Thinking about launching a vulnerability disclosure or bug bounty program and not sure where to start? Do you use a bug bounty platform or self-host; hire a third-party service provider or run things yourself? What should your program rules contain, and how should you engage your legal team? How much should you reward, and how do you pay researchers? How do you build partnerships with engineering teams, and what do long product release cycles mean for your program? There are lots of things to consider when planning a bounty program, and we’ll give you an actionable punch list of operational decisions to go through to ensure you’re set up for success!
Adam ‘rudd’ Ruddermann is Director of the Bug Bounty Services Practice at NCC Group, a global information security assessment and consulting firm. He has extensive experience in the bug bounty community, having led Facebook's Bug Bounty Program, co-founded the BountyCraft conference series, and served as Synack's first Client Operations Manager. He previously served in U.S. government security and intelligence consulting roles with Booz Allen Hamilton and as a Technical Lead at the NSA Red Team while in the United States Air Force.