The bug bounty program landscape has undergone significant evolution in the last few years. Organizations of varying sizes and across industries commonly invest in some form of bug bounty model as the available options become more diverse, customizable, and affordable.
With humble origins dating back to the mid-90s, bug bounty programs are agreements typically offered by businesses in which publicly or privately invited ethical hackers may receive recognition and compensation for finding and reporting security vulnerabilities. The chief goal of a bug bounty program is to discover and fix these vulnerabilities before they become common knowledge or are maliciously exploited by cybercriminals.
By investing in a bug bounty program, organizations can significantly expand their security workforces, explains Sean Poris, Verizon Media’s director of product security. “This naturally builds a large worldwide network of researchers working together on your program and establishes a sense of community amongst the researchers and your employees. The talent level and techniques of some hackers are incredible and can yield some creative, impressive findings to allow your organization to increase its security posture.”
However, due to proliferation and maturity within the bug bounty market, embarking on and maintaining a successful bug bounty program is becoming a more complex, nuanced exercise for organizations. As a result, businesses need to answer these five key questions to ensure investment in a bug bounty program is realistic and beneficial.
1. Will you manage it internally or outsource some or all of the process?