You stay up half the night, finally land a bug, write a clean report… and it comes back as P4 — Low. Small payout, if any. Then another report gets labeled P5 — Informational and earns exactly zero.

It's easy to blame luck or triagers. But on Bugcrowd, there's a clear system behind this:

  • VRP — Vulnerability Rewards Program
  • VRT — Vulnerability Rating Taxonomy

VRP decides who pays you, on what, and roughly how much. VRT decides how severe your bug looks on their P1–P5 scale.

Understand these two, and those "why is this P4/P5?" moments start to hurt a lot less.

VRP: The Rules and Rewards Layer

A Vulnerability Rewards Program (VRP) is basically the deal between you and the company:

"Hack within these boundaries, follow these rules, report responsibly — and we'll reward you."

On Bugcrowd, this shows up as:

  • Bug Bounty Programs — pay bounties for valid, in‑scope bugs.
  • Vulnerability Disclosure Programs (VDP) — give you a safe channel to report, sometimes without cash but with legal protection and recognition.

A VRP defines:

  • What's in scope and out of scope
  • What's allowed and not allowed
  • Reward ranges for each severity (P1, P2, P3, P4)

So VRP is the money map: it tells you where bounties exist and what different severities are worth.

VRT: The Severity Ruler (P1–P5)

The Vulnerability Rating Taxonomy (VRT) is Bugcrowd's way of saying:

"This type of bug is usually this severe."

VRT gives each vuln a baseline priority:

  • P1 — Critical
  • P2 — High
  • P3 — Medium
  • P4 — Low
  • P5 — Informational

It aligns customers and researchers on what "critical", "low", or "informational" actually mean, using a structured view of common vulnerability types.

Your report's final priority comes from:

  • The bug type (as defined in VRT)
  • The real impact on that specific app
  • The program's own risk appetite

Once that priority is set, the VRP reward table kicks in.

P4 vs P5: Where "Low" Turns Into "Just Informational"

This is where most hunters feel the pain.

P4 — Low

P4 — Low is a minor security issue, but still a real vulnerability.

In practice:

  • There is a security issue, but the impact is limited.
  • Exploitation might be narrow or hard to chain.
  • Many programs still pay small bounties or at least give points for P4s.

P4 is basically:

"Yes, this is a vuln — but it's minor, so expect a modest reward."

P5 — Informational

P5 — Informational is usually where things stop being rewarding.

Key points:

  • Little to no meaningful security impact.
  • Often treated as "accepted business risk" or noise.
  • Many platforms move P5 findings straight into an informational or "won't fix" state, unless the company explicitly wants to track them.

Examples:

  • Non‑sensitive debug information with no clear attack path.
  • "Weird but intended" functionality that doesn't help an attacker.
  • Extremely theoretical issues with no realistic exploitation.

In other words:

"Interesting observation, but not something we pay for."

How to Use This as a Hunter

Knowing the VRP + VRT game changes how you hunt:

  • Before hacking
      • Check the VRP reward table for how they pay P1–P4.
      • Glance at VRT to see which bug classes tend to rate higher.
  • While testing
      • Push hard on things that smell like P1/P2 (account takeover, serious auth bypass, critical injections).
      • Treat obvious P4s as "small but okay" finds.
      • Don't sink hours into something that clearly lives in P5 land.
  • When reporting
      • Tell a clear impact story: who is affected, what changes for an attacker, and why it's more than "just informational".

A clear narrative can be the difference between "P5 — Informational" and at least a P4‑level acceptance.

VRP tells you where the money is; VRT — especially the line between P4 and P5 — tells you which bugs are worth your late nights and which ones are better left as notes in your own lab.