Best Practices For Designing Policy

A bug bounty policy is a document that outlines the rules, rewards, and expectations of a bug bounty program. It is typically created by an organization or company to encourage ethical hackers and security researchers to identify and report vulnerabilities in their software or web applications.

The policy typically includes information such as the scope of the program (what assets or systems are in-scope and out-of-scope), the types of vulnerabilities that are eligible for rewards, the rewards offered for different types of vulnerabilities, and the process for submitting and validating reports.

It also includes details such as the rules of engagement, how and when rewards will be paid, and the process for disclosing vulnerabilities. A bug bounty policy is an important document: it sets the tone and rules for the program and helps to attract and retain top hackers.

Here are some best practices for writing a good program policy for a bug bounty platform:

  1. Be clear and concise: A good program policy should be easy for hackers to read and understand, leaving no doubt about what is in scope, what is out of scope, and what rewards they can expect for different types of vulnerabilities.

  2. Define scope clearly: Clearly define the scope of your program, including in-scope and out-of-scope assets and vulnerabilities. This will help hackers focus their efforts on the areas of the application that are most important to your organization.

  3. Reward system: Clearly define your reward system, including the types of rewards offered, the criteria for earning rewards, and the process for submitting and validating reports.

  4. Communication: Clearly communicate your program policy to all potential hackers, and make sure that they understand the rules and expectations.

  5. Policy review: Regularly review and update your program policy to reflect changes in the threat landscape and the evolving needs of your organization.

  6. Be fair and consistent: Be fair and consistent in your rewards and be transparent about the criteria for earning them.

  7. Be transparent with hackers: Transparently communicate your decision-making process regarding triaging, validating, and rewarding reports.

  8. Be open to feedback and suggestions: Be open to feedback and suggestions from hackers to improve your program and policy.

By following these best practices, you can create a program policy that is clear, fair, and effective in incentivizing hackers to find and report vulnerabilities in your application.