4 Bug Bounty Myths DispelledHackerOne's Laurie Mercer Takes Down Common Misconceptions
Bug bounty myths: All such programs must be public, run nonstop, pay cash to bug-spotters and allow anyone to join.
See Also: The State of Integrated Risk Management
Laurie Mercer, a security engineer at HackerOne, says that, in fact, bug bounty and vulnerability disclosure programs are often run as private, invitation-only and time-limited endeavors. In addition, while the average program reward is $600 for finding a significant bug, sometimes simply publicly thanking bug hunters or offering cool swag can suffice as rewards.
In a video interview at the recent Infosecurity Europe conference, Mercer discusses:
- Bug bounty program common misconceptions and best practices;
- The emergence of bug bounty millionaire ethical hackers;
- Better integration with the software development life cycle.
Mercer is a security engineer at HackerOne. His primary focus is on responsible disclosure, vulnerability management and risk reduction for organizations of all sizes and security maturity levels. He's worked with customers as diverse as Queen Elizabeth II and the Chinese government in various roles involving software, security and education.