Learnings from a 2-year security bug bounty program

I will share learnings after running a security bug bounty program for 2 years.

A security bug bounty program is a collaborative agreement in which white-hat hackers search for vulnerabilities in your software or platform and report them to you, and in return you pay a bounty reward.

Trustpilot, the company I work for, started such a program 2 years ago, motivated to enhance the security of its products. There are many unknowns and many questions before starting and while running such a program, like:

-“How to decide what’s in the scope of testing for vulnerabilities?”

-“How to decide the value of the bounties paid?”

-“How to integrate it in our existing engineering practices?”

-And a bonus one: “How to make our program appealing for hackers?”

We had all these questions and many more, and now we are ready to share our learnings and our approaches. Learn about:

-the prerequisites needed to start such a program,

-main challenges,

-resources needed,

-success factors,

-relevant metrics,

-awareness and engagement among Engineers and other parties involved,

-establishing engagement among hackers.
