Finding Fresh Programs: New Scope Expansions, Acquisition Pivots, VDP-to-BBP Moves
The best bounty windows open when scope changes. Learn how to spot new scope, acquisition-driven expansions, and VDP programs transitioning to paid bounty before the rest of the platform sees the alert.
By Arjun Raghavan, Security & Systems Lead, BIPI · May 8, 2023 · 8 min read
Fresh scope is the easiest money in the industry
Most bugs in scope today were findable a year ago. The reason they are still there is that nobody looked at that specific asset. New scope changes that, and the first week of new scope is when duplicate rates drop to near zero.
Where new scope appears
- Program brief updates, watched via platform email or RSS where available.
- Acquisition announcements, where the acquired company's assets flow into scope over weeks.
- Product launches, where a new SaaS feature or domain joins the program quietly.
- Geographic expansion, where region-specific subdomains light up.
- Mobile app version bumps, where new SDKs and endpoints appear.
Acquisition pivots
When a large public bug bounty company acquires a smaller one, the smaller company's assets eventually join scope. That window between announcement and inclusion is the hunt period. Their assets are often less tested, their developers are often distracted by integration work, and security patching slows down.
- Track acquisition press releases for companies running public bug bounty programs.
- Identify the acquired company's domains and tech stack within a week of announcement.
- Hunt those assets aggressively in the gap before they enter formal scope.
- Submit findings under the parent program once scope updates, citing the acquisition.
VDP to BBP transitions
Vulnerability Disclosure Programs do not pay. Bug Bounty Programs do. When a VDP transitions to BBP, the same hunters who ignored the assets for years suddenly care. If you have been quietly hunting the VDP and stockpiling findings, you can submit a batch of valid bugs the day the program goes paid.
Signals that a VDP is going paid
- Program manager hiring posts, indicating budget and headcount growth.
- Increase in triage response times, indicating volume is rising.
- Public statements about security maturity, often a precursor to paid programs.
- Expansion of scope without expansion of payout, a transitional state.
Tracking fresh programs at scale
- Subscribe to platform announcement feeds and program update emails.
- Run a daily diff on the public program directories.
- Maintain a watchlist of companies likely to launch programs based on industry trends.
- Join hunter communities where program launches are shared minutes after they go public.
- Track CISO and Head of Security hires at large companies, which often precede programs.
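The daily directory diff and the VDP-to-BBP signal can be reduced to one script: keep yesterday's export of the program directory, pull today's, and report what changed. The code below is an added example, not code from the original post or from any bounty platform. The record format (a handle, a list of in-scope asset identifiers, and an `offers_bounties` flag) and the two snapshots are constructed for illustration; real exports from HackerOne, Bugcrowd, Intigriti or YesWeHack differ, so `load_snapshot` is the part you adapt. It goes beyond the list above by also reporting assets dropped from scope, which matters because testing a removed asset is testing out of scope.

```python
"""Scope-diff watcher: detect new programs, new or dropped assets and
VDP-to-BBP flips between two snapshots of a program directory.

Added example (not the post's or any platform's code). The snapshot
schema and the sample data below are assumptions made for illustration.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Constructed sample snapshots. In practice `yesterday` is the file saved
# by the previous run and `today` is a fresh pull of the directory.
YESTERDAY_JSON = """
[
  {"handle": "acme", "offers_bounties": true,
   "assets": ["*.acme.example", "api.acme.example"]},
  {"handle": "globex", "offers_bounties": false,
   "assets": ["www.globex.example"]}
]
"""
TODAY_JSON = """
[
  {"handle": "acme", "offers_bounties": true,
   "assets": ["*.acme.example", "api.acme.example", "shop.initech.example"]},
  {"handle": "globex", "offers_bounties": true,
   "assets": ["www.globex.example", "app.globex.example"]},
  {"handle": "umbrella", "offers_bounties": false,
   "assets": ["portal.umbrella.example"]}
]
"""


@dataclass
class ScopeDiff:
    new_programs: list[str] = field(default_factory=list)
    removed_programs: list[str] = field(default_factory=list)
    added_assets: dict[str, list[str]] = field(default_factory=dict)
    removed_assets: dict[str, list[str]] = field(default_factory=dict)
    went_paid: list[str] = field(default_factory=list)    # VDP -> BBP
    went_unpaid: list[str] = field(default_factory=list)  # BBP -> VDP


def load_snapshot(raw: str) -> dict[str, dict]:
    """Index a directory export by program handle (assumed schema)."""
    return {p["handle"]: p for p in json.loads(raw)}


def diff_snapshots(old: dict[str, dict], new: dict[str, dict]) -> ScopeDiff:
    """Compare two indexed snapshots and collect every change worth an alert."""
    d = ScopeDiff()
    d.new_programs = sorted(set(new) - set(old))
    d.removed_programs = sorted(set(old) - set(new))
    for handle in sorted(set(old) & set(new)):
        before, after = old[handle], new[handle]
        added = sorted(set(after["assets"]) - set(before["assets"]))
        removed = sorted(set(before["assets"]) - set(after["assets"]))
        if added:
            d.added_assets[handle] = added
        if removed:
            d.removed_assets[handle] = removed
        if not before["offers_bounties"] and after["offers_bounties"]:
            d.went_paid.append(handle)
        elif before["offers_bounties"] and not after["offers_bounties"]:
            d.went_unpaid.append(handle)
    return d


def render_alerts(d: ScopeDiff) -> list[str]:
    """One line per change, ordered so the most time-sensitive items come first."""
    lines = [f"PAID: {h} moved from VDP to bounty" for h in d.went_paid]
    lines += [f"NEW PROGRAM: {h}" for h in d.new_programs]
    for h, assets in d.added_assets.items():
        lines += [f"NEW SCOPE: {h} added {a}" for a in assets]
    for h, assets in d.removed_assets.items():
        lines += [f"DROPPED: {h} removed {a}" for a in assets]
    lines += [f"UNPAID: {h} stopped offering bounties" for h in d.went_unpaid]
    lines += [f"GONE: {h} left the directory" for h in d.removed_programs]
    return lines


if __name__ == "__main__":
    report = diff_snapshots(load_snapshot(YESTERDAY_JSON), load_snapshot(TODAY_JSON))
    print("\n".join(render_alerts(report)))
```

Run it from cron once a day and route the output to whatever channel you already watch; the ordering in `render_alerts` puts the VDP-to-BBP flip and brand-new programs at the top because those are the changes where hours matter.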
First mover discipline
When fresh scope drops, you have hours, not days. Have your recon stack ready, your test accounts pre-created where possible, and your report templates loaded. The hunter who can convert a finding into a submitted report in under two hours wins the first wave.
The bug bounty leaderboard is full of hunters who saw scope change first and moved fastest.
What not to do with fresh scope
- Do not submit half-formed reports just to claim first; your Signal will pay the price.
- Do not run aggressive automated scans that violate the rate limits in the brief.
- Do not skip the program brief; even on fresh scope the rules still apply.
- Do not share the new scope publicly until you have submitted your findings.
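The rate-limit rule above is easy to state and easy to break when a tool is pointed at fresh scope in a hurry. One way to make compliance mechanical is a token bucket in front of every request your tooling sends, sized from the numbers in the brief. This is an added example, not code from the original post; the limit values are illustrative, and the clock is injected so the policy can be checked without sleeping.

```python
"""Token-bucket throttle so automated checks stay within the rate limit a
program brief states.

Added example, not the post's code. Rate and burst values are assumptions;
read the real ones from the brief before running anything against scope.
"""
import time
from typing import Callable, List


class TokenBucket:
    def __init__(self, rate_per_sec: float, burst: int,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.rate = rate_per_sec      # sustained requests per second
        self.capacity = burst         # short burst allowed from idle
        self.tokens = float(burst)
        self.clock = clock
        self.last = clock()

    def _refill(self) -> None:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def try_acquire(self) -> bool:
        """Consume a token if one is available; never blocks."""
        self._refill()
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def wait_time(self) -> float:
        """Seconds until the next request would be allowed."""
        self._refill()
        if self.tokens >= 1.0:
            return 0.0
        return (1.0 - self.tokens) / self.rate


def simulate(rate_per_sec: float, burst: int, attempts: int, interval: float) -> List[bool]:
    """Drive a bucket with a fake clock: `attempts` requests spaced `interval` seconds apart.
    Returns, per attempt, whether the throttle let it through."""
    t = [0.0]
    bucket = TokenBucket(rate_per_sec, burst, clock=lambda: t[0])
    results = []
    for _ in range(attempts):
        results.append(bucket.try_acquire())
        t[0] += interval
    return results


if __name__ == "__main__":
    # Illustrative brief: "no more than 1 request/second, bursts of 3".
    # Six requests fired every half second: the first five pass, the sixth waits.
    print(simulate(rate_per_sec=1.0, burst=3, attempts=6, interval=0.5))
```

In a real tool, call `try_acquire()` before each request and `time.sleep(bucket.wait_time())` when it returns `False`; the bucket then enforces the brief's ceiling regardless of how many workers you run, which is the point of putting it in one shared object.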