed by the Triage team and the client. The information entered will only be viewed by those directly involved.

Therefore, we suggest that you do not include sensitive information, only data that you are willing to share. For example, if a program does not provide credentials and there are suspicions about the origin of the accounts used, we will ask for clarification of their origin and possibly seek to validate the account.

 

b) When you sign up to the platform, you will be required to sign a legal and confidentiality agreement that aims to protect all parties involved. We invite you to read it in detail during the registration process. In addition, we recommend that you be familiar with the basics of cybercrime laws.

 

c) For further information, please read our confidentiality agreement: https://cyscope.io/confidentiality-agreement/

Can I publicly disclose my findings after reporting them?

a) No, information obtained from reports cannot be publicly disclosed. However, you are welcome to share your participation and reward achievements, taking care to conceal any sensitive information that references the CyScope team, the name of the program or the client.


b) For further information, please see our disclosure policy: https://cyscope.io/disclosure-policy/

How are rewards defined and what factors are considered?

a) The amount of rewards per level is defined by the client and may vary between programs and clients.

 

b) Rewards are calculated by assessing technical severity and business impact. This is done in collaboration with the customer on a case-by-case basis. We use the CVSS scoring system to define the grids of low, medium, high and critical, but note that this is accompanied by a joint review with the client to assess the impact of the vulnerability.

What payment methods are available and what is the process for receiving rewards?

a) If you are a participant with Chilean citizenship and a valid RUT, payment is made by bank transfer, after the generation of a Boleta de Honorarios at the Servicio de Impuestos Internos (SII).

 

b) If you are a participant from another country, the payment method is via PayPal.

 

c) To receive your rewards, it is necessary to keep your profile, bank details, personal ID, tax documentation and affidavit up to date. This will be requested by the administrative area of CyScope.

 

d) Payment of rewards is taxable. Please note that taxes will be deducted from the total amount of the invoice. The percentage of tax applied will depend on the recipient’s country of origin.

 

e) For more information regarding payment methods, please visit the tax and transfer fees section at https://cyscope.io/terms-and-conditions/.

What channels of communication exist, and do they offer any support or guidance?

a) You can send us an email at [email protected]. A member of the team will get back to you as soon as possible.

 

b) For questions and comments regarding a report, the official means of communication is the chat or comments area that we have in each particular report.

 

c) For more specific cases, you may be contacted directly by a member of the CyScope team. The domain of the email address used will be @cyscope.io.

What personal details does the client know about the hackers? Can I participate under a pseudonym?

a) You can participate with a pseudonym/nickname on the platform. We recommend using a nickname as, when dealing with customers, we always refer to users by their nickname. However, for the application and payment of rewards it is necessary to know the real identity of the participant.

 

b) Customers will only be aware of your nickname and the data that you have provided to them. There are instances where the customer may generate special, private programs that ask for personal information. If you are invited to one, we will notify you of the data requested by the customer, so that we know whether you are willing to share this information.

Is there an internal ranking and how are the scores calculated?

Yes, at CyScope we have an internal ranking to highlight the most active and successful bug hunters. Points are assigned according to the severity of reported vulnerabilities (low, medium, high and critical), and also take into account duplicate reports and other categories. Full details on the score calculation and ranking rules are available in the rules and scores section of our website.
