A pragmatic guide to building your bug bounty program

Part 3: The value in building relationships with bug bounty reporters

Opening the door to bug bounty hunters with better findings

As you issue rewards for valuable bug bounty reports, you’ll start to see the same bug bounty reporters coming back with increasingly interesting findings. The quality of their reports will improve. Their proof of concept scripts will get a bit easier to understand (you’re learning how to work with them too!), and they’ll start to offer up early warning reports while they confirm the scope and impact.

Enter, Siddharth.

Siddharth is a college student from India, currently studying computer systems engineering. During COVID, he found himself unable to attend university and had a lot of time at home. He found application security (AppSec) and penetration testing interesting, and started teaching himself.

Conclusion

To wrap up this three-part series on setting up your bug bounty program:

  • Make sure you set clear bug bounty terms (internally and externally) from day one.
  • Set internal guidelines for how much you’re willing to pay for bugs of a given severity. It’s better to have these in place before the reports arrive.
  • Don’t waste time on beg bounties: automated response emails are your friend, and time is likely your most scarce resource.
  • Build relationships with the bug bounty hunters who are making an effort. Symbiotic relationships will have the best and most impactful results.
