I don't have visibility into all of the costs associated. We use the bug bounty product they offer, and we define how much we pay for various types of bugs, and what targets are in scope. You can also remove products from being in scope, so you have a few levers to pull to control costs.