Trust and Control
1. Set parameters. There are options available to optimize the success of your program and minimize unknown variables. Decide how you want to run your program–private or public–then articulate what you do and don't want to be tested by defining a clear scope.
2. Utilize a partner. Running a bug bounty program with a trusted partner lowers potential risk, as all community members follow a set of rules, outlining acceptable and unacceptable behavior. However, if the idea of opening up testing to the community at-large is too much for your organization right now, you can run a private program with a select group of vetted researchers.
3. Historical data. In reality, incidents of public disclosure are exceedingly rare, and we actively work to prevent them. We closely monitor public researcher communications and activity, and researchers are penalized for not complying with Bugcrowd’s Standard Disclosure Terms which outlines acceptable and unacceptable behavior.