The only thing I would add to this guide on bug bounties ( https://lcamtuf.blogspot.jp/2018/03/setting-up-bug-bounties-for-success.html?m=1 ) is that if you don't have a team called Security, your company is likely going to be unable to metabolize the volume of reports successfully. You don't *have* to have a bounty program!
Another very large downside, if you're unprepared, is that these programs start like a rocket. The second you give any reward at all, word spreads like wildfire of a new target and you get hundreds of reports in 24 hours.
Solution to this if you don't have a security team: hire a good pentester to find all of these low-concern issues before opening the bug bounty. Automate responding to them when they get reported.
We only opened our scheme to a very small number of testers and slowly increased the pool as reports slowed. Much easier to handle the quality and frequency of reports.