It is important to define the scope and parameters of your bug bounty program; this post provides a checklist for success.
If your information security team recommends instituting a “bug bounty program,” they are not advocating that you unleash hordes of hackers on your Internet-facing infrastructure. Rather, they are suggesting a modern method of engaging external, professional security researchers to help reduce information security risk.
While the goal of a bug bounty program is to put “more eyes and hands on the information security keyboard” in order to identify and report bugs and vulnerabilities quickly and cost-effectively, its success depends on several factors.
In this second of two podcasts on bug bounty programs for our Advice Worth Keeping podcast series, I sat down to discuss: