Internal Bug Bounties Programmes

Most companies are not ready to do public bug bounties because they don’t have the workflows, or they have too many vulnerabilities, or they don’t have enough processes in place. To circumvent this problem, some companies run internal bug bounties. Internal bug bounties can be managed by some of the bug bounty services, or they can be managed by external, private bug bounty companies. An internal bug bounty is a good first step towards running a public bug bounty.


This Working Session aims to leverage the knowledge of those who have experience in internal bug bounties. The session will create a playbook that sets out the steps, and creates a workflow for an internal bug bounty. Anyone who wants to run a bug bounty will leave the session knowing what to do next.


  • How to make an internal bug bounty work
  • What to expect
  • Who to contact
  • What funds will I need to allocate?
  • What are the governance issues?
  • What are the risks?
  • What commercial companies can run a bug bounty?


The target audience for this Working Session is:

  • People who have participated in or managed bug bounties in the past
  • People who want to run bug bounties in the future
  • Developer teams

Back to list of all Working Sessions and Tracks

Edit this page here