Choosing a Platform
The three major platforms are HackerOne, Bugcrowd, and Intigriti. There are others (YesWeHack, Synack, etc.), but those three cover most of the market.
What Actually Matters
Researcher pool. HackerOne has the largest. Bugcrowd and Intigriti have strong pools in specific regions and verticals. If your targets are EU-focused, Intigriti's researcher base may be more relevant.
Triage services. All platforms offer managed triage, where their team handles initial report assessment. This is worth it if you don't have a dedicated security team member who can triage daily. It's expensive, but it's the difference between a program that works and one that drowns.
Integration. Can it push findings into your ticketing system (Jira, ServiceNow, etc.)? Can it integrate with your SIEM? The less manual work between "report validated" and "engineering ticket created," the faster your pipeline moves.
Cost. Platform fees vary. Some charge per report, some charge annual licensing, some take a percentage of bounties. Get quotes. The cheapest platform isn't always the cheapest total cost when you factor in triage services and integrations.
Self-Hosting
Some organisations, especially those with compliance or data sovereignty requirements, self-host their disclosure pipeline. This gives you full control over data, but you lose the built-in researcher pool, triage tools, and reputation system that platforms provide.
Self-hosting makes sense when:
- Regulatory requirements prevent using a third-party platform
- You have the engineering resources to build and maintain the tooling
- You already have an established researcher community through other channels
For most organisations, especially those launching their first program, a platform is the right choice. You can always migrate later once you understand what you need.