Framework

  • Chapter 4: Scope and Budget

    Date: September 7, 2021 Authors: Anil Dewan, Annika Erickson, Katie Trimble-Noble, Christopher Robinson, Deana Shick Introduction By now, we hope that you have read Chapters 1, 2, and 3, and are ready to begin scoping and budgeting your Bug Bounty program. If you haven’t read those chapters and are new to Bug Bounty, we encourage you to doContinue…


  • Chapter 3: Charter Your Program & Set Strategic Objectives

    Date: July 28, 2021 Authors: Anil Dewan, Annika Erickson, Katie Trimble-Noble, Deana Shick Overview If you have stumbled upon this Chapter of the Bug Bounty Framework, you may have decided that a Bug Bounty program fits your needs . Creating a program charter and defining your strategic objectives are important steps in defining why your Bug Bounty programContinue…


  • Chapter 2: Is a Bug Bounty Program Right for You?

    Date: June 23, 2021 Authors: Sean Poris, Johnathan Kuskos, Josh Dembling, Katie Trimble-Noble, Deana Shick, Christopher Robinson Overview By now, you have read Chapter 1, and you may be wondering if a Bug Bounty program is right for your organization. You might be intrigued by the idea of interacting with researchers, and wondering about theContinue…


  • Chapter 1: What is a Bug Bounty Program?

    Date: May 4, 2021 Authors: Deana Shick, Johnathan Kuskos and Kathleen Trimble-Noble Overview  Bug Bounty programs (or, “Bug Bounties”) have quickly become a mainstay in many security programs. Bug Bounties encourage reporters (including vulnerability finders, researchers, ethical hackers, and so on) to submit vulnerabilities to an organization for rewards. This chapter covers the basics ofContinue…


  • Announcing the Bug Bounty Framework: Demystifying Bug Bounty Programs

    Date: May 4, 2021 Our Bug Bounty Community of Interest (BB COI) has been hard at work this year discussing the challenging problems many Bug Bounty programs (BBP) face, potentially including Vulnerability Disclosure Programs (VDP). Throughout our conversations and research, we noticed that there is little comprehensive guidance covering the Bug Bounty space. In anContinue…