BIPI
BIPI

Payout Negotiation and Severity Escalation Without Being Annoying

Cybersecurity

Severity disputes are won on evidence and tone. Learn how to escalate a calibration without crossing into bad faith, when to negotiate payout, and the words that work versus the words that get you flagged.

By Arjun Raghavan, Security & Systems Lead, BIPI · May 20, 2023 · 8 min read

#negotiation#severity#payout#bug-bounty#communication

Negotiation is a skill, not a fight

Most hunters never negotiate severity, and most who do, do it badly. The hunters who win calibration disputes share a small set of patterns. They use evidence, not emotion. They reference the program's own taxonomy. They give the triager a path to agree.

When to dispute

  • When the triager applied the wrong category from the program's taxonomy.
  • When new evidence extends the chain to a higher impact tier.
  • When the program brief contains a clause that overrides default calibration.
  • When a similar disclosed report on the same program was rated higher.

When not to dispute

  • When you feel the bug deserves more but cannot point to specific taxonomy text.
  • When the bug was already calibrated correctly and you want a higher payout anyway.
  • When the triager has explained their reasoning and you have no new evidence.
  • When you have already disputed once and lost, repeated disputes burn trust.

The words that work

  1. I want to share additional context that may affect calibration.
  2. Based on the program's severity model, this maps to category X because of Y.
  3. Here is an extended PoC showing impact beyond what the first report covered.
  4. Could you reconsider in light of this evidence, and let me know what else would help.

The words that flag you

Payout negotiation, the rare cases

Most platforms set payout via severity. You cannot negotiate the bounty independent of severity in most cases. The exception is programs with a payout range per tier, where you can request the upper end based on chain quality, exploitation depth, or unique impact.

How to ask for the upper range

  • Wait until severity is confirmed, do not bundle severity and payout in one ask.
  • Cite specific factors from the brief that justify the upper end.
  • Reference past payouts on the same program for similar findings, if disclosed.
  • Frame the ask as a question, not a demand.

When to walk away from a dispute

  1. After one back and forth where the triager has not moved.
  2. When continuing risks a code of conduct flag.
  3. When the time spent disputing exceeds the value of the disputed amount.
  4. When the program is small and the relationship matters more than the payout.

Escalation paths within platforms

Some platforms have mediation processes where a senior triager or platform staff reviews disputes. Use this only when you have exhausted reasonable back and forth, and only when you have strong evidence. Frivolous escalations are tracked and remembered.

Negotiate from evidence and respect, and you will win calibrations for years. Negotiate from ego and you will win one and lose a hundred.

The long game

Every dispute leaves a trail. Triagers remember who they disputed with last quarter, and that memory shapes how they handle your next report. Hunters who build a reputation for fair, evidence based disputes get the benefit of the doubt on close calls. That benefit is worth more than any single calibration win.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.