Why (not) use a Bug Bounty platform?
Pros and cons for companies
- Pro: Initial triage is done by the bug bounty platform's staff. Triaging is the process of compiling vulnerability reports, verifying them, and communicating
- Con: Bug bounty platforms are not cheap. It is a real possibility that you pay more to the platform than you pay to the security researchers, who are your primary audience.
- Pro: All major bug bounty platforms offer metrics and reporting; how detailed they are depends on the individual platform.
- Con: Noise. Not only the best researchers are on the platforms, but beginners too.
- Mixed: Integrations with issue tracking and notification systems (Jira, Slack, etc.). Not all platforms provide these out of the box.
- Pro: All major bug bounty platforms provide some level of role-based access control (RBAC), with roles such as editor, administrator and read-only, which lets you apply the principle of least privilege to program access.
- Pro: Thousands of researchers are already on the bug bounty platforms looking for programs to find vulnerabilities in, so you get immediate access to them.
- Pro: Most of the major platforms assign customers a success manager, who helps with scope adjustments, platform features, filtering of researchers, bounty pay-outs, etc.
Pros and cons for hunters
- Pro: Transparency into a company's process: disclosed reports, metrics about the program's triage rates, payout amounts, and response times.
- Con: Triagers are third-party employees who are often not familiar with all the security details of a company's product, and may handle reports improperly (a common complaint).
- Pro: No worrying about the logistics of emailing security teams, following up on reports, and providing payment and tax information every time you submit a vulnerability report.
- Con: Programs on platforms break the connection between hackers and developers. With a direct program, you can discuss the vulnerability with the company's own security engineers.
- Pro: The platform can step in as a third party to provide conflict resolution and legal protection.
- Pro: A platform gives you recourse in the final bounty decision; if you submit a report to a non-platform program, you have none.
- Pro: In the current state of the industry you can't always expect companies to pay up or resolve reports. The hacker-to-hacker feedback system that platforms provide is helpful here.
- Con: You may get a T-shirt you already have.
- Con: Public programs on bug bounty platforms are often crowded, because the platform gives them extra exposure. Many privately hosted programs do not get as much attention from hackers and are thus
- Con: For the many companies that do not contract with a bug bounty platform, you have no choice but to go off-platform if you want to participate in their programs.
Not either/or, then, but both.