
Ask HN: Should an early stage startup pay for a bug bounty platform (HackerOne)? - throwaway29348
Our product stores personal information like bank account details and ID uploads so we're worried about an eventual data leak. While we think we're storing everything securely, a data leak would be disastrous given the kind of data we are storing.

We looked into a platform like HackerOne but were quoted 60-70K per year to run a bug bounty program. Since we're new and our profits are still small, our budget is closer to 10% of that.

What are our options for a security audit? Is this even something worth pursuing when we're still deciding whether we have product-market fit?
======
mtmail
Add yourself to the
[https://hackerone.com/directory/programs](https://hackerone.com/directory/programs),
that's free afaik. You won't get the 'managed' badge. And have a bug-bounty
page on your website. There are specialized search engines looking for those.
Add a [https://securitytxt.org/](https://securitytxt.org/) if you haven't
already.

I know a startup listed there and they get regularly approached by security
researchers. Some only run generic test suites, e.g. port scans, if signing up
with unicode usernames causes errors, cross-site scripting, but it will still
be valuable. And a cross-site scripting bug has bounties of 100 USD or less.

Via a recent Show HN submission I got a security scan by
[https://www.cybersenshi.com/](https://www.cybersenshi.com/) which I think was
comprehensive.
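
The security.txt file mentioned above follows RFC 9116; as an added example (not code from any commenter), here is a small checker for the two required fields, Contact and Expires, run over a constructed sample file. The sample domain and URLs are placeholders.

```python
"""Minimal RFC 9116 (security.txt) checker. Example added to this thread,
not code from any commenter; the sample file below is constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of a /.well-known/security.txt. RFC 9116 requires
# at least one Contact field and exactly one Expires field.
SAMPLE_SECURITY_TXT = """\
# Security contact for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-06-30T00:00:00Z
Preferred-Languages: en
Policy: https://example.com/security/policy
"""

_FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.+?)\s*$")


def _parse_ts(value):
    # RFC 9116 uses RFC 3339 timestamps; fromisoformat needs +00:00 on older Pythons
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_security_txt(text):
    """Map field name -> list of values, skipping comments and blank lines."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = _FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2))
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; empty list means the file passes these checks."""
    now = _parse_ts(now) if now else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    if "Contact" not in fields:
        problems.append("missing required Contact field")
    for c in fields.get("Contact", []):
        if not re.match(r"^(https://|mailto:|tel:)", c):
            problems.append(f"Contact must be an https://, mailto: or tel: URI: {c}")
    expires = fields.get("Expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            exp = _parse_ts(expires[0])
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
        else:
            if exp <= now:
                problems.append("security.txt has expired; researchers may ignore it")
            elif exp > now + timedelta(days=365):
                problems.append("Expires is over a year out (RFC 9116 recommends under a year)")
    return problems
```

Serve the file at `/.well-known/security.txt` over HTTPS and re-run the check before the Expires date passes, since an expired file signals an unmaintained contact.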

------
TheCrott
A security audit can be expensive, depending on size and app complexity. From
what I saw, it starts from $3k.

I think it's better to make a one-page site to put details like scope, rewards, etc.
Here is a good example:
[https://bugbounty.linecorp.com/en/](https://bugbounty.linecorp.com/en/)

------
detaro
Invest in having a functional process to receive and handle security
reports, and having the appropriate information published first. That's way
more important than having an account with some bounty platform.

And bounty platforms aren't a security audit. If you want an audit, buy an
audit by someone who gets access to your code and can review your internal
setup.

