Ask HN: Bug bounty program as a small company

1 points by _rami_ ↗ HN
Has anyone successfully run a (security) bug bounty program for a small company (~15 people) before?

We expect to recieve ~20 reports a year and given the quality of reports we receive by email so far we'd expect to pay out 2-3 actual bounties per year. On that scale, paying $30k to HackerOne is completely disproportionate and even smaller platforms like hacktrophy and yeswehack would cause us to pay a sh*itload of money to the platform compared to how much we would use it.

However, not using a platform would require us to handle payouts ourselves and paying money to strangers across the world without screwing up taxes is hard (we're based in Germany).

Does anyone know if there's a middle ground between these approaches?

2 comments

[ 4.4 ms ] story [ 16.4 ms ] thread
For 2-3 payouts a year I'm sure why it would be difficult to handle them manually. I don't know Germany but it does not sound like a tax headache, either (I suspect it's like paying a lawyer or plumber bill)