After having run or been a part of dozens
of bug bounty programs, I can tell you that
the experience and value derived from
them heavily depends on taking a moment
to assess where you’re at today.
An initial self-assessment is critical to ensure you don’t jump off the deep end too
early. Launching a program without this assessment can actually make things worse!
Not to worry, though; to help you determine where you’re at and what type of program
best suits your needs, we’ve created an assessment questionnaire. It only takes a few
minutes to fill out, and trust me – it’s worth it.
When it comes to working with hackers, there are a few different
options. The assessment questionnaire will help you gauge
which is best for you. What are these options, you ask?
One of the biggest distinctions is whether or not you offer monetary rewards,
or “bounties,” to hackers outside of your organization that report valid security
flaws to you. Many organizations start off without bounties, with what’s called a
vulnerability disclosure program (VDP). In a bug bounty program (BBP), the
stakes are a bit higher, as you offer varying monetary rewards for issues identified
and reported to you. Another factor is time; some choose to start with a pilot
program to test the waters, which can last anywhere from a month to a year.
This guide is about running a bug bounty program, but the HackerOne platform
can also be used for vulnerability disclosure programs and crowdsourced
pen testing. You can even start off with buying just a single vulnerability!
Some HackerOne customers leverage time-bound
pilot programs in lieu of a pen test. This is another
great way to dip your toe into bug bounties.
We encourage our customers to run the bug
bounty program that works best for them. Whether
private or public, time-bound versus ongoing, a
program offering cash bounties or sticking to swag
only – we work together to create the best blend
for your organization and will grow with you.
Alright… now let’s begin our journey into bountyland!
This is the most important step in any bug bounty
initiative. As mentioned earlier, it’s tempting to
jump straight off the deep end, but whether or not
you do a bit of prep work can make or break your
experience. Organizations that hit all the right notes
get amazing ongoing value out of their program.
Those who don’t can end up getting burned