Setting up a bug bounty programme in your organization

Experiences from the industry



Organizations of various sizes have been putting together and hosting bug bounties over the years. Some of these are very popular - participants look forward to the event on their calendars. Others, not so much.

The “hit or miss” nature of these events is sometimes a deterrent for any new business thinking about hosting a bug bounty. And yet, it is somewhat easy to plan for success by using playbook-like approaches and strong ownership of the process.

Rootconf invited showrunners of some of the most successful bug bounties to share insights, secrets and tips which will help any business to get started with this approach. Blending talks, how-to’s and panel discussions - this is the one stop shop for how to “get started with bug bounties” that you were looking forward to.

Browse through the blog posts and videos to learn how organizations such as Flipkart, Razorpay and InVideo have thought about and implemented bug bounty programmes.

Participate in the conference to share your work and learn from peers.

About the editorial team

This knowledge repository (blog posts and videos) and conference have been curated by Anant Shrivastava - information security consultant; Shrutirupa Banerjiee, senior security researcher at Quick Heal and Editorial Assistant at Rootconf; and Sankarshan Mukhopadhyay, editor at Hasgeek.

Who should participate

  • InfoSec engineers
  • Appsec engineers
  • DevSecOps teams
  • Security engineers
  • Engineering managers
  • Engineering leadership in organizations

RSVP to participate, or purchase a subscription to access videos, and to support Rootconf’s community activities on

Code of Conduct: Hasgeek’s Code of Conduct applies to all participants and speakers at the meetups.

COVID protocols and masking policy for meetings held in-person: In keeping with COVID protocols, the following is applicable to all participants:

  1. Participants attending the meetups in person must keep their vaccination certificate handy. The venue may ask you to show your vaccination certificate as proof of being fully vaccinated.
  2. Wearing masks is optional.

Contact information: For queries about the meetups, contact Hasgeek at or call (91)7676332020.

Hosted by

Rootconf is a community-funded platform for activities and discussions on the following topics: Site Reliability Engineering (SRE). Infrastructure costs, including Cloud Costs - and optimization. Security - including Cloud Security.

Shrutirupa Banerjiee

@shrutirupa Author

Why does your organization need a bug bounty programme?

Submitted Nov 16, 2022

With emerging technologies and advancements in security, threat actors are becoming more and more refined in their approach to attacking systems and infrastructure. It is now the new normal to read news about large enterprises becoming the target of ransomware attempts and data breaches with the haul from the latter being trafficked on websites hosted on the TOR network. It is necessary to acknowledge an axiom of information security which is that we can never expect an application or service to be fully secure or invulnerable to attacks. Risks exist without regard to the degree of processes and operational protocols that may be put in place by a business or an organization. And this is the reason why organizations of all sizes should attempt to be sufficiently well-prepared for the likelihood of any possible threat. As the saying goes, precaution is better than cure. It is a good practice to continuously monitor and evaluate the applications and the environment, not just internally but also externally.

What is required to implement a complete security infrastructure in an organization?

An organization’s security can be designed around two approaches:

  • Using the resources available to an internal security team to run checks and audits.
  • Complementing the efforts of the in-house team with a structured programme that includes external experts, for example external researchers. A bug bounty programme falls under this approach.

How will an organization benefit from a bug bounty programme?

A bug bounty programme is a pact offered by different organizations to individuals willing to find vulnerabilities in their applications and get rewarded (i.e., the bounty) for the same.

Since every individual has their own strategy for finding security issues, a vulnerability that may have been missed by an internal security team can be found by an external one. This helps an organization to be proactive and see value in creating programmes which attract a broader range of audiences for diverse expertise to cope with any threats that may arise in the future. Once a vulnerability is reported externally, the internal team can work through it and build an understanding, or framework, of how it arose. This helps the team apply a similar approach to finding issues in the rest of the products or applications, thus enhancing the products’ security and further improving the organization’s Software Development Life Cycle (SDLC) policies. This “shifting left” approach will help in the design and development of secure software in the future. It also makes the security team better prepared for such threats and for the remediation techniques they call for, further expanding the organization’s security aspects.

Is having a bug bounty programme enough for an organization?

Lack of awareness and knowledge of industry standards in security practices and assessments may make your organization susceptible to various cyber threats. Of course, it is nearly impossible to avoid any security risk. However, having a bug bounty programme in your organization reduces the chances of possible threats. Thus, while holding a bug bounty programme is not imperative, it is nevertheless good for an internal security team to always be in place.


  1. View the slides from Karan Arora’s talk here.

