HACKER Q&A
📣 _rami_

Bug bounty program as a small company


Has anyone successfully run a (security) bug bounty program for a small company (~15 people) before?

We expect to receive ~20 reports a year and given the quality of reports we receive by email so far we'd expect to pay out 2-3 actual bounties per year. On that scale, paying $30k to HackerOne is completely disproportionate and even smaller platforms like hacktrophy and yeswehack would cause us to pay a sh*tload of money to the platform compared to how much we would use it.

However, not using a platform would require us to handle payouts ourselves and paying money to strangers across the world without screwing up taxes is hard (we're based in Germany).

Does anyone know if there's a middle ground between these approaches?


  👤 sigmaprimus Accepted Answer ✓
Maybe a freelancer site? If you were to provide the specifics and bounty offered I think it would be a simple matter to process payouts through one of these sites.

E.g. Fiverr

Here is a startup listed on YC companies page

https://www.ycombinator.com/companies/pangea-app


👤 mytailorisrich
For 2-3 payouts a year I'm sure why it would be difficult to handle them manually. I don't know Germany but it does not sound like a tax headache, either (I suspect it's like paying a lawyer or plumber bill).