Bug bounties are a great way to find security bugs that are difficult to find via traditional means, like business logic bugs, and create a safety net to complement the rest of your security program. But is your company ready for one? This talk looks at the Slack bug bounty program, active since 2014, and what it takes to have a successful program. Beyond just fixing the bugs, there can be bug triage, public relations, and legal work to do. There are different ways of paying researchers in reputation, swag, or money. We'll also discuss the pros and cons of public and private programs and how to decide between them. We'll cover using scope definition and bounty policies, and managing relationships both with engineering teams and the researcher community. We'll also talk about the impact of bug disclosures on customer trust. If you're looking at starting a bounty program or taking yours to the next level, this session is for you.