For Organisations

This section is written for security teams, CISOs, and anyone responsible for standing up or running a vulnerability disclosure or bug bounty program. The advice here comes from both sides of the table -- running programs and submitting to them.

The pages below follow the order you'd actually go through when building a program from scratch.

Sections

1. Starting a Program

VDP vs BBP, the maturity spectrum, when to skip VDP, private before public, and when you're ready to launch.

2. Scoping a Program

Domains, IP ranges, third-party services, mobile apps, vulnerability class exclusions, and rules of engagement.

3. Choosing a Platform

HackerOne, Bugcrowd, Intigriti, and when self-hosting makes sense. What actually matters when picking a platform.

4. Setting Bounty Tables

Pricing by severity, competitive benchmarking, common mistakes, and incentive structures that attract top researchers.

5. Researcher Relationships

Out-of-band communication, involving researchers in scope decisions, and retaining the people who find your hardest bugs.

6. The Business Case

Breach cost math, compliance signaling, pentest comparison, and what leadership actually wants to hear.

See Also

• Running a Bug Bounty Program -- The researcher's perspective on how programs work internally.
• Responsible Disclosure