Announcing the Bug Bounty program pack 1.0


I have participated in, and built bug bounty programs at companies such as PayPal and Box and supported similar programs at several other companies. Below is part of a whiteboard session from 2012, conducted before launching PayPal's bug bounty program, where we were determining payout amounts and the logistics of compensating researchers.

[Image: whiteboard session notes from the 2012 PayPal bug bounty planning]

At that time, bug bounty providers like Bugcrowd or HackerOne were just starting and unknown, so we had to manage all the details ourselves. We consulted with Google and Mozilla to understand the logistics of running a program, as it was relatively new and not much information was publicly available. Establishing a bug bounty program involves considerable effort and careful thought. There are numerous considerations beyond selecting a provider, many of which are often overlooked in public documentation. The goal of the Bug Bounty Program pack is to help people quickly ramp up on the topic, providing them with the necessary information to begin their journey and ultimately launch a program.

- Robert Auger (@robertauger)

Bug Bounty Program Release Pack 1.0

I'm pleased to announce our third release, the Bug Bounty Program release pack. The goal of this release is to provide you with everything you need to establish a bug bounty program: aligning with stakeholders, working with a vendor, establishing a private bug bounty, and ultimately moving to a public bug bounty. This release pack is not sponsored or influenced by any bug bounty vendor and does not favor one provider over another.


In this pack, we cover:

Preparation Checklist: This checklist provides every step required to research, pilot, test, roll out, and expand a bug bounty program at your company.
Reporting Requirements: This document outlines the required information you'll need from a security researcher or vulnerability reporter as part of a bug bounty program.
Sample Bug Bounty Policy: This document contains a sample bug bounty policy that you can copy, adjust, and publish on your site.
Submission Response Templates: This document provides copy/paste message/email templates that can be used to communicate with external security researchers for the most common scenarios.
Bug Bounty Process Workflows: This diagram outlines the steps to perform once a bug bounty program is established and you start receiving vulnerability reports, from verifying the issue to pulling in stakeholders for support, managing incidents, and handling public notifications. It aligns roughly with the steps in the bug bounty checklist.
Bug Bounty Runbook: A runbook the security team can use to ensure consistent steps are followed when a vulnerability report is received.
Bug Bounty Metrics: This file contains sample baseline metrics for tracking your bug bounty program and reporting on it internally.

Download on GitHub:


To provide simplified, free, and usable open-source templates to enable engineering and smaller security teams to bootstrap security capabilities in their organizations.


Upcoming releases - Vulnerability Management Program Pack 1.0

Our vulnerability management program pack will provide you with everything you need to establish and set up a fully functioning vulnerability management program at your company.

Previous releases

External Penetration Testing release pack 1.0

This release contains everything you need to scope your first pentest, work with a vendor, execute the engagement, and get the types of reports you need from an external tester. It will enable you to perform your first product-level or infrastructure-level penetration test and provides you with a repeatable process for future engagements.

Download on GitHub:


Security incident response release pack 1.0

The goal of this release is to provide you with everything you need to establish a functioning security incident response program at your company.

Download on GitHub:



