A quick update on our ranking point system

We have recently been questioned on how our ranking point system works and how report quality is evaluated.

Our system has evolved quite a lot since inception, and some new report quality rating features have been added.
Updated in Feb. 2021

Triaging

The first step of a bug report life cycle is being ( hopefully ) accepted as valid by the program owner, otherwise it is classified as invalid and receives an additional qualification that eventually can lead to a negative rating, as illustrated below:

How the YesWeHack ranking works

Note that a valid report can be triaged again as ” Informative ” or ” Won’t Fix ” after validation and before being accepted.

Accepted stage

Now that your shiny report has been accepted by the program owner, congratulations, you are now eligible for a reward.
But how are your ranking points calculated exactly?

a – Bounty

Depending on the bounty your report matches regarding the reward grid, you will be rewarded with ranking points :From 5 to 50 points
More informations here : FEBRUARY 2021 CHANGELOG

b – Quality rating

The program owner can also reward the quality of your report and attribute 1 to 5 additional ranking points.

c – CVSS scoring bonus

Again, the program owner can give you 1 additional point if your report CVSS scoring falls right.

As summed-up in this chart:

You get 7 additional points for a resolved bug, a big thank you.

The big picture.

Finally we’ve stitched it all inside a single graph for your convenience.

Is our ranking system clearer?

You can refer to our leader-board to discover the hunters top 100: YESWEHACK IVY LEAGUE