bug-bounty
Safeguard articles tagged "bug-bounty" — guides, analysis, and best practices for software supply chain and application security.
16 articles
A practical guide to bug bounty hunting
HackerOne alone has paid hackers over $300M since 2012, but most new researchers earn nothing — duplicates, not skill gaps, are the top reason first reports fail.
What is Responsible Disclosure
What responsible disclosure means, how 45-90 day timelines work in practice, and how coordinated CVE reporting like Log4Shell actually played out.
What is a Vulnerability Disclosure Program
What a vulnerability disclosure program actually is, how it differs from a bug bounty, and what CISA, ISO, and the EU CRA now require of it.
PentesterLand and Other Security Research Feeds Worth Following
PentesterLand's weekly link roundup of write-ups, tools, and CTF material is one of the best-curated feeds in offensive security — here's what it covers and what else belongs in the same reading list.
Do Bug Bounties Actually Reduce Open Source Risk? An Inde...
Bug bounties didn't catch Log4Shell or the XZ Utils backdoor. An independent look at what OSS bounty programs actually cover — and where they structurally fall short.
Bounty Program Scoping for Dependencies
How to scope a bug bounty program when most of your attack surface lives in third-party dependencies — with guidance on payouts, triage, and upstream coordination.
2025 Bug Bounty Program Reforms: What Changed
From Microsoft's AI bounty expansion to the EU CRA's good-faith researcher protections, bug bounty rules of engagement shifted meaningfully in early 2025.
Scoping a Vulnerability Bounty Program for Supply Chain
How to scope a bug bounty program that addresses supply chain risks: in-scope assets, payout tiers, triage workflow, and avoiding the trap of dependency CVE bounties.
How to Write a Vulnerability Disclosure Policy Developers Respect
Most VDPs are lawyer documents nobody reads. Here is how to write one with real safe harbor, honest SLAs, and an intake path researchers will actually use.
Vulnerability Disclosure Policy Template
A practical template for creating a vulnerability disclosure policy, with guidance on safe harbor provisions, response timelines, and researcher relationships.
Open Source Vulnerability Rewards: Can Bug Bounties Save Open Source?
Google expanded its OSS vulnerability rewards program in 2023, paying researchers to find bugs in critical open source projects. It's a promising model, but not a silver bullet.
The Economics of Vulnerability Bounties: Who Wins and Who Loses
Bug bounty programs are a billion-dollar market. But the economics do not work equally well for everyone. A look at who benefits, who gets shortchanged, and what the numbers actually say.