Build Your Bounty Program - (Part 1)

Bounty programs have become popular in recent years, and many companies now run one.

A bounty program gives external parties (security researchers) a way to submit security reports, such as vulnerabilities or potential security issues, and pays a bounty to motivate researchers not to publish the report without warning, or even sell it on the darknet.

The program has advantages and disadvantages for the company: a traditional, conservative company is not comfortable exposing its security issues and considers this damaging to its image. On the other hand, a bounty program lets the company reduce the cost of training and/or hiring relevant personnel, and it can also make the company's products and services safer.

At this moment many platforms provide related services, such as Bugcrowd, HackerOne, Synack, and HITCON ZeroDay in Taiwan. These platforms provide a cloud service that connects the company with researchers and reduces the company's setup costs. But some companies are concerned about exposing sensitive information to a public cloud or a third-party company. In that case, building their own bounty program is an option.

You need to take the company's budget, resources and final goal into account before building your bounty program. For a start-up company, designing and implementing features is the top priority, and a bounty program is not a good option at that stage.

The following introduces several parts that need to be considered, based on experience establishing a bounty program:

  1. define the scope.

  2. design the mechanism and process.

  3. review and refine your program.