Create your own security program page with instructions for hackers: what targets are in scope, what types of findings are eligible, what types are not, what rewards you will be paying, what behaviors are acceptable, and what the ideal vulnerability report should look like. Start with Antihack.Me's template, ask for help if you want it, and modify as needed.
Set bug bounty awards by technical classification of the bug and severity of its possible impact. We recommend a minimum of $100. The average is around $500. To get attention from the world's best hackers, pay more than the platform average.
Your hackers (also called security researchers) are selected from the top tier of Antihack.Me. You can invite your own hackers, or Antihack.Me can customize your invitations for your specific needs. Your program starts private but can be made public.
Expect vulnerability reports in your inbox from Day 1. On average, a customer should receive 3 or more vulnerability reports in the first 2 weeks.
Review the report for validity, using the report's proof of concept and the hacker's Reputation on Antihack.Me. If valid, fix the vulnerability on your own schedule.
For valid bugs, Antihack.Me handles the paperwork and payment to the hacker.
When you receive valid submissions, you know that your program is working. The sooner your engineering team can fix the bugs found, the more secure your system will be. When you deploy new software, you may want to offer new bounties to encourage repeat hackers to spend their time on you again.