Premiere: 4/16 14:40 - 15:10
Replays: 4/16 20:40 - 21:10, 4/17 02:40 - 03:10
Bug bounty programs are a double-edged sword. Done right, they uncover critical vulnerabilities before attackers do. Done wrong, they create noise, drain resources, and even introduce new security risks. So how do you build a bug bounty program that actually works?
Drawing from my experience running Vietnam’s first and largest bug bounty platform, this session will cut through the theory and dive into the real-world lessons of designing, securing, and scaling a successful program. We’ll cover:
1. Program Design: How to define scope, set fair rewards, and attract serious security researchers - not just low-effort spam.
2. Vulnerability Handling: Triage strategies to separate signal from noise, manage false positives, and deal with duplicate reports effectively.
3. Operational Security Risks: How to prevent abuse, secure your own bug bounty infrastructure, and avoid becoming a target yourself.
4. The Human Factor: What motivates researchers, how to build trust, and why community management is just as important as technical execution.
We'll also discuss hard lessons learned, like how to handle rogue submissions and why transparency can make or break your program.
By the end of this talk, you’ll walk away with a practical, tested framework for building a bug bounty program that is secure, efficient, and actually useful - whether you’re starting from scratch or improving an existing initiative.
TOPIC / TRACK
CYBERSEC GLOBAL 2025: United as One
LEVEL
General: General-track sessions cover new cybersecurity topics and non-technical issues, suited to IT and security staff with little or no cybersecurity background.
SESSION TYPE
Live Stream Session
LANGUAGE
English
SUBTOPIC
Bug Bounty
Hackers & Threats
Vulnerability Management