Bounty or Bug Programs: A How-To Guide

Data security officers typically look for security risks by monitoring reports from automated security systems, listening to employees’ reports of security issues, and/or auditing IT systems. There is a great deal of debate, however, about the merits of listening to the security concerns of people outside of an organization. On one end of the spectrum, some organizations refuse to discuss any aspect of their security with the public. On the other end of the spectrum, organizations proactively encourage the public to report security vulnerabilities by paying well-meaning hackers (usually called “white hat hackers” or “independent researchers”) to report problems. …

bounty