Life of a Reward

While the process of reporting a bug through our vulnerability reward program (VRP) seems simple (find a bug, report it, get money), it's somewhat more complex than that. Here's a sketch of some of our internal processes that might help clarify what we mean by "fixed but not verified" or "we found this when seeking for variants" and so on. Note that we get most of the value from the VRP when we conduct this variant and root cause analysis, so behind every "Nice catch!" we invest a lot of time to prevent the issue from happening again.