Bug bounty consulting.
Scope, payout structure, rules of engagement, and platform selection.
Where I help
Before launch: scope, payout, platform.
Maturity assessment
Whether you should run a bug bounty at all, or a VDP first. What needs cleaning up before you invite hackers — known issues, exposed staging, missing SBOM, weak RBAC.
Scope document
Asset list, in-scope categories, out-of-scope categories, account provisioning, test data. The scope document hackers actually read before they submit.
Payout structure
Severity bands tied to your business impact rather than a generic CVSS table. Reasonable minima for low/medium, real money for critical. Bonus structures for first-finder of new classes.
Transition from VDP to bug bounty
Already running a vulnerability disclosure programme? Move to paid bounty without breaking the trust you built with the researchers already submitting.
Platform selection
HackerOne, Bugcrowd, Intigriti, in-house.
No referral fees. No platform allegiance. The choice depends on your researcher mix (HackerOne for breadth, Intigriti for EU-resident researchers, Bugcrowd for managed depth), your compliance posture, and whether your legal team can stomach a US data-residency platform.
In-house is a real option once you exceed ~$20k/month in payouts — the platform fees start to matter. I have built one. The tradeoff is researcher trust: a fresh in-house programme starts at zero.
Deliverable
Programme documents you can put to use immediately.
Scope policy, payout table, safe-harbour clause, researcher rules of engagement, internal runbook, and a 90-day launch plan. Markdown and PDF. Your legal team gets a clean review pass before you publish anything researcher-facing.
Planning a bug bounty programme?
Tell me your stage — pre-launch, scope rewrite, or platform switch — and I'll come back with a concrete plan.