Bug Bounty Programmes: An Introduction
A bug bounty programme invites external security researchers to find and report vulnerabilities in your systems in exchange for recognition or financial rewards. It is a structured way to leverage the global security research community to improve your security posture.
How Bug Bounty Programmes Work
- Define scope — which systems are in scope, which types of vulnerabilities qualify
- Define rules of engagement — what testing is permitted, what is prohibited
- Define reward tiers — typically based on CVSS severity (Critical, High, Medium, Low)
- Researchers submit reports through a defined channel
- Your team triages reports, confirms validity, and remediates
- Researchers receive the reward and, optionally, public recognition once the issue is fixed
Managed vs. Self-Hosted
- Bug bounty platforms (HackerOne, Bugcrowd, Intigriti): Provide researcher communities, triage support, report management, and payment processing. Recommended for most organisations.
- Self-hosted Vulnerability Disclosure Policy (VDP): A lighter alternative — a defined process by which security researchers can report vulnerabilities, without financial rewards. Often implemented via a security.txt file and a designated email address.
When to Consider a Bug Bounty
Bug bounty programmes are most valuable for public-facing applications with a significant user base or sensitive data. We recommend starting with a private programme (invite-only researchers) before opening to the public, and ensuring your internal security baseline is solid first — bug bounty programmes will surface real vulnerabilities.