Bug bounty consulting.
Scope, payout structure, rules of engagement, and platform selection.
How I help
Pre-launch, scope, payout, platform.
Maturity assessment
Whether you should run a bug bounty at all, or a VDP first. What needs cleaning up before you invite hackers — known issues, exposed staging, missing SBOM, weak RBAC.
Scope drafting
Asset list, in-scope categories, out-of-scope categories, account provisioning, test data. The scope document hackers actually read before they submit.
Payout structure
Severity bands tied to your business impact rather than a generic CVSS table. Reasonable minima for low/medium, real money for critical. Bonus structures for the first finder of a new vulnerability class.
VDP → BB transition
Already running a vulnerability disclosure programme? Move to paid bounty without breaking the trust you built with the researchers already submitting.
Platform selection
HackerOne, Bugcrowd, Intigriti, in-house.
No referral fees. No platform allegiance. The choice depends on your researcher mix (HackerOne for breadth, Intigriti for EU-resident researchers, Bugcrowd for managed depth), your compliance posture, and whether your legal team can stomach a US data-residency platform.
In-house is a real option once you exceed ~$20k/month in payouts — the platform fees start to matter. I have built one. The tradeoff is researcher trust: a fresh in-house programme starts at zero.
Deliverable
Ready-to-use programme documents.
Scope policy, payout table, safe-harbour clause, researcher rules of engagement, internal runbook, and a 90-day launch plan. Markdown and PDF. Your legal team gets a clean review pass before you publish anything researcher-facing.
Planning a bug bounty programme?
Tell me your stage — pre-launch, scope rewrite, or platform switch — and I'll come back with a concrete plan.