Are you subscribed to a Bug Bounty programme/service?  We are considering but wondering if benefits will exceed cost/extra noise.

CISO in Software, a month ago

Yes, it is really a best practice, but you need to have a good scope, plan and desired goals. Do not open broadly without constraints.

Group Director of Information Security in Banking, 2 months ago

Subscribing to a bug bounty program is a MUST for every organisation if any of the below is valid for you:
a. You have a customer-facing application that undertakes e-commerce/financial transactions that account for over 10% of the revenue generation.
b. You do not have an in-house team of at least 3 FTE penetration testers.
c. Your applications are API-intensive and your information security team members are NOT from an application development background.
d. You have outsourced the application development process and do not have absolute control over the application development environment, where new features are getting added within applications at frequent intervals.
Good bug bounty service providers reduce a lot of noise, but you need an in-house resource dedicated to its management.
ATB
