Bug bounty consulting.
Scope, payout structure, rules of engagement, and platform selection.
Where I help
Pre-launch, scope, payout, platform.
Maturity assessment
Whether you should run a bug bounty at all, or a VDP first. What needs cleaning up before you invite hackers — known issues, exposed staging, missing SBOM, weak RBAC.
Scope writing
Asset list, in-scope categories, out-of-scope categories, account provisioning, test data. The scope document hackers actually read before they submit.
Payout structure
Severity bands tied to your business impact rather than a generic CVSS table. Reasonable minima for low/medium, real money for critical. Bonus structures for first-finder of new classes.
VDP → BB transition
Already running a vulnerability disclosure programme? Move to paid bounty without breaking the trust you built with the researchers already submitting.
Platform selection
HackerOne, Bugcrowd, Intigriti, in-house.
No referral fees. No platform allegiance. The choice depends on your researcher mix (HackerOne for breadth, Intigriti for EU-resident researchers, Bugcrowd for managed depth), your compliance posture, and whether your legal team can stomach a US data-residency platform.
In-house is a real option once you exceed ~$20k/month in payouts — the platform fees start to matter. I have built one. The tradeoff is researcher trust: a fresh in-house programme starts at zero.
Deliverable
Ready-to-ship programme documents.
Scope policy, payout table, safe-harbour clause, researcher rules of engagement, internal runbook, and a 90-day launch plan. Markdown and PDF. Your legal team gets a clean review pass before you publish anything researcher-facing.
Planning a bug bounty programme?
Tell me your stage — pre-launch, scope rewrite, or platform switch — and I'll come back with a concrete plan.