What is a bug bounty?

Short answer

A bug bounty is a public (or private) program where you pay security researchers for reporting vulnerabilities. Typical payouts range from $100 for low-severity bugs to $50K+ for critical ones. Most startups don't need one until after SOC 2 Type 1.

Bug bounties formalize what used to be ad-hoc 'I found a bug in your site' emails. Platforms: HackerOne, Bugcrowd, Intigriti, YesWeHack, or self-hosted.

When to start one:
- After SOC 2 Type 1 (you're ready for external attention)
- Before any large-scale marketing push (attackers will probe regardless)
- When you've exhausted internal security capacity

Structure:
- **Scope**: which properties and which bug classes are in scope
- **Rewards table**: payout by severity (e.g., $500 low / $2K medium / $8K high / $25K critical)
- **Rules**: no social engineering, no DoS, no accessing other users' data beyond what is needed as proof
- **Safe harbor**: legal protection for good-faith researchers

Budget: expect to pay $5K-$50K/year in rewards for serious reports, plus platform fees ($500-$5K/month). The ROI: you fix bugs before attackers exploit them. A single critical vulnerability fixed before it is exploited is worth the annual budget.

Most early-stage startups start invite-only (small curated group of researchers) and scale to public over 12-24 months.
