As a vendor or developer, what's your experience with bug bounties?

Question

I've been involved in various bug bounty programs from the researchers side, but I've never sat on the other side of the table and been the one receiving the reports. So for those who have, I'm interested to know how your experience has been.Have you found the programs to be beneficial and useful overall? Do you get enough high-quality engagement to make up for the time taken up by junk reports? Is it feasible to do your own triage, or have you had to outsource that?And most importantly: would you recommend that other organisations sign up to a bug bounty program, and if so, what advice would you give them?

wifipunk · Accepted Answer

At my past company we for sure found our bug bounty program to be beneficial, but it was pretty common for us to get poorly documented submissions on the daily. The key is to set clear guidelines so you don't get overwhelmed with low-quality reports.If I could recommend anything to an org trying to build out a bounty program it would be to invest in a robust triage system rather than building your own. While building your own might seem cost-effective, the long-term maintenance and updates can become a hassle and a good triage system streamlines the process so you can focus on fixing vulnerabilities.