I will share learnings after running a security bug bounty program for 2 years.
A security bug bounty program refers to a collaborative agreement where white hat hackers search for vulnerabilities in your software/platform, report the vulnerabilities to you and in return you pay a bounty reward.
Trustpilot, the company I work for, started such a program 2 years ago, motivated to enhance the security of its products. There are many unknowns and many questions before starting and while running such a program, like:
-“How to decide what’s in the scope of testing for vulnerabilities?”
-“How to decide the value of the bounties paid?”
-“How to integrate it in our existing engineering practices?”
-And a bonus one: “How to make our program appealing for hackers?”
We had all these questions and many more, and now we are ready to share our learnings and our approaches. Learn about:
-the prerequisites needed to start such a program,
-awareness and engagement among Engineers and other parties involved,
-establishing engagement among hackers.