
10 Years of Bug Bounty: Lessons in Building a Strong Security Culture

Dashlane CTO Frederic Rivain shares the evolution of Dashlane’s bug bounty program, how to join, and what to keep in mind if you’re starting your own.

This year marks a decade since Dashlane launched its bug bounty program with HackerOne. Over the years, our program has evolved into a foundational piece of our security strategy, helping us identify and resolve vulnerabilities in collaboration with some of the world’s best ethical hackers. It’s been a rewarding journey—and one filled with valuable lessons.

As more companies move toward Secure by Design principles and a culture of continuous improvement, I want to share some of the key insights we've gained at Dashlane. Whether you're considering launching a bug bounty program or looking to improve an existing one, I hope our experience can help you scale it effectively.

What is a bug bounty program?

Before we dive into the lessons, let me summarize what a bug bounty is and give you a bit of context about Dashlane’s program.

A bug bounty program allows organizations to enlist the help of ethical hackers and security researchers to identify vulnerabilities and security exploits within their products. These ethical hackers are rewarded with bounties (monetary compensation) commensurate with the severity of the discovered issues.

They specialize in uncovering security flaws and responsibly disclose these bugs to organizations, providing an opportunity to enhance product quality and security. Responsible disclosure ensures that organizations are informed of security issues promptly and privately so they can then address them before they are exploited or publicly disclosed.

Dashlane's bug bounty program was initiated privately in 2015 and made public in 2017 via HackerOne. Our program offers bounties ranging from $200 for low-severity issues to $5,000 for critical ones. To date, Dashlane has resolved almost 400 reports, paid more than $120,000 in bounties, and collaborated with 500+ researchers. 

Screenshot of Dashlane’s bug bounty program statistics on HackerOne.com. Dashlane’s average time to first response is 20 hours, average time to triage is 2 days and 15 hours, average time to bounty is 9 hours, average time from submission to bounty is 3 days, and average time to resolution is 3 weeks and 6 days.

Lessons learned

1. Crawl before you run: Ramp up thoughtfully

The first thing to understand is that a bug bounty program is not a "set it and forget it" solution. It’s a process that requires preparation and maturity.

At Dashlane, we started with a private bug bounty program by inviting select researchers on HackerOne. This gave us a safe space to test our triage and remediation processes and ramp up without being overwhelmed by too many reports at the same time.

Only when we were confident in our ability to respond quickly and effectively to vulnerabilities did we go public.

If you're just starting out, don’t jump into a public program immediately. Start small. Build the muscle. Make sure you can handle the incoming reports efficiently and that your internal teams are prepared to fix issues in a timely manner.

2. Make security a team sport

A bug bounty program isn’t just for the security team. It’s for the whole product & engineering organization.

At Dashlane, we make it a point to involve all engineers in vulnerability response and analysis. This is critical to addressing vulnerabilities effectively and in a timely manner. Each security report is an opportunity to collaborate, learn, improve, and embed secure coding practices deeper into our development culture.

By integrating bug bounty triage into our regular development workflows, we’ve helped engineers take ownership of product security. It also improves the quality and speed of our fixes—because who better to resolve a vulnerability than the person who built the feature?

We also use root cause analyses to share learnings across teams, making sure the same issue doesn’t pop up elsewhere in the product.

3. Speed is everything

One of the most important metrics in any bug bounty program is response time. The faster you acknowledge and address a report, the better the relationship with the ethical hacker community and the lower your exposure window.

We’ve worked hard to keep our response and triage time under 24 hours, with our current average time to first response being 20 hours. Fast response builds trust with researchers and shows that we value their time and contribution. We also strive to pay bounties for valid reports as soon as we can (an average of three days at the time of writing this article).

But response time isn’t just about triage—it’s about how quickly you can roll out a fix. That’s where our security and engineering processes matter. Our ability to ship fixes quickly and securely is what’s critical for our customers.

4. Keep it transparent and rewarding

Security researchers are motivated by impact and respect, not just bounties.

That’s why we take the time to thank them personally, credit them in our Hall of Fame, and share how their work helps improve our product. We also review our bounty amounts regularly to ensure they reflect the effort and severity of each report.

Screenshot of the usernames, profile pictures, and reputation points for the five security researchers for Dashlane’s bug bounty program with the highest reputation points, according to HackerOne. Points range from 1,046 to 364.

Being transparent in our program scope, response process, and payout structure has helped us build a strong relationship with the ethical hacking community. Many of our top researchers have been with us for years, and we treat them as trusted partners.

If you are starting your own program, try to be as detailed and clear as possible on the scope of your program. This will facilitate discussion with researchers and help build a strong relationship. In addition, your disclosure policy matters: researchers may want to publish their findings. Make sure to provide guidelines to clarify how you want disclosure to happen for your company.

5. Celebrate the wins and the people behind them

This 10-year milestone is a moment of pride for our team and a testament to what can happen when you build security into your culture.

We’ve received over 1,000 reports and resolved hundreds of valid vulnerabilities that could have impacted millions of users. More importantly, we’ve built an internal culture in which engineers care deeply about secure design and an external network of researchers who challenge us to do better every day.

Final thoughts

A successful bug bounty program is about more than finding bugs—it’s about building a culture of openness, agility, and continuous improvement. Involving your engineers, optimizing your response processes, and rewarding your researchers are all key ingredients.

Bug bounties should complement your other security measures, including internal code reviews and automated tools, reinforcing your commitment to safeguarding user data and keeping your customers safe.

To the security researchers who’ve worked with us over the past 10 years: Thank you. You’ve made Dashlane stronger.

We’re always looking for more researchers to look at our product and make it even stronger, so consider joining our bug bounty program!

And to those organizations just starting your bug bounty journey: Take it step by step, involve your whole team, and always keep learning.

Here’s to another decade of building safer software—together.
