This piece is the first in a series of three blog posts on bug bounty programs and the considerations to weigh when investing in or launching one.

Bug bounty program delivery models range from self-managed input channels for receiving vulnerabilities, through platform-managed private programs with a small curated list of researchers and scope-restricted, time-boxed engagements, to an all-out public bug bounty program.

The right delivery model for your company depends on the goals defined for the program, which can change over time and similarly vary from:

- Validating the security posture of your product and your internal security team
- Augmenting the breadth of internal penetration testing efforts
- Incentivizing and opening up a channel for receiving vulnerabilities
- Building trust with customers & prospects
- Enhancing the security perception of your company
- Leveraging the external visibility to improve internal time-to-fix metrics
- For “fear of missing out”, also commonly referred.