HACKER Q&A
📣 throwaway29348

Should an early stage startup pay for a bug bounty platform (HackerOne)?


Our product stores personal information like bank account details and ID uploads so we're worried about an eventual data leak. While we think we're storing everything securely, a data leak would be disastrous given the kind of data we are storing.

We looked into a platform like HackerOne but were quoted 60-70K per year to run a bug bounty program. Since we're new and our profits are still small, our budget is closer to 10% of that.

What are our options for a security audit? Is this even something worth pursuing when we're still deciding whether we have product-market fit?


  👤 mtmail Accepted Answer ✓
Add yourself to the https://hackerone.com/directory/programs, that's free afaik. You won't get the 'managed' badge. And have a bug-bounty page on your website. There are specialized search engines looking for those. Add a https://securitytxt.org/ if you haven't already.

I know a startup listed there and they get regularly approached by security researchers. Some only run generic test suites, e.g. port scans, whether signing up with Unicode usernames causes errors, cross-site scripting, but it will still be valuable. And a cross-site scripting bug has bounties of 100 USD or less.

Via a recent Show HN submission I got a security scan by https://www.cybersenshi.com/ which I think was comprehensive.


👤 TheCrott
A security audit can be expensive depending on size and app complexity. From what I saw, it starts from $3k.

I think it's better to make a one-page site with the details: scope, rewards, etc. Here is a good example: https://bugbounty.linecorp.com/en/


👤 detaro
Invest into having a functional process to receive and handle security reports, and having the appropriate information published first. That's way more important than having an account with some bounty platform.

And bounty platforms aren't a security audit. If you want an audit, buy an audit by someone who gets access to your code and can review your internal setup.
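mtmail's suggestion to publish a security.txt and detaro's point about having the disclosure information in place before anything else both come down to one small file at `/.well-known/security.txt`. The following is an added example, not code from the thread or from securitytxt.org: it renders a minimal RFC 9116 file and checks the two required fields (Contact, Expires) before you publish it; the placeholder domain and the helper names are my own.

```python
"""Generate and validate a security.txt (RFC 9116) for /.well-known/security.txt.
Added example; the helpers and the placeholder domain are constructed here,
not taken from the thread or from securitytxt.org."""
from datetime import datetime, timedelta, timezone

# RFC 9116 requires Contact values to be URIs; these are the common schemes.
ALLOWED_SCHEMES = ("https://", "mailto:", "tel:")

def render_security_txt(contacts, policy_url, days_valid=180, now=None):
    """Build the file body; Expires is set days_valid days from now (UTC)."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=days_valid)).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = ["# Vulnerability disclosure contact, see https://securitytxt.org/"]
    lines += [f"Contact: {c}" for c in contacts]
    lines += [f"Expires: {expires}", f"Policy: {policy_url}", "Preferred-Languages: en"]
    return "\n".join(lines) + "\n"

def parse_security_txt(text):
    """Return {field-name-lowercased: [values]}, skipping comments and blank lines."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes the checks."""
    now = now or datetime.now(timezone.utc)
    f, problems = parse_security_txt(text), []
    contacts = f.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    problems += [f"Contact must be an https/mailto/tel URI: {c}"
                 for c in contacts if not c.startswith(ALLOWED_SCHEMES)]
    expires = f.get("expires", [])
    if len(expires) != 1:
        return problems + ["Expires must appear exactly once"]
    try:
        exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    except ValueError:
        return problems + [f"Expires is not an ISO 8601 timestamp: {expires[0]}"]
    if exp <= now:
        problems.append("Expires is in the past; researchers will treat the file as stale")
    elif exp - now > timedelta(days=366):
        problems.append("Expires is more than a year out; RFC 9116 recommends under a year")
    return problems
```

Serve the rendered body over HTTPS at `/.well-known/security.txt` and re-run the check from a cron job or CI so an expired file is caught before researchers see it.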