This piece is the second in a series of three blog posts on bug bounty programs and what are some considerations to think about when investing in or launching the program. In my last post, I discussed the benefits of experimenting with a private bug bounty program before launching a public bounty. Today I’ll share which teams you should involve in the decision and program, as well as a few additional considerations. Get buy-in from the engineering teams: For security teams that don’t fix bugs, it is crucial that engineering teams are on board with the proposed launch. Typically, there is an onslaught of submissions in the initial weeks after a launch before the counts start tapering off. Difficult to believe for security teams, but developers also have their own priorities and it is not only fixing bugs. Engineering teams need to be on-board and aware of the potential.