How to start your own bug-bounty program

Code vulnerabilities and other entry points for hackers exist in your systems. Why not use hackers to help find and fix them?


It’s no secret the cybersecurity industry has a skills gap. Read any report that looks at hiring in the security field across the world and the only difference is the size of the shortage. According to last year’s Global Information Security Workforce Study (GISWS), the global shortfall is expected to be 1.8 million by 2022—a 20 percent increase since 2015.

One way to overcome this ongoing lack of cyber skills is to supplement your existing security staff with external people. A new wave of companies, including HackerOne, Bugcrowd, and Synack, are offering communities of hackers ready to test your systems and report their findings in exchange for cash rewards.

But where do you start when launching such a bug-bounty scheme?

Stage 1: Establish a vulnerability disclosure program

The very first stage is simply having a vulnerability disclosure program (VDP) in place. Hacking companies outside of the confines of an official penetration test or bug bounty program has long been a legal gray area for hackers, even if their intentions are purely academic or altruistic. Many companies, including PwC, FireEye, Cisco, and DJI, have taken legal action against people who have found vulnerabilities.
