Learnings from a two-year security bug bounty program

I will share learnings from running a security bug bounty program for two years.

A security bug bounty program is a collaborative agreement in which white-hat hackers search for vulnerabilities in your software or platform, report them to you, and in return receive a bounty reward.

Trustpilot, the company I work for, started such a program two years ago to improve the security of its products. There are many unknowns and open questions both before starting and while running such a program, such as:

-“How to decide what’s in the scope of testing for vulnerabilities?”

-“How to decide the value of the bounties paid?”

-“How to integrate it in our existing engineering practices?”

-And a bonus one: “How to make our program appealing for hackers?”

We had all these questions and many more, and now we are ready to share our learnings and our approaches. Learn about:

-the prerequisites needed to start such a program,

-main challenges,

-resources needed,

-success factors,

-relevant metrics,

-awareness and engagement among Engineers and other parties involved,

-establishing engagement among hackers.

