A bug bounty is a program that fosters collaboration with security researchers to help protect our customers' personal information from malicious activity, by finding vulnerabilities in the networks, web and mobile applications, and the security policies set across organizations.
A few questions are always vague when running a bug bounty program:
How much does a bug bounty actually cost? How many resources do we need to allocate to this program? How do we plan and strategize bounties to prioritize high-risk items? We are getting so many bugs but don't have enough resources/developers to fix them!
That's why I started a program called C2B (Cost 2 Business) to evaluate the true cost to the business of a bug bounty process. There is an associated cost whether a bug is valid or not, because someone from the security team needs to validate it. There is extra cost added by a lack of proper information on the scope of the bounty program.
Typically it feels like we only paid a bounty for the bugs we resolved. But there is an associated cost for all bugs that were marked as spam, duplicates, informative or non-reproducible.
True cost of a bug = Bug × (time to evaluate and remediate), irrespective of its state.
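As an added illustration (not from the original post), the Python below applies that formula to a constructed batch of reports and contrasts the bounty actually paid with the true cost once triage time on rejected reports is counted. The hourly rates, report states and hours are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

TRIAGE_RATE = 120.0  # assumed loaded hourly cost of a security engineer validating a report
DEV_RATE = 100.0     # assumed hourly cost of a developer remediating a valid bug


@dataclass
class Report:
    state: str           # "valid", "duplicate", "spam", "informative", "non_reproducible"
    triage_hours: float  # time the security team spent evaluating, regardless of outcome
    fix_hours: float = 0.0  # developer time; only non-zero for valid bugs
    bounty: float = 0.0     # payout; only for valid bugs


def report_cost(r: Report) -> float:
    """True cost of one report: evaluation + remediation + payout, irrespective of state."""
    return r.triage_hours * TRIAGE_RATE + r.fix_hours * DEV_RATE + r.bounty


def c2b(reports):
    """Return (bounty_paid, true_cost, cost_by_state) for a batch of reports."""
    by_state = defaultdict(float)
    for r in reports:
        by_state[r.state] += report_cost(r)
    bounty_paid = sum(r.bounty for r in reports)
    return bounty_paid, sum(by_state.values()), dict(by_state)


# Constructed sample batch: one valid bug, the rest rejected after triage.
SAMPLE = [
    Report("valid", triage_hours=2.0, fix_hours=6.0, bounty=500.0),
    Report("duplicate", triage_hours=1.0),
    Report("spam", triage_hours=0.25),
    Report("informative", triage_hours=0.5),
    Report("non_reproducible", triage_hours=1.5),
]

if __name__ == "__main__":
    paid, true_cost, by_state = c2b(SAMPLE)
    rejected = true_cost - by_state["valid"]
    print(f"bounty paid: {paid:.2f}  true cost: {true_cost:.2f}")
    print(f"cost of reports that paid nothing: {rejected:.2f}")
    for state, cost in sorted(by_state.items()):
        print(f"  {state:18s} {cost:8.2f}")
```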