
Ask HN: Should I offer a security bug bounty for my SAAS app? - hoodoof
I'm concerned about security.

Would it help to make it more secure if I offered say a $1,000 security bug bounty?

Is there a "wrong way" and a "right way" to offer security bug bounties? Are there pitfalls to be avoided?
======
ejcx
I report a lot of bugs and I am not a fan of HackerOne or Bugcrowd. I also
triage bugs through h1 sometimes at work and I really don't enjoy the quality
of bugs or the platform.

If you are a smallish company my advice is to have a security page and a
specific security contact with a corresponding gpg key, offer a smallish reward,
and respond quickly. 100 is plenty, even though a lot of people will disagree
with me, and it's way, way better than most.

------
spydum
Setting up a bug bounty may send more work your way than you expect. Nothing
worse than offering bounties, getting submissions, and not having the
resources to investigate and fix. I still think they can be a great idea, just
be careful to support it (you really don't want a bunch of angry hackers
waiting 90 days to get a response to the RCE exploit they found on your
app...).

------
mtmail
Great to see you're willing to spend money on bounties.

[https://hackerone.com/resources](https://hackerone.com/resources) is
advertising for their service but is a good introduction on how to run a bug
bounty program. Maybe using them also solves the marketing issue (how to tell
security hackers that you have a bug bounty program in the first place?)

------
teenageSec
Even if you don't have the budget for a cash bounty, offering up some amount
of free swag (e.g. t-shirts) is a cheap but effective way of attracting
researchers. A great example of this is CloudFlare's bounty, which is a pretty
cool t-shirt and a 1 year subscription.

