Thinking about launching a vulnerability disclosure or bug bounty program and not sure where to start? Do you use a bug bounty platform or self-host; hire a 3rd party service provider or run things yourself? What should your program rules contain, and how should you engage your legal team? How much should you reward, and how do you pay researchers? How do you build partnerships with engineering teams and what do long product release cycles mean? There are lots of things to consider when planning a bounty program, and we’ll give you an actionable punch list of operational decisions to go through to ensure you’re set up for success!