It seems every time I talk to someone about their security program they say they want to start a bounty. As I discuss further I find their security program is largely based on hopes and prayers and not anything roughly approximating a planful “program”.
Bug bounty programs are for refining a mature SDLC, it’s the feedback loop that identifies (hopefully small) gaps. Running a BB against an immature or non-existent SDLC means whack-a-mole with thousands of submissions; it’s costly and doesn’t solve gaps.

Dec 29, 2018 · 9:13 AM UTC

Agreed, and costly is an understatement. The initial wave that hits from starting a bug bounty usually requires a full-time head who can effectively triage issues and run things down (which is quite $$$). For a lot of orgs it’s silly overkill.