Bounties and Payouts
How to approve bounties, manage the disbursement pipeline, handle tax documents, and use the immutable financial ledger for SOC 2 evidence.
Why It Matters
Bounties and payouts require the VDP Add-on ($49/mo). They unlock the full disbursement pipeline, immutable financial ledger, and tax document management described on this page.
Getting payouts right is both a researcher-retention issue and a compliance obligation. Manual PayPal transfers without collecting W-8BEN (non-US) or W-9 (US) forms create direct IRS exposure for your company. Every payment to a researcher is a reportable taxable event, and the absence of tax documentation shifts the liability to you. Kit’s disbursement pipeline solves this by gating payouts behind a configurable readiness checklist that includes tax document verification.
The immutable financial ledger is the primary SOC 2 evidence artifact for your vulnerability disclosure program’s financial controls. Every bounty approval, every disbursement, and every tax document action is recorded with actor, timestamp, and amount. Auditors can verify the complete chain of custody from report resolution to payment confirmation in a single export.
Bounty Matrix
The bounty matrix maps CVSS severity tiers to dollar ranges. Configure it in VDP > Program Settings > Bounty Matrix. When a team member scores a report with a CVSS assessment, the suggested bounty range is automatically pulled from the matrix and pre-filled on the approval form.
Bounty ranges are displayed on your public disclosure policy page so researchers know what to expect before they submit. This transparency reduces disputes and sets clear expectations.
For recognition-only programs, leave all tiers at $0. Researchers will see “recognition only” on the policy page instead of dollar amounts.
See Configuring Your Program for full matrix configuration details.
Approving a Bounty
A report must be in Resolved or Fix Verified status before you can approve a bounty. Reports in earlier pipeline stages do not show the approval option.
To approve a bounty:
- Open the report detail page
- Click Approve Bounty
- Fill in the approval form
| Field | Required | Description |
|---|---|---|
| Amount | Yes | Bounty amount, pre-filled from the bounty matrix based on the report’s CVSS severity tier. |
| Currency | Yes | Defaults to USD. Must match your program’s configured currency. |
| Notes | No | Internal notes visible only to your team. Encrypted at rest. |
Approval requires explicit submission — no amount is committed until you save the form. On approval:
- A bounty_approved entry is appended to the immutable ledger
- The researcher is notified via the bounty_approved email template
Disbursement Pipeline
Navigate to VDP > Disbursements to see all pending payouts. Each row shows the researcher, linked report, approved amount, and payout readiness status.
Readiness Checklist
Before a disbursement can proceed, the researcher must satisfy a readiness checklist. All three items are configurable in your program’s payout settings:
- Payout info submitted — The researcher has entered their payment details (bank, PayPal, or other method) via The Researcher Portal
- Agreement accepted — The researcher has accepted your program’s participation agreement (if your program requires one)
- Tax document verified — The researcher’s W-8BEN or W-9 has been uploaded and verified by your team (if your program requires tax docs)
Items that are not enabled in your program settings are automatically marked as satisfied.
Processing a Payout
Kit does not execute wire transfers or payment API calls. Your team handles the actual money movement outside Kit (bank transfer, PayPal, crypto, etc.). Kit tracks the lifecycle:
- When all readiness items are satisfied, click Initiate to move the disbursement to Processing
- Execute the transfer through your payment provider
- Return to Kit and click Mark as Paid — enter the transaction reference (e.g., PayPal transaction ID, wire confirmation number)
- The disbursement moves to Completed and the report transitions to Paid
Disbursement Statuses
| Status | Meaning |
|---|---|
| Pending | Bounty approved; waiting for the researcher to satisfy the readiness checklist |
| Processing | Your team has initiated the transfer outside Kit |
| Completed | Funds confirmed received; transaction reference recorded |
| Failed | Transfer failed; resolve manually and retry or contact the researcher |
If a disbursement fails, the failure reason is logged in the ledger. You can re-initiate the disbursement after resolving the issue.
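The readiness checklist and the disbursement lifecycle above can be modelled as a small state machine. The following Python is an added illustration written for this page; it is not Kit's code, and the setting names (require_payout_info, require_agreement, require_tax_document), the Researcher and Disbursement classes and the helper functions are assumptions. It shows the two behaviours worth getting right: checklist items that are disabled in program settings count as satisfied, and a Failed disbursement can be re-initiated once the checklist still passes.

```python
"""Readiness checklist and disbursement lifecycle (Pending -> Processing ->
Completed / Failed), as described on this page. Added example, not Kit's
code; names of settings, classes and functions are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Status(str, Enum):
    PENDING = "pending"        # approved, waiting on the readiness checklist
    PROCESSING = "processing"  # transfer initiated outside Kit
    COMPLETED = "completed"    # funds confirmed, transaction reference recorded
    FAILED = "failed"          # transfer failed; may be re-initiated


# Program payout settings (constructed sample; key names are assumed).
PROGRAM_SETTINGS = {
    "require_payout_info": True,
    "require_agreement": False,
    "require_tax_document": True,
}


@dataclass
class Researcher:
    payout_info_submitted: bool = False
    agreement_accepted: bool = False
    tax_document_verified: bool = False


@dataclass
class Disbursement:
    researcher: Researcher
    amount_cents: int
    status: Status = Status.PENDING
    transaction_ref: Optional[str] = None
    failure_reason: Optional[str] = None
    history: List[str] = field(default_factory=list)  # ledger entry types emitted


def blocking_items(researcher: Researcher, settings: dict) -> List[str]:
    """Return the checklist items that are still unmet. An item that is not
    enabled in the program settings is treated as satisfied."""
    checks = {
        "payout_info_submitted": (settings["require_payout_info"], researcher.payout_info_submitted),
        "agreement_accepted": (settings["require_agreement"], researcher.agreement_accepted),
        "tax_document_verified": (settings["require_tax_document"], researcher.tax_document_verified),
    }
    return [name for name, (required, done) in checks.items() if required and not done]


def initiate(d: Disbursement, settings: dict) -> None:
    """Pending or Failed -> Processing, only when the checklist is fully satisfied."""
    if d.status not in (Status.PENDING, Status.FAILED):
        raise ValueError(f"cannot initiate from status {d.status.value}")
    blocked = blocking_items(d.researcher, settings)
    if blocked:
        raise ValueError("readiness checklist unmet: " + ", ".join(blocked))
    d.status = Status.PROCESSING
    d.failure_reason = None
    d.history.append("disbursement_initiated")


def mark_paid(d: Disbursement, transaction_ref: str) -> None:
    """Processing -> Completed. The transaction reference is mandatory."""
    if d.status is not Status.PROCESSING:
        raise ValueError(f"cannot mark paid from status {d.status.value}")
    if not transaction_ref.strip():
        raise ValueError("transaction reference is required")
    d.status = Status.COMPLETED
    d.transaction_ref = transaction_ref
    d.history.append("disbursement_completed")


def mark_failed(d: Disbursement, reason: str) -> None:
    """Processing -> Failed, recording the reason for the ledger."""
    if d.status is not Status.PROCESSING:
        raise ValueError(f"cannot mark failed from status {d.status.value}")
    d.status = Status.FAILED
    d.failure_reason = reason
    d.history.append("disbursement_failed")


def demo() -> Disbursement:
    """Walk one disbursement through a blocked attempt, a failure and a retry."""
    r = Researcher(payout_info_submitted=True)  # tax document not yet verified
    d = Disbursement(researcher=r, amount_cents=150_000)
    try:
        initiate(d, PROGRAM_SETTINGS)
    except ValueError:
        pass  # blocked: tax_document_verified is required but unmet
    r.tax_document_verified = True
    initiate(d, PROGRAM_SETTINGS)
    mark_failed(d, "bank rejected account number (constructed reason)")
    initiate(d, PROGRAM_SETTINGS)  # re-initiate after resolving the issue
    mark_paid(d, "PAYPAL-TXN-EXAMPLE-0001")  # placeholder reference
    return d


if __name__ == "__main__":
    print(demo())
```

Because the state transitions live in three small functions with explicit guards, the "Mark as Paid without a reference" and "initiate while the checklist is unmet" cases both fail closed, which is the property an auditor reviewing the payout control will ask about.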
Tax Documents
Researchers upload tax documents through their portal. US-based researchers submit a W-9; non-US researchers submit a W-8BEN. Documents are stored with encryption at rest.
Your team reviews uploaded documents in VDP > Tax Documents:
| Status | Action |
|---|---|
| Pending | Document uploaded, awaiting your review |
| Verified | You have confirmed the document is valid — the readiness item is satisfied |
| Rejected | You have rejected the document — the researcher is notified and can re-upload |
Both verification and rejection are recorded in the ledger for audit purposes. Tax document events are linked to the researcher’s most recent bounty-awarded report for ledger context.
The Ledger
Navigate to VDP > Ledger to view the immutable financial audit trail. The ledger is append-only: entries cannot be edited, modified, or deleted.
Each entry records:
- Entry type — What happened
- Amount — Dollar amount in cents and currency
- Actor — The team member or system that performed the action
- Timestamp — When the entry was created
- Report reference — The linked vulnerability report
The entry type is one of the following:
| Entry Type | When It’s Created |
|---|---|
| bounty_approved | A team member approves a bounty amount for a resolved report |
| bounty_adjusted | A team member corrects the bounty amount before payment is sent |
| disbursement_initiated | A team member moves the disbursement to Processing |
| disbursement_completed | A team member marks the disbursement as Paid with a transaction reference |
| disbursement_failed | A disbursement is marked as failed with a reason |
| tax_document_submitted | A researcher uploads a W-8BEN or W-9 document |
| tax_document_verified | A team member verifies a tax document as valid |
Filter the ledger by report ID, entry type, or date range to narrow down results. Use the ledger export in Metrics and Exports to generate SOC 2 evidence packages.
Ledger Integrity
A daily integrity check runs automatically to verify ledger consistency. It checks for:
- Bounty awards that have no corresponding bounty_approved ledger entry
- Completed disbursements that have no corresponding disbursement_completed ledger entry
- Orphaned entries referencing deleted or missing records
If a mismatch is detected, an alert email is sent to account admins. Contact support if you receive a ledger integrity alert — do not attempt to resolve discrepancies manually.
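To make the ledger model and the three integrity checks concrete, here is an added Python illustration covering both the entry types listed under The Ledger and the mismatch classes above. It is not Kit's code; the LedgerEntry and Ledger shapes, the integrity_check function and the sample report IDs are assumptions constructed for the example.

```python
"""Append-only financial ledger with the page's seven entry types, plus the
three consistency checks the daily integrity job performs. Added example,
not Kit's code; record shapes, function names and sample IDs are assumed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

ENTRY_TYPES = {
    "bounty_approved", "bounty_adjusted",
    "disbursement_initiated", "disbursement_completed", "disbursement_failed",
    "tax_document_submitted", "tax_document_verified",
}


@dataclass(frozen=True)  # frozen: an entry cannot be modified after creation
class LedgerEntry:
    entry_type: str
    amount_cents: int     # amount in cents, as the page specifies
    currency: str
    actor: str            # team member or system that performed the action
    timestamp: str        # ISO-8601 UTC
    report_id: str        # linked vulnerability report


class Ledger:
    """Append-only by construction: there is no update or delete method."""

    def __init__(self) -> None:
        self._entries = []

    def append(self, entry_type: str, amount_cents: int, currency: str,
               actor: str, report_id: str, timestamp: Optional[str] = None) -> LedgerEntry:
        if entry_type not in ENTRY_TYPES:
            raise ValueError(f"unknown entry type {entry_type!r}")
        entry = LedgerEntry(entry_type, amount_cents, currency, actor,
                            timestamp or datetime.now(timezone.utc).isoformat(), report_id)
        self._entries.append(entry)
        return entry

    def entries(self, entry_type: Optional[str] = None,
                report_id: Optional[str] = None) -> List[LedgerEntry]:
        """Filter by entry type and/or report ID, mirroring the ledger view."""
        return [e for e in self._entries
                if (entry_type is None or e.entry_type == entry_type)
                and (report_id is None or e.report_id == report_id)]


def integrity_check(ledger: Ledger, bounty_awards: Iterable[str],
                    completed_disbursements: Iterable[str],
                    existing_reports: Iterable[str]) -> Dict[str, List[str]]:
    """Return the report IDs involved in each of the three mismatch classes.
    An empty list everywhere means the ledger is consistent."""
    approved = {e.report_id for e in ledger.entries("bounty_approved")}
    completed = {e.report_id for e in ledger.entries("disbursement_completed")}
    existing = set(existing_reports)
    return {
        "awards_without_approval_entry": sorted(set(bounty_awards) - approved),
        "completions_without_entry": sorted(set(completed_disbursements) - completed),
        "orphaned_entries": sorted({e.report_id for e in ledger.entries()
                                    if e.report_id not in existing}),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed sample: one clean report and one example of each mismatch."""
    ledger = Ledger()
    ledger.append("bounty_approved", 150_000, "USD", "alice@example.com", "RPT-1001")
    ledger.append("disbursement_initiated", 150_000, "USD", "alice@example.com", "RPT-1001")
    ledger.append("disbursement_completed", 150_000, "USD", "alice@example.com", "RPT-1001")
    ledger.append("tax_document_verified", 0, "USD", "bob@example.com", "RPT-1001")
    # RPT-9999 was deleted after approval, so its entry is orphaned.
    ledger.append("bounty_approved", 50_000, "USD", "alice@example.com", "RPT-9999")

    bounty_awards = ["RPT-1001", "RPT-1002"]            # RPT-1002 has no ledger entry
    completed_disbursements = ["RPT-1001", "RPT-1003"]  # RPT-1003 has no ledger entry
    existing_reports = ["RPT-1001", "RPT-1002", "RPT-1003"]
    return integrity_check(ledger, bounty_awards, completed_disbursements, existing_reports)


if __name__ == "__main__":
    for check, ids in demo().items():
        print(f"{check}: {ids or 'ok'}")
```

The check compares the ledger against the application's own records of awards, disbursements and reports, so any of the three mismatches indicates that a financial action happened without its audit entry, or that an entry survived the deletion of its report; both are the conditions that should page an admin rather than be corrected by hand.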
Quick Checklist
- Configure bounty matrix tiers with appropriate min/max ranges for your risk tolerance
- Set payout readiness requirements (tax docs, agreement) in your program’s payout settings
- Communicate bounty ranges on your disclosure policy page before researchers submit
- Check the Disbursements queue weekly for pending payouts
- Review and verify uploaded tax documents promptly to unblock researcher payments
- Export the ledger quarterly as SOC 2 evidence via Metrics and Exports
Next Steps
- Metrics and Exports — dashboard KPIs, SOC 2 evidence exports, and researcher karma
- The Researcher Portal — how researchers submit payout info and tax documents