This IDC study explains how to create a bug bounty program that lets the program sponsor draw on the collective experience of a large community of security professionals. Unsanctioned grey hat and black hat hackers exist and will probe your organization's security whether you like it or not; their incentives may be financial gain, publicity, or pure curiosity. A bug bounty program gives these individuals a way to channel that exploration into a sanctioned effort, and gives you a structured process for reviewing, remediating, and responding to the vulnerability reports it produces.
"Bug bounty programs incentivize security researchers to test your systems for weaknesses and then provide you with an opportunity to fix the problems and strengthen your defenses," says Mike Chapple, adjunct analyst with IDC's IT Executive Programs (IEP). "These programs allow you to benefit from the collective thinking of a large community of security professionals. You'll have more minds focused on your security posture than you could ever hire as employees or consultants."