Bug bounty program have always been a love-hate thing for enterprise. Enterprises running bug bounty programs can discover their vulnerabilities through external information security researchers and manage the vulnerability disclosure process. However, at the same time, they suffer from incomplete experience or planning when running the program, which leads to many problems.

This seesion will start from the bounty hunter's own experience until joining a company to assist in handling and running the program. I will share the experience and difficulties from both sides and also cases of conflict and cooperation.