The only thing I would add to this guide on bug bounties (https://lcamtuf.blogspot.jp/2018/03/setting-up-bug-bounties-for-success.html?m=1) is that if you don’t have a team called Security your company is likely going to be unable to metabolize the volume of reports successfully. You don’t *have* to have a bounty program!
-
If you publish a bug bounty, you are setting up an incentive structure which will result in you getting *a lot* of email from a worldwide talent pool which skews in that direction. You will find that to be a frustrating experience if you have a job in addition to security.