Payouts

How bounty payments move from acceptance to payout.

Developers set bounty tiers on each program. Researchers connect Stripe to receive payouts after a report is accepted.

Create hacker account See CVSS primer

Payout flow

1Developer accepts the reportThe developer confirms the vulnerability is valid and selects the severity that matches the program policy.
2Bounty amount is confirmedThe payout uses the bounty tier configured on the program at the time the report was submitted.
3Stripe Connect handles transferResearchers receive funds through their connected Stripe account, subject to Stripe availability and account checks.

What affects timing

Triage quality

Clear evidence and reproducible steps reduce back-and-forth and help developers make a faster decision.

Developer review

Some reports require engineering validation before acceptance, especially auth, billing, or data-access bugs.

Stripe requirements

Payouts can be delayed if the researcher has not completed Stripe onboarding or if Stripe needs more details.

Disputes

If a researcher and developer disagree about validity or severity, VibeBounty may review the report, evidence, program scope, and conversation history. The strongest dispute evidence is a clean reproduction path and a specific explanation of impact.