Session
Managing DocuSign’s BugBounty Program
A bug bounty program for a company should be like a sandwich for Russ Duritz: “There’s safety in sandwiches”. Having a bug bounty program lets your company learn more about threats that might have been exposed publicly without you knowing it. Because these threats are reported safely, the company has time to fix them, and at the same time you show appreciation to security researchers by allowing them to disclose the vulnerability, rewarding them with cash, or both.
In this talk I’m going to show you how DocuSign set up its bug bounty program with Bugcrowd, what sets DocuSign's program apart from others, the different ways to structure a bug bounty program, and some hints and tips learned from the trenches.

Ramon Gallart
Lead AppSec Engineer at DocuSign
San Francisco, California, United States