by SamHoustonCM 3475 days ago
(Disclosure: I work for Bugcrowd) That's why we suggest going with a 'managed' bounty. That's where Bugcrowd triages all of the incoming bugs and then passes along the valid bugs for you to prioritize and reward. It cuts out all of the noise and only gives you the results.

Every startup with a significant bounty program I've talked to either staffs an internal triage team or outsources triage, but either way they are spending extra money on triage. I haven't talked to any that don't do this.

The concerns I've had raised to me about the value of these programs in practice all assume you're already paying extra to triage.

Right, but the cost differential between staffing it yourself and paying someone else to do it is substantial. Doing it yourself will cost you 3-5x more than paying someone else who is able to do it at scale.