When we launched the Genians Bug Bounty Program, we didn’t follow the usual path. No HackerOne. No Bugcrowd. We built and operated it ourselves. It was a deliberate choice rooted in the same philosophy that drives our flagship product Genian NAC (Network Access Control): visibility, verification, and measurable trust.
Why We Built It Ourselves
Running a self-hosted bug bounty program gives us two strategic advantages that matter deeply to our customers and researchers.
1. Stronger Brand Integrity and Researcher Relationships
We wanted direct interaction with security researchers without intermediaries. Every submission became a dialogue that helped us understand how our product behaves in the real world, not just how it was designed in the lab. Over time, this built a small but loyal community that values transparency over transaction.
2. Alignment with National and Industry Regulations
Operating under Korean security disclosure frameworks (the National Cyber Security Center (NCSC) and the Korea Internet & Security Agency) allows us to stay aligned with local compliance standards while still welcoming global contributors. This dual structure, using both PatchDay and our own submission portal, gives us flexibility that global platforms rarely offer.
The Challenges We Faced
Self-running a bounty program is demanding, and we faced clear challenges:
- Limited Reach: Without a global researcher pool, early participation was slow.
- Heavy Triage Workload: Each report required manual verification before we built automation.
- Researcher Verification: Balancing anonymity with accountability was complex.
- Transparency Risk: With no built-in leaderboard, we had to earn credibility through openness.
Each of these challenges became a catalyst for improvement. We tracked submission metrics, published results, and set clear SLAs, such as a first response within three business days and triage within 30–60. Every process improvement came from real feedback, not from policy documents.
From Product Security to Service Experience
The program started as a technical initiative but evolved into a service experience project. Through hundreds of reports (546 submissions, 105 valid findings, and over $32K awarded), we learned that bug bounty is not only about vulnerabilities. It is about how researchers experience your product.
That insight expanded our scope:
- We opened a live demo environment for Genian NAC so researchers can safely explore and reproduce issues.
- We redesigned our documentation and submission forms to reduce friction.
- We improved collaboration between the Genians Security Center (GSC) and product teams so findings directly feed into measurable product and usability improvements.
Each step blurred the line between security engineering and user experience design.
What We’ve Learned
- A self-run bounty program builds organizational maturity. It forces collaboration across product, compliance, and customer success.
- Transparency is earned, not outsourced. Publishing real metrics and showing how reports influence our roadmap builds more trust than outsourcing to a third party.
- A product is secure only when it is testable. Providing safe environments for Genian NAC researchers turned the program into a true feedback engine.
Moving Forward
We will continue to operate our bug bounty program the same way we build our products: with measurable progress and practical trust. The next phase will integrate Genian NAC, CSM (Cloud Service Manager), and Device Platform Intelligence (DPI) so that vulnerability insights become proactive, data-driven product enhancements.
Running our own program is not the easiest path. But it keeps Genians evolving from a security product company into a measurable security service platform that values every step of the customer journey.
Learn more: https://www.genians.co.kr/bug-bounty