Self-hosted vs managed bug bounty: when to switch (and when not to)
HackerOne and Bugcrowd are not the only way to run a program. Here's the honest tradeoff between managed platforms and a self-hosted setup, and when each is the right call.
Most bug bounty programs in the wild run on a managed platform: HackerOne, Bugcrowd, Intigriti, or YesWeHack. There are good reasons for that, and there are also good reasons not to. The right choice depends less on what's fashionable and more on a few concrete things about your company.
This post is the honest version of the comparison, written by people who have been on both sides.
What managed platforms actually give you
Three things, mostly:
- A hunter pool. When you launch on HackerOne, hunters can find your program by browsing the platform. You inherit discovery for free.
- Triage as a feature. On managed plans, the platform handles the first pass (deduplication, scope checks, basic validation) before reports reach your team.
- Shared trust. Hunters know how to interpret platform-mediated policies. Reputation systems, payment rails, and dispute resolution are all standardized.
For early-stage programs that don't already have a research community around them, those three are real. Self-discovery is hard. Building hunter trust from a cold start takes a year of consistent payouts and fast responses.
What self-hosted gives you
Three different things:
- Brand control. Your /security page is your brand. Your acknowledgement template is yours. Hunters interact with your domain, not a third party's.
- Hunter relationships. No platform sits between you and the researcher who keeps finding your real bugs. You can pay differently, invite privately, send swag.
- Cost ceiling. Platform fees scale with your program. Self-hosting doesn't. At enough volume, the math flips.
Cost is the loud one but it's not always the deciding factor. The quieter factor, and the one we hear most often from companies that switched, is that managed platforms are very hard to leave once you're on them. History stays with the platform. Hunter relationships are partially mediated. Migration is a project.
The honest decision matrix
Self-hosted is usually the right answer if:
- You already have inbound: security@ is a real, monitored mailbox, you get reports, and hunters know about you. You don't need a platform's discovery layer.
- Brand fit matters more than scale of inbound. Banks, healthcare, and defense companies often can't be on consumer platforms for compliance or perception reasons.
- You're in a regulated industry where data residency and audit trails need to live entirely under your control.
- You have or can hire someone to triage, or you outsource that to a service like ours.
Managed is usually the right answer if:
- You're starting cold. Nobody knows you have a program. The platform's hunter pool is genuinely valuable.
- Volume is low and unpredictable. You don't want to staff for it.
- You want platform-level reputation systems to filter hunter quality.
Both are wrong if:
- You expect a bug bounty program to be cheap. It's not. Whether you pay a platform or pay a triage service or pay your own AppSec team, the hours are the hours.
When companies switch from managed to self-hosted
Three patterns we see:
The brand split. Company gets enterprise customers who ask why their vulnerabilities are being reported through HackerOne. Compliance team gets nervous about a third party seeing pre-disclosure findings. Switch forced.
The cost ceiling. Program scales to a point where platform fees are multiples of what triage would cost in-house or via a service. Often happens around 100+ valid reports per month. Switch becomes obvious.
The relationship loss. Top hunters stop submitting because of platform politics, disputes, takedowns, policy changes. Company realizes those hunters were finding their best bugs and the platform was making it harder to keep them. Switch is defensive.
When companies switch from self-hosted to managed
Two patterns, less common:
The volume drop. Program goes quiet. Reports stop coming. Company realizes the hunters they had were on platform pools all along and weren't going to discover a self-hosted program organically. Switch to get back in front of researchers.
The triage burnout. AppSec engineer who was doing triage on the side quits or moves teams. Nobody wants to take it over. Easier to outsource to a managed plan than rebuild the function.
What we recommend if you're at the fork
If you're already self-hosted, stay self-hosted unless one of the two "why people switch back" patterns above applies to you. The migration cost is usually higher than the platform fees you'd save.
If you're on a managed platform and considering moving, do it deliberately. Run both for a quarter (most platforms allow this). Migrate hunter-by-hunter for the relationships you care about. Don't turn off the managed program until your self-hosted version has caught up on volume.
If you haven't started yet and you're a small consumer-facing company, start managed. The platform's hunter pool is worth more than the brand control you'll give up.
If you're a regulated business, an enterprise SaaS, or anything where compliance has opinions about third parties, start self-hosted. The brand control compounds, and the triage capacity is hireable or outsourceable.
Whichever side you pick, independent triage works on both
A note on what we do, since it's relevant to this whole comparison: we triage and validate reports for bug bounty programs of every shape. Self-hosted or platform-hosted, private or public, on HackerOne, Bugcrowd, YesWeHack, or Bug Bounty Switzerland: the platform is just where the report originates. The work we do happens after.
That means two things for the choice above:
- Self-hosted programs can outsource triage to us instead of hiring a dedicated triager or burning their AppSec team's time.
- Platform-hosted programs can use us alongside the platform's built-in triage, typically for independent validation on highs and criticals before they hit your tracker, or to handle volume on self-serve plans where managed triage isn't included.
If you'd like a second opinion on which side of the fork you're on, or on whether independent validation is worth adding to whatever you've already got, that's what we do.