Skip to main content
Application Security, From The CEO, Company Resources

Bug Bounty Programs — Why Should I Care?

Bug Bounty Programs — Why Should I Care?

Why should I care about bug bounty programs?

Every digital company has software vulnerabilities, and they get expensive in case of a breach. The cost of rebuilding trust with customers when a breach has already occurred can be immeasurable. The best time to focus on this is when nothing has yet happened. 

Traditional methods of finding vulnerabilities are slow and costly. Bug bounty programs have been shown to find vulns quickly, broadly and deeply. This is thanks to unbiased testing from the outside by a skilled community of security researchers and ethical hackers. The cost per bug found is much lower than with pentesting and dynamic scanners. Adding to the good results is the fact that hackers get paid only for bugs found, not for just trying to find.

What do I need to know?

The model for bug bounty programs was perfected by Microsoft, Google and Facebook. They run the biggest programs in the world. HackerOne uses the sharing economy model to make the same benefits and the same vetted hackers available to all. In this model, security experts all over the world can pool their resources to be able to help you make your software more secure.

Is my company ready for this?

To be able to run a successful program, you need top leadership to believe in finding and fixing software vulnerabilities, an Engineering organization that is tasked with prioritizing severe bugs, and a Security person to coordinate with HackerOne. That’s it.

Who else is doing this?

AirBnB, Twitter, Slack, Snapchat, Square, Uber, Riot Games, Salesforce, Shopify, Github, Qualcomm, Intel, Microsoft Research, GM, Lufthansa, the US Department of Defense, and over 800 more.

The Economist Bug Bounty Recommendation


How much will it cost?

If you are a startup or small company, an initial budget of $10-20 thousand will make a positive security impact on your software. On-going programs cost tens to hundreds of thousands a year, depending on size. The biggest program in the world (Google’s) spends over $3 million on bounties annually. The average bounty is about $500. Finders get paid only for valid results, not for just trying. For that reason, costs grow only with results. If a company is spending more, it is because they are finding more.

Can we take baby steps?

At HackerOne we have made sure that you can start benefiting quickly, yet as cautiously as you like and without a long-term commitment. In the beginning we recommend a limited program. Limit the program scope to just one part of your web property or mobile app. Pick a fixed duration for the first program. Run it as a private program with a select set of hackers invited. You can expand later.

To reduce the burden on your team, HackerOne can manage the entire program for you. You will get a validated list of vulnerabilities for your engineering team to fix. Integration with JIRA allows the information to flow automatically.

How do I get started?

We’ll ask you a few questions to determine your readiness and recommend a stepwise approach based on that. Click here to get going. Or copy the link of this web page and send it to someone who needs to know about hacker-powered security.

Through our service, over 44,000 software vulnerabilities have been found and fixed so far. There are many more that still need to be found before we can state that the internet is secure. Get your program going now. You will sleep much better once you activate this neighborhood watch for your software.

Marten Mickos

HackerOne CEO


P.S. If you are already familiar with bug bounty programs, vulnerability disclosure, and HackerOne, then here is my summary of what’s new in the early part of 2017: