Today companies face a huge challenge of protecting customer data and respecting user privacy. Everyday more and more data is being collected in many ways and it's very important to step back and understand what we are collecting, if we really need it and how to better protect it.
A bug bounty program is a program where companies reward independent individuals for reporting bugs and vulnerabilities. This is a great way to compensate people for their hard work and to make your product and company more secure.
A couple of months ago we added a simple bug bounty message to our (Security Page:
FunRetro will give recognition and compensation for people reporting bugs and issues, especially those pertaining to exploits and vulnerabilities. To report bugs please send an email to email@example.com.
Bug bounty programs are becoming more and more popular, and they are a cheaper and better alternative to traditional penetration tests. HackerOne is a big part of it and the biggest platform out there.
Since we created it, more than 5 independent security experts already sent us emails reporting more than 17 vulnerabilities (from low to high). We already fixed most of those.
Tips do create a successful Bug Bounty program:
Create an email specific to report security issues. For example: firstname.lastname@example.org
Think about how much you are going to give for low, medium and high severity issues. You can take a look on this page to understand better the categories: Categories Vulnerabilities. If you are a new startup with no investiments, you can start with low tickets and work out what works best for you. But remember that it's important to compensate people for their hard work.
Try to solve all issues as soon as they are reported. It's very important to do it to keep your product secure.
Create a page to display a hall of fame of individuals that helped you. This helps to keep your company transparent and to attrack more people to help you. You can take a look at our page here: FunRetro Bug Bounty.