Ask HN: Should I offer a security bug bounty for my SAAS app?

5 points by hoodoof ↗ HN
I'm concerned about security.

Would it help to make it more secure if I offered say a $1,000 security bug bounty?

Is there a "wrong way" and a "right way" to offer security bug bounties? Are there pitfalls to be avoided?

4 comments

[ 3.0 ms ] story [ 14.3 ms ] thread
Great to see you're willing to spend money on bounties.

https://hackerone.com/resources is advertising for their service but a good introduction on how to run a bug bounty program. Maybe using them also solves the marketing issue (how to tell security hackers that you have bug bounty program in the first place?)

I report a lot of bugs and I am not a fan of hacker one or bugcrowd. I also triage bugs through h1 sometimes at work and I really don't enjoy the quality of bugs or the platform.

If you are a smallish company my advice is to have a security page and a specific security contact with a corresponding gpg key, offer smallish reward, and respond quickly. 100 is plenty, even though a lot of people will disagree with me and it's way way better than most.

Even if you don't have the budget for a cash bounty, offering up some amount of free swag (e.g. t-shirts) is a cheap but effective way of attracting researchers. Great example of this is CloudFlare's bounty which is a pretty cool t-shirt and a 1 year subscription.
Setting up a bug bounty may send more work your way than you expect. Nothing worse than offering bounties, getting submissions, and not having the resources to investigate and fix. I still think they can be a great idea, just be careful to support it (you really don't want a bunch of angry hackers waiting 90 days to get a response to the RCE exploit they found on your app...).