Run a structured bug bounty program. Accept vulnerability reports, triage by severity, track fixes, and manage reward payouts.
Submissions that don't meet criteria are marked as Rejected.
Vulnerabilities are classified using CVSS v4.0 scores mapped to four severity levels. Each level defines the response SLA, reward range, and escalation behavior.
| Severity | CVSS Range | Reward Range | Response SLA |
|---|---|---|---|
| Critical | 9.0 - 10.0 | $10,000 - $50,000 | 4 hours |
| High | 7.0 - 8.9 | $2,500 - $10,000 | 24 hours |
| Medium | 4.0 - 6.9 | $500 - $2,500 | 72 hours |
| Low | 0.1 - 3.9 | $100 - $500 | 7 days |
Critical Vulnerabilities
Critical-severity submissions trigger automatic escalation to your security team via PagerDuty, Slack, and email. Affected agents may be auto-suspended pending review if your workspace policy allows enforcement actions.
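As an added example (not DRD's own code), the severity table and its SLA clock encoded in TypeScript: a CVSS v4.0 score is mapped to one of the four tiers and the first-response deadline is derived from the submission time, which is what a triage dashboard or escalation job needs in order to tell whether a report is overdue. The type and function names are this example's own, treating a 0.0 score as unmapped is an assumption, and nothing here calls the DRD API.

```typescript
// Added example, not DRD's own code: encode the severity table and derive
// the first-response deadline that DRD reports in the "sla" field.
type Severity = "critical" | "high" | "medium" | "low";

interface SeverityTier {
  severity: Severity;
  minCvss: number;            // inclusive lower bound of the CVSS range column
  firstResponseHours: number; // "Response SLA" column expressed in hours
}

// Ordered from most to least severe so the first match wins.
const SEVERITY_TIERS: readonly SeverityTier[] = [
  { severity: "critical", minCvss: 9.0, firstResponseHours: 4 },
  { severity: "high", minCvss: 7.0, firstResponseHours: 24 },
  { severity: "medium", minCvss: 4.0, firstResponseHours: 72 },
  { severity: "low", minCvss: 0.1, firstResponseHours: 7 * 24 },
];

// CVSS base scores carry one decimal place; round to that precision first so
// boundary comparisons (8.9 vs 9.0) use the same precision as the score.
function normalizeCvss(score: number): number {
  if (!Number.isFinite(score) || score < 0 || score > 10) {
    throw new RangeError(`CVSS score out of range: ${score}`);
  }
  return Math.round(score * 10) / 10;
}

// A score of 0.0 is CVSS "None"; the table does not map it to a tier, so this
// example returns null and leaves it to the triage queue (assumption).
function severityForCvss(score: number): Severity | null {
  const s = normalizeCvss(score);
  return SEVERITY_TIERS.find((t) => s >= t.minCvss)?.severity ?? null;
}

function firstResponseHours(severity: Severity): number {
  return SEVERITY_TIERS.find((t) => t.severity === severity)!.firstResponseHours;
}

// Deadline for the first response, as an ISO-8601 UTC timestamp.
function firstResponseDeadline(submittedAt: string, severity: Severity): string {
  const submitted = new Date(submittedAt);
  if (Number.isNaN(submitted.getTime())) {
    throw new RangeError(`invalid submittedAt: ${submittedAt}`);
  }
  const ms = firstResponseHours(severity) * 60 * 60 * 1000;
  return new Date(submitted.getTime() + ms).toISOString();
}

// True once the first-response window has elapsed as of `now`; a job that
// drives escalation would poll this for every submission still "submitted".
function slaBreached(submittedAt: string, severity: Severity, now: string): boolean {
  const deadline = new Date(firstResponseDeadline(submittedAt, severity)).getTime();
  return new Date(now).getTime() > deadline;
}
```

Run against the sample submission later on this page (submitted 2026-02-14T09:00:00Z, CVSS 8.1), `severityForCvss` returns "high" and `firstResponseDeadline` returns 2026-02-15T09:00:00Z, matching the `sla.firstResponse` value in that response.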
Researchers submit vulnerabilities through the API with a structured report. DRD assigns a tracking ID, runs automated CVSS scoring, and routes the submission to the appropriate triage queue.
```json
{
  "title": "Prompt injection bypasses content filter in Agent XYZ",
  "description": "Using a multi-turn conversation with specific Unicode characters, the agent's content filter can be bypassed.",
  "severity": "high",
  "category": "prompt-injection",
  "affectedAgents": ["019agent-xyz-..."],
  "reproductionSteps": [
    "Register a conversation with Agent XYZ",
    "Send message containing \u202E followed by restricted prompt",
    "Agent responds with filtered content without triggering policy"
  ],
  "impact": "Allows bypass of content safety policies on production agents",
  "researcherEmail": "researcher@example.com"
}
```

Response:

```json
{
  "ok": true,
  "data": {
    "id": "019vuln-abcd-1234-...",
    "trackingId": "DRD-2026-0142",
    "severity": "high",
    "cvssScore": 8.1,
    "status": "submitted",
    "estimatedReward": { "min": 2500, "max": 10000, "currency": "USD" },
    "sla": {
      "firstResponse": "2026-02-15T09:00:00Z",
      "targetResolution": "2026-02-28T09:00:00Z"
    },
    "submittedAt": "2026-02-14T09:00:00Z"
  }
}
```

Each submission moves through a defined workflow. Status transitions are logged immutably and visible to both the researcher and the security team.
| Status | Description | Actor |
|---|---|---|
| submitted | Initial submission received, awaiting triage | Researcher |
| triaging | Security team is reviewing the report | Security Team |
| accepted | Vulnerability confirmed and validated | Security Team |
| duplicate | Previously reported vulnerability | Security Team |
| informational | Valid finding but not eligible for reward | Security Team |
| remediating | Fix in progress | Engineering |
| verification | Fix deployed, awaiting researcher verification | Researcher |
| resolved | Vulnerability patched and verified | Security Team |
| rewarded | Bounty payment issued | System |
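The workflow above as a small state machine, added here as an example and not DRD's own code. It enforces which transitions are legal and which actor role may perform each one, and it keeps an append-only, hash-chained transition log so that a record edited after the fact fails verification, which is one way to give "logged immutably" a concrete, checkable meaning. The actor for each transition is taken from the table's Actor column for the destination status, with two assumptions noted in the comments; the class and function names are this example's own.

```typescript
import { createHash } from "node:crypto";

// Added example, not DRD's own code: a state machine for the status table
// plus a hash-chained transition log.
type Status =
  | "submitted" | "triaging" | "accepted" | "duplicate" | "informational"
  | "remediating" | "verification" | "resolved" | "rewarded";
type Actor = "researcher" | "security-team" | "engineering" | "system";

// Legal transitions and the actor allowed to perform each one. The actor is
// the table's Actor column for the destination status, with two assumptions:
// engineering moves a submission into "verification" when the fix is deployed
// (the researcher then acts on it), and "submitted" may go straight to
// "accepted" because the review API's "accept" action does exactly that.
const TRANSITIONS: Record<Status, Partial<Record<Status, Actor>>> = {
  submitted: {
    triaging: "security-team", accepted: "security-team",
    duplicate: "security-team", informational: "security-team",
  },
  triaging: {
    accepted: "security-team", duplicate: "security-team", informational: "security-team",
  },
  accepted: { remediating: "engineering" },
  duplicate: {},      // terminal
  informational: {},  // terminal: valid finding, not rewardable
  remediating: { verification: "engineering" },
  verification: { resolved: "security-team" },
  resolved: { rewarded: "system" },
  rewarded: {},       // terminal
};

interface TransitionRecord {
  trackingId: string;
  from: Status;
  to: Status;
  actor: Actor;
  at: string;        // ISO-8601 timestamp
  prevHash: string;  // hash of the previous record, "" for the first one
  hash: string;
}

// Each record's hash covers its own fields and the previous hash, so changing
// any earlier record breaks every hash after it.
function recordHash(r: Omit<TransitionRecord, "hash">): string {
  return createHash("sha256")
    .update([r.prevHash, r.trackingId, r.from, r.to, r.actor, r.at].join("|"))
    .digest("hex");
}

class SubmissionLifecycle {
  private status: Status = "submitted";
  private readonly log: TransitionRecord[] = [];

  constructor(private readonly trackingId: string) {}

  get current(): Status { return this.status; }
  get history(): readonly TransitionRecord[] { return this.log; }

  // Apply a transition, or throw if the table forbids it or the actor lacks the role.
  transition(to: Status, actor: Actor, at: string): TransitionRecord {
    const allowed = TRANSITIONS[this.status][to];
    if (allowed === undefined) {
      throw new Error(`${this.trackingId}: no transition ${this.status} -> ${to}`);
    }
    if (allowed !== actor) {
      throw new Error(`${this.trackingId}: ${actor} may not move ${this.status} -> ${to}`);
    }
    const prevHash = this.log.length ? this.log[this.log.length - 1].hash : "";
    const body = { trackingId: this.trackingId, from: this.status, to, actor, at, prevHash };
    const rec: TransitionRecord = { ...body, hash: recordHash(body) };
    this.log.push(rec);
    this.status = to;
    return rec;
  }

  // Re-derive every hash and link; false means a record was altered after it was written.
  verifyLog(): boolean {
    let prev = "";
    for (const r of this.log) {
      if (r.prevHash !== prev || recordHash(r) !== r.hash) return false;
      prev = r.hash;
    }
    return true;
  }
}
```

In a real deployment the log would live in the database or an append-only store and the role check would come from the caller's authenticated identity; the point of the example is that the transition table, not the caller, decides what is legal.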
Security team members use the review API to triage submissions, update severity assessments, and transition submissions through the lifecycle.
```json
{
  "action": "accept",
  "adjustedSeverity": "critical",
  "adjustedCvss": 9.3,
  "internalNotes": "Confirmed: bypasses all content filters. Escalating to P0.",
  "assignTo": "019user-security-lead-...",
  "reward": 25000
}
```

Response:

```json
{
  "ok": true,
  "data": {
    "id": "019vuln-abcd-1234-...",
    "trackingId": "DRD-2026-0142",
    "status": "accepted",
    "severity": "critical",
    "cvssScore": 9.3,
    "reward": { "amount": 25000, "currency": "USD", "status": "pending" },
    "assignedTo": "019user-security-lead-...",
    "reviewedAt": "2026-02-14T11:30:00Z"
  }
}
```

Rewards are configured per workspace with customizable tiers. DRD supports automated payouts via Stripe Connect, wire transfer, or cryptocurrency wallets.
```json
{
  "tiers": {
    "critical": { "min": 10000, "max": 50000, "currency": "USD" },
    "high": { "min": 2500, "max": 10000, "currency": "USD" },
    "medium": { "min": 500, "max": 2500, "currency": "USD" },
    "low": { "min": 100, "max": 500, "currency": "USD" }
  },
  "bonuses": {
    "firstReport": 500,
    "exceptionalWriteup": 1000,
    "zeroDay": 5000
  },
  "payoutMethods": ["stripe", "wire", "crypto"],
  "autoPayoutThreshold": 2500
}
```

Automated Payouts
Submissions with rewards below the autoPayoutThreshold are paid automatically upon resolution. Higher rewards require manual approval from a workspace admin.
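An added example (not DRD's own code) of the checks a workspace would run when a reviewer sets a reward: the amount must fall inside the tier for the final severity, every bonus key must exist in the configuration, the payout method must be one the workspace enabled, and `autoPayoutThreshold` decides between automatic payout and admin approval. The configuration is the one shown above; that the threshold applies to the total including bonuses and that "below" is strict are assumptions, and the type and function names are this example's own.

```typescript
// Added example, not DRD's own code: validate a reviewer's reward against the
// workspace tiers and decide whether it pays out automatically.
type Severity = "critical" | "high" | "medium" | "low";
type PayoutMethod = "stripe" | "wire" | "crypto";

interface RewardRange { min: number; max: number; currency: string }
interface RewardConfig {
  tiers: Record<Severity, RewardRange>;
  bonuses: Record<string, number>;
  payoutMethods: PayoutMethod[];
  autoPayoutThreshold: number;
}

// The workspace configuration shown on this page.
const WORKSPACE_REWARDS: RewardConfig = {
  tiers: {
    critical: { min: 10000, max: 50000, currency: "USD" },
    high: { min: 2500, max: 10000, currency: "USD" },
    medium: { min: 500, max: 2500, currency: "USD" },
    low: { min: 100, max: 500, currency: "USD" },
  },
  bonuses: { firstReport: 500, exceptionalWriteup: 1000, zeroDay: 5000 },
  payoutMethods: ["stripe", "wire", "crypto"],
  autoPayoutThreshold: 2500,
};

interface PayoutDecision {
  base: number;
  bonuses: number;
  total: number;
  currency: string;
  method: PayoutMethod;
  autoPayout: boolean;  // true: paid on resolution without a human approving it
  approver: "workspace-admin" | null;
}

// Reject a reward outside the tier for the (possibly adjusted) severity, so a
// Low finding cannot be paid at Critical rates by mistake or by a compromised
// reviewer account.
function validateBaseReward(config: RewardConfig, severity: Severity, amount: number): RewardRange {
  const range = config.tiers[severity];
  if (!Number.isInteger(amount) || amount < range.min || amount > range.max) {
    throw new RangeError(
      `${severity} reward must be an integer in [${range.min}, ${range.max}], got ${amount}`,
    );
  }
  return range;
}

function decidePayout(
  config: RewardConfig,
  severity: Severity,
  base: number,
  bonusKeys: string[],
  method: PayoutMethod,
): PayoutDecision {
  const range = validateBaseReward(config, severity, base);
  if (!config.payoutMethods.includes(method)) {
    throw new Error(`payout method not enabled for this workspace: ${method}`);
  }
  let bonuses = 0;
  for (const key of bonusKeys) {
    // Own-property check so keys like "constructor" cannot pull a value off
    // Object.prototype and turn the total into NaN.
    if (!Object.prototype.hasOwnProperty.call(config.bonuses, key)) {
      throw new Error(`unknown bonus: ${key}`);
    }
    bonuses += config.bonuses[key];
  }
  const total = base + bonuses;
  // Assumption: "below the threshold" is strict and applies to the total
  // including bonuses; the page does not say which amount is compared.
  const autoPayout = total < config.autoPayoutThreshold;
  return {
    base, bonuses, total, currency: range.currency, method, autoPayout,
    approver: autoPayout ? null : "workspace-admin",
  };
}
```

With this configuration a Low finding at $300 plus the first-report bonus totals $800 and pays automatically, while the $25,000 Critical reward from the review example above is held for a workspace admin.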
DRD supports AI-specific vulnerability categories beyond traditional security issues. These categories help route submissions to the right team and inform severity scoring.
| Group | Category | Description |
|---|---|---|
| AI-Specific | prompt-injection | Direct or indirect prompt injection attacks |
| AI-Specific | model-extraction | Attempts to extract model weights or architecture |
| AI-Specific | training-poisoning | Attacks on training data integrity |
| AI-Specific | jailbreak | Bypassing safety guardrails or system prompts |
| AI-Specific | data-leakage | Unintended exposure of training data or PII |
| Infrastructure | auth-bypass | Authentication or authorization bypass |
| Infrastructure | api-abuse | Rate limit bypass or API misuse |
| Infrastructure | injection | SQL, NoSQL, or command injection |
| Infrastructure | ssrf | Server-side request forgery |
| Infrastructure | idor | Insecure direct object references |

Integrate the bug bounty workflow into your security toolchain with the DRD TypeScript SDK.
```typescript
import { DRDClient } from "@drd.io/sdk";

const drd = new DRDClient({ apiKey: process.env.DRD_API_KEY! });

// Submit a vulnerability
const submission = await drd.bounty.submit({
  title: "Prompt injection in content filter",
  severity: "high",
  category: "prompt-injection",
  affectedAgents: ["019agent-xyz-..."],
  reproductionSteps: ["Step 1...", "Step 2...", "Step 3..."],
  impact: "Bypasses content safety policies",
});

// Triage a submission (security team)
await drd.bounty.review(submission.id, {
  action: "accept",
  adjustedSeverity: "critical",
  reward: 25000,
});

// List open submissions
const open = await drd.bounty.list({
  status: ["submitted", "triaging"],
  severity: ["critical", "high"],
});
console.log(`Open critical/high submissions: ${open.length}`);
```