Lessons learned from public bug bounties programmes

Track: Misc
When: Mon PM-2
Where: Owasp Projects
Organizers Stu Hirst Stu Hirst
Participants Prakash Sharma Prakash Sharma , John Killilea John Killilea , Alex Chapman Alex Chapman , Chris Allen Chris Allen , Gabor Pek Gabor Pek , Simon Pavillon Simon Pavillon , Stu Hirst Stu Hirst
Remote Participants Arushit Mudgal Arushit Mudgal , Ashraf Iftekhar Ashraf Iftekhar , James Osborn James Osborn , Pascal Schulz Pascal Schulz , Prakash Sharma Prakash Sharma

A bug bounty program is a crowdsourcing initiative offering compensations for discovery and responsible disclosure of potential security vulnerabilities. Many organizations offer compenstations in terms of cash or goodies while others only offer acknolwedgements. Bug bounties are commonly seen as the most effective and inexpensive way to identify vulnerabilities in live systems and products.


While bug bounties are seen as a lucrative way to make quick money for researchers, it’s equally seen as an effective and inexpensive way to perform security audit for vendors/organizations. This session seeks to help both parties leverage their knowledge and experience to learn and understand each other and grow in a collaborative way, sharing ideas and experience to further improve the security industry and people in it.


  • What is required to kick off a bug bounty? Considerations/implications/inputs
  • Top 10 lessons that people have learned
  • How to improve bug bounty programmes
  • How to anticipate and therefore avoid problems
  • How to responsibly disclose potential security vulnerabilities


  • List of top 10 lessons from bug bounty experts
  • Guidelines on improving bug bounty programmes


The target audiences for this Working Session are:

  • People who have participated in or managed bug bounties in the past
  • People who want to run bug bounties in the future
  • Companies who provide these services

Working materials

  • Draft list of top 10 lessons from bug bounty experts
  • Draft guidelines on improving bug bounty programmes
  • Please add as much information as possible before the sessions

Previous Summit Working Session


Register as participant

To register as participant add Lessons learned from public bug bounties programmes to either:

  1. the sessions metadata field from your participant's page (find your participant page and look for the edit link).
  2. or the participants metadata field from this git session page

Back to list of all Working Sessions