What is the pattern that can be expected after going public with a bug bounty program?
By Eleanor Barlow
August 27, 2025
You asked, and we answered.
At Intigriti, we’ve been paying close attention to the questions most frequently asked by those with a bug bounty program in place. That’s why we’ve launched this blog series dedicated to answering the most asked questions, diving into hot topics, and sharing practical and expert-backed strategies to help you maximize your bug bounty success.
In today’s blog, we take a look at what will likely occur after going public with your bug bounty program, so you have a good idea of what to expect and how to set your team up for success.
Phase 1: spike in submissions
This might be the start of your bug bounty journey, or perhaps you have already had a private program in place. Either way, going public will create a chain of events, usually starting with a spike in submissions.
During the first one to two months of making a bug bounty program public, it is common to see a spike in submissions as an immediate influx of researchers test your environment.
'When you set up a public bug bounty program on the platform, you’ll instantly have access to a global community of crowdsourced ethical hackers.' – What is continuous security testing?
While some of these submissions will be valid, expect a sharp rise in duplicates as more researchers pile in. You can expect multiple reports on the same vulnerabilities, as well as low-value submissions identifying common vulnerabilities, which can be quick wins but don’t offer long-term insights.
But don’t fret: this is where triage comes in. Submissions are validated by our team of experts before they ever hit your desk, so your team only looks at relevant reports rather than what can be an overwhelming volume of duplicates and false submissions.
'When considering whether you need triage services, think about the impact for your security team if you could: Remove time spent on validating submissions, filtering out duplicates, and ranking vulnerabilities by severity.' – The not-so-secret hack to impactful programs
Phase 2: stabilization
Typically, at around three months, low-hanging fruit has been reported, and the volume of submissions begins to decrease. But while the quantity drops, the quality often increases as less skilled researchers may leave the program after reporting on the easier-to-find bugs, while higher-skilled researchers generally continue engaging with the program, looking for more complex and high-severity bugs.
“Having a strong and seamless triage process in place is vital for keeping our community happy and engaged, bringing a continuous stream of new and emerging hacking talent.” – The not-so-secret hack to impactful programs
Phase 3: long-term engagement
From around six months onwards, the program becomes part of your ongoing security posture. If the scope is right and the bounty reward is correctly set, researchers will want to stay engaged.
What’s important now is to build lasting relationships based on respect, responsiveness, and fair rewards.
'This approach benefits both the ethical hackers … and our customers.' – Optimising Bug Bounty Success
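To see where your own program sits on the curve described in phases 1 to 3, it helps to measure monthly volume, the duplicate ratio, and the share of high or critical findings among accepted reports. The script below is an added example, not code from the original post or from Intigriti; the submission records are constructed sample data, and the month boundaries (spike up to month two, stabilization up to month six, long-term engagement afterwards) are taken from the phases above.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data for a hypothetical program that went public on 2025-01-01.
# Each row: (report id, submission date, triage outcome, reported severity).
PROGRAM_LAUNCH = date(2025, 1, 1)

SUBMISSIONS = [
    # Month 0: the initial spike, heavy on duplicates and low-severity reports
    ("R-001", date(2025, 1, 2), "accepted", "low"),
    ("R-002", date(2025, 1, 3), "duplicate", "low"),
    ("R-003", date(2025, 1, 3), "duplicate", "low"),
    ("R-004", date(2025, 1, 5), "accepted", "high"),
    ("R-005", date(2025, 1, 9), "informative", "low"),
    ("R-006", date(2025, 1, 12), "duplicate", "medium"),
    ("R-007", date(2025, 1, 18), "accepted", "low"),
    ("R-008", date(2025, 1, 25), "duplicate", "low"),
    # Month 1: still a lot of overlap between researchers
    ("R-009", date(2025, 2, 2), "accepted", "low"),
    ("R-010", date(2025, 2, 4), "duplicate", "low"),
    ("R-011", date(2025, 2, 10), "duplicate", "medium"),
    ("R-012", date(2025, 2, 14), "accepted", "medium"),
    ("R-013", date(2025, 2, 20), "not_applicable", "low"),
    ("R-014", date(2025, 2, 27), "duplicate", "low"),
    # Month 3: fewer reports, but the ones that arrive are more severe
    ("R-015", date(2025, 4, 3), "accepted", "high"),
    ("R-016", date(2025, 4, 15), "accepted", "critical"),
    ("R-017", date(2025, 4, 22), "accepted", "medium"),
    # Month 7: long-term engagement from the researchers who stayed
    ("R-018", date(2025, 8, 6), "accepted", "critical"),
    ("R-019", date(2025, 8, 19), "accepted", "high"),
]


def months_since_launch(day, launch=PROGRAM_LAUNCH):
    """Whole calendar months between the launch date and a submission date."""
    return (day.year - launch.year) * 12 + (day.month - launch.month)


def phase_for_month(month):
    """Map a month offset to the phase names used in the post (assumed boundaries)."""
    if month < 2:
        return "spike"
    if month < 6:
        return "stabilization"
    return "long-term"


def summarize(submissions):
    """Per-month volume, duplicate ratio, and high/critical share of accepted reports."""
    by_month = defaultdict(list)
    for _report_id, day, outcome, severity in submissions:
        by_month[months_since_launch(day)].append((outcome, severity))

    summary = {}
    for month, rows in sorted(by_month.items()):
        total = len(rows)
        duplicates = sum(1 for outcome, _ in rows if outcome == "duplicate")
        accepted = [sev for outcome, sev in rows if outcome == "accepted"]
        high = sum(1 for sev in accepted if sev in ("high", "critical"))
        summary[month] = {
            "phase": phase_for_month(month),
            "total": total,
            "duplicate_ratio": round(duplicates / total, 2),
            "high_or_critical_share": round(high / len(accepted), 2) if accepted else 0.0,
        }
    return summary


if __name__ == "__main__":
    for month, stats in summarize(SUBMISSIONS).items():
        print(f"month {month:>2} ({stats['phase']:<13}) "
              f"total={stats['total']:<2} dup_ratio={stats['duplicate_ratio']:<4} "
              f"high_or_critical={stats['high_or_critical_share']}")
```

Run against a real export, the duplicate ratio falling while the high-or-critical share rises is the signal that the program has moved from the spike into stabilization; a flat line of zero submissions after month six is the situation the follow-up posts listed below address.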
If you have reached phase three and are not seeing the engagement you are after, look out for our upcoming blogs on:
How to attract security researchers to test on my bug bounty program?
How can I get more submissions and higher-severity findings?
How do I know researchers are testing assets if I'm not getting submissions?
Next steps to enhance your bug bounty journey
For more information on any of the points made in this article, contact the team today.
And keep an eye out for our next blog, where we dissect another popular question posed to our team!
Interested in a particular topic? Send us the questions you’d love to get answers to by emailing pr@intigriti.com
Author
Eleanor Barlow
Senior Cybersecurity Technical Writer