Notes
Field notes from the triage queue.
Practical writing on bug reporting, CVSS, program design, and the work behind a healthy bounty inbox.
May 27, 2026
7 min read
The first 90 days of running a bug bounty program
Most bug bounty programs that go quiet do so because of mistakes made in the first three months. Here's what to do in days 1–30, 30–60, and 60–90, and what kills programs early.
May 20, 2026
7 min read
Writing a bug bounty scope hunters will actually read
Most scope pages are unreadable, and hunters skip them. Here's what good scope writing looks like, why most teams get it wrong, and a checklist you can lift.
May 13, 2026
7 min read
Setting bug bounty payout amounts (without overpaying or insulting hunters)
Most bug bounty payout tables are set wrong, and the math isn't intuitive. Here's how to set yours, what the typical industry ranges actually are, and which modifiers should move a bounty up or down.
May 6, 2026
7 min read
VDP vs bug bounty: which program do you actually need?
Most companies pick the wrong one of these two, and it's expensive in different ways. Here's how to tell whether you need a vulnerability disclosure program, a bug bounty, or both, and what to do first.
April 29, 2026
4 min read
Self-hosted vs managed bug bounty: when to switch (and when not to)
HackerOne and Bugcrowd are not the only way to run a program. Here's the honest tradeoff between managed platforms and a self-hosted setup, and when each is the right call.
April 22, 2026
3 min read
What good bug reports look like
After a thousand reports across a hundred programs, the difference between the ones engineers fix and the ones they ignore comes down to four things.
April 15, 2026
4 min read
CVSS in five minutes (without the hand-waving)
Most CVSS scores in bug bounty reports are wrong, and not in interesting ways. Here's the version of the spec you actually need.
April 8, 2026
4 min read
What 'critical' actually means in a bug report
Severity inflation is the most common pathology in self-hosted bug bounty programs. Here's how to tell a real critical from a 9.8 in a sandbox.