looking for your experience and knowledge on how you or your company handles Bug Bounty requests from those claiming to have found vulnerabilities on your company website.
Do you have an established Bug Bounty program?
What does your program include?
How do you engaged with the reporter?
How do you verify their identity and their legitimacy?
What is the payment or reward for verified vulnerabilities?
Interested in what has worked and what has not worked.
I've worked at two companies that have had their own bug bounty programs (full disclosure: each on their own platform).
If you want to receive vulnerabilities, you should be able to respond very rapidly and politely every single time. If you can't treat every incoming report as your most important job that day, a reporter may take offense. Every researcher should get professional treatment respecting their kind contribution. The two major models are do it yourself and have someone do it for you.
I am personally happy to assist in any way, and can be reached at firstname.lastname@example.org.
If I say much more, I will sound like an annoying vendor engaged in self-promotion.
Thank you very much for your response. I'll take what you've shared into consideration as we develop our strategies.
It is really depends on the budget and time you have.
To sum up- Bug Bounty process should be addition to your company's vulnerability management program, but with mature VM program you wont really need a Bug Bounty.
And you dont really need the whole program for that- only process.
The key idea is to make sure that bug reported is reviewed by applicable sec team (with dev team if applicable).
And scanning for vulnerabilities/bugs are performed periodically- by internal and/or external parties.
Dont deal with unknown "bug reporters". It is much cheaper to hire well known sec company which will use their tools and skills to check you stuff otta there. Or, get own expertise.
Doesn't a "Bug Bounty" concept (potentially) encourage ransomware?