Some organizations can get creative when extending rewards to researchers, particularly when cash is not abundant or top management frowns on spending significant sums on outsiders. “It could be financial,” Josh Jacobson, director of professional services at HackerOne, tells CSO. “Or there could be some swag that blurs the lines a little bit. The first program that I ran for United Airlines paid out in miles. We paid out one million miles for a critical vulnerability, which was extremely popular. So, it doesn’t have to be just dollars and cents.”
Jacobson advises organizations to get creative if their budgets are constrained. “It’s helpful if you lean into what your organization has, especially when awarding a lot of money. CFOs start to get a little nervous sometimes.”
Wade Lance, field CISO at Synack, tells CSO: “Responsible organizations are looking for ways to discover vulnerabilities economically. So, you do your internal pen testing, but then externally, you say, ‘Hey, rather than just finding out by getting attacked, I’d much rather have a bug bounty program. And if someone out there discovers a vulnerability, I’d be happy to slide just some money to pay for your time and effort.’ It leverages community-based testing, which is super valuable.”
