Frequently Asked Questions (FAQ)

Q: How much can I earn from working with you?
A: The amount paid to you depends on 2 different variables:

  • How widespread the software/hardware is; popular products typically reach higher amounts
  • How critical the vulnerability is. For example, if you find an unauthenticated arbitrary code execution vulnerability, you would be substantially paid higher than if you find Cross Site Scripting vulnerability

Q: What if I want to stay anonymous?
A: Fine by us! A lot of our researchers choose to stay anonymous!

Q: What is your policy regarding privacy and confidentiality of researcher’s information?
A: We take the privacy of researchers very seriously and does not disclose to any third party (including to customers) any personal information about researchers such as names, aliases, email addresses, bank details, or any other personal or confidential information.

Q: Which payment methods are available?

A: We support various payment methods? Wire transfer, PayPal (up to $2000), Bitcoin, Gift cards, etc

Q: What is the difference between SSD and Bug Bounties / other program?

  1. Money: We are willing to pay more than bug bounties programs
  2. If a vendor doesn’t have any bug bounty program – we will still acquire the vulnerability and report it to the vendor / our clients.
  3. We believe researchers need to get paid for their effort and we are willing to offer higher rewards for researchers. We give another option to researchers -“sell us your vulnerabilities and not to the black market”
  4. Bureacracy:
    • We will handle all the reporting process for you
    • We will publish your research

Q: How to submit my research?
A: Send us an email to – that’s easy!

Q: What is SSD community? How do I join?
A: We strongly believe in community, that’s why we establish closed community where we sponsor flights / commendations / conference entry / software licenses / hardware / workshops / courses etc to our researchers. You can join the community by start working with us! Report us your vulnerabilities and be part of our community!

Q: Where do you publish your vulnerabilities after you report them? We publish the reported vulnerabilities in:

  • Our blog – blogs.securiteam.com
  • Twitter – @SecuriTeam_SSD
  • Advisories
  • etc

Q: Can I publish the vulnerability in my own private blog after Beyond Security SecuriTeam Secure Disclosure (SSD) publishes a public advisory?
A: Of course! After the information is published – you can publish it where ever you want!