Ask HN: As a vendor or developer, what's your experience with bug bounties?
I've been involved in various bug bounty programs from the researchers side, but I've never sat on the other side of the table and been the one receiving the reports. So for those who have, I'm interested to know how your experience has been.
Have you found the programs to be beneficial and useful overall? Do you get enough high-quality engagement to make up for the time taken up by junk reports? Is it feasible to do your own triage, or have you had to outsource that?
And most importantly: would you recommend that other organisations sign up to a bug bounty program, and if so, what advice would you give them?
2 comments
[ 3.3 ms ] story [ 18.0 ms ] threadIf I could recommend anything to an org trying to build out a bounty program it would be to invest in a robust triage system rather than building your own. While building your own might seem cost-effective, the long-term maintenance and updates can become a hassle and a good triage system streamlines the process so you can focus on fixing vulnerabilities.