Bug bounties anyone?

Do you have a bug bounty program for your SaaS? What are your typical rewards and practices?

I’ve been contacted by a security researcher from Asia, who found a number of vulnerabilities in my SaaS, pretty ugly ones (a hacker can delete - but not read - other users’ data), so I fixed those and I’m willing to pay him a reward. Not sure what the number should be. He asked for $3k but that’s too much for our small bootstrapped company, so I’m trying to negotiate him down… So I’m trying to understand the typical reward scale. I understand companies like Facebook/Instagram/etc. pay at a scale of “thousands”, but this number looks too big for smaller self-funded companies…

So, any thoughts/experience on this would be appreciated. Thanks!

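The bug class the original poster describes (any logged-in user can delete, but not read, another user’s records) is a missing ownership check on the delete path while the read path has one. The following is an added illustration, not the poster’s code or data: an in-memory store and handler functions with assumed names (`delete_document_vulnerable`, `delete_document_fixed`, `read_document`) and constructed sample records, showing the vulnerable delete beside the fixed one.

```python
"""Constructed model of the authorization flaw in the post: the delete
endpoint checks that the caller is logged in but not that the caller owns
the record, while the read endpoint does check ownership. All names and
sample data here are assumptions for illustration."""

from dataclasses import dataclass, field


@dataclass
class Document:
    doc_id: int
    owner_id: int
    body: str


@dataclass
class Store:
    """In-memory stand-in for the SaaS database (constructed sample data)."""
    docs: dict = field(default_factory=dict)

    def get(self, doc_id):
        return self.docs.get(doc_id)

    def delete(self, doc_id):
        self.docs.pop(doc_id, None)


def seed_store():
    # Two users, one document each (constructed sample data).
    s = Store()
    s.docs[1] = Document(1, owner_id=100, body="alice's notes")
    s.docs[2] = Document(2, owner_id=200, body="bob's notes")
    return s


def read_document(store, caller_id, doc_id):
    """Read path: enforces ownership, which is why the reporter could not
    read other users' data. Returns the body, or None for missing/foreign docs."""
    doc = store.get(doc_id)
    if doc is None or doc.owner_id != caller_id:
        return None  # would be a 404 in an HTTP API: don't reveal existence
    return doc.body


def delete_document_vulnerable(store, caller_id, doc_id):
    """Vulnerable delete: only checks that *someone* is logged in, then
    deletes whatever doc_id the request names. Any user can delete any
    other user's record by guessing or enumerating ids. Returns an HTTP-style status."""
    if caller_id is None:
        return 401
    if store.get(doc_id) is None:
        return 404
    store.delete(doc_id)
    return 204


def delete_document_fixed(store, caller_id, doc_id):
    """Fixed delete: applies the same ownership check the read path already has.
    A foreign id gets the same 404 as a nonexistent one, so ids cannot be probed."""
    if caller_id is None:
        return 401
    doc = store.get(doc_id)
    if doc is None or doc.owner_id != caller_id:
        return 404
    store.delete(doc_id)
    return 204


def demo():
    """Alice (id 100) tries to delete Bob's document (id 2) against both handlers.
    Returns (vulnerable status, Bob's doc survived?, fixed status, Bob's doc survived?)."""
    s = seed_store()
    v_status = delete_document_vulnerable(s, caller_id=100, doc_id=2)
    v_survived = s.get(2) is not None
    s = seed_store()
    f_status = delete_document_fixed(s, caller_id=100, doc_id=2)
    f_survived = s.get(2) is not None
    return v_status, v_survived, f_status, f_survived


if __name__ == "__main__":
    print(demo())  # (204, False, 404, True)
```

The practical check when triaging a report like this is to diff the authorization logic of every mutating route against the corresponding read route; the read path having the check and the delete path lacking it is exactly the asymmetry the reporter found.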

No experience with this, but there was a post a looooooonnnggg time ago about how someone’s company was placed on one of the bounty lists (without his permission), and he started getting hundreds of issues a day, mostly small CSS problems that were not a security threat.

He was angry and asked to be removed, but by then other lists had his company’s email, which meant more spam.

So I would be careful about this. There are specialised companies that test the security of your software. Is there a reason you can’t hire them, rather than depending on random strangers?

Edit: Here is the link I was talking about: Security strategy


IIRC, this podcast discussed bug bounties as a very cost effective way to find problems with a site: http://shoptalkshow.com/episodes/250-web-security-april-king-alex-sexton/