Understanding Bounty Loss & Potential Loss

Last updated: November 10, 2025

At Astra, we display Bounty Loss or Potential Loss estimates alongside certain vulnerabilities in your dashboard. These numbers are designed to give you a real-world reference for the potential monetary impact of a vulnerability if it were found and reported through a public bug bounty program.

What these terms mean

  • Bounty Loss:
    This value represents an estimated reward (in USD) that would typically be paid out to a security researcher if a vulnerability of this type were discovered and responsibly disclosed through a public bug bounty program (e.g., HackerOne or Bugcrowd).

  • Potential Loss:
    In some cases, where comparable public data is unavailable or incomplete, we show a Potential Loss instead. This reflects a broader estimate based on the severity and exploitability of the issue, using known data from similar vulnerability categories.

How we calculate these estimates

Our system references publicly disclosed bug bounty reports from trusted platforms such as:

  • HackerOne

  • Bugcrowd

  • Other open vulnerability disclosure archives

For each vulnerability, we identify similar reports (based on type, context, and impact) and derive an indicative payout range. The reference link to the specific report is shown in the vulnerability details sheet in your Astra dashboard.

Occasionally, bug bounty platforms may make previously public reports private or remove payout details. In such cases, the associated data may no longer be visible. If you need alternative references or verification, our support team can help provide additional examples.

When bounty information is not available

In some cases, there may be no publicly available bounty data for a specific vulnerability type - for example, when similar reports have not been disclosed, have been made private by the platform, or lack payout information.

When this happens, Astra assigns a Potential Loss value instead of a direct Bounty Loss.

This Potential Loss is an estimated dollar value based on:

  • The severity and exploitability of the vulnerability,

  • Historical averages from similar vulnerability categories, and

  • The impact surface (e.g., data exposure, authentication bypass, service disruption).

While this number provides a monetary frame of reference, it is not derived from a specific bug bounty report. Instead, it helps illustrate the relative impact such an issue could have if discovered under a public bounty program.

Important disclaimers

  • The Bounty Loss/Potential Loss value is indicative only. It should not be treated as a definitive figure or as an actual financial loss estimate.

  • Actual bounty payouts vary based on:

    • The specific scope and policies of the affected organization’s program

    • The impact and exploitability of the vulnerability in that environment

    • The timing and uniqueness of the discovery

  • These estimates are intended as a reference point, to help you understand the market perception and severity of the vulnerability class.

Who receives the bounty?

In public bug bounty programs, bounties are paid to individual security researchers who responsibly disclose valid vulnerabilities to the affected organization.

Astra does not participate in or facilitate bounty payouts - the Bounty Loss/Potential Loss metric is provided purely for informational purposes.