by almost_usual
3471 days ago
As someone who has used HackerOne on both sides (managing and reporting bugs), I'd suggest starting a private program first. Select a small group of researchers known to provide good reports and wait for them to start rolling in. Use this as a pilot; if you see value in what's being reported, keep it open. Keep in mind you're going to see a lot of reports in the beginning; it will level off as you apply fixes. You'll need to prioritize these bug fixes in your organization: if you do not fix them within a time period, the researcher has the ability to disclose the bug publicly. I recommend you review your program guidelines with a lawyer before starting it.
If helpful, I wrote down my notes about starting a bounty program, although my experiences were formed by larger companies: https://medium.com/@collingreene/bug-bounty-5-years-in-c95cd...