When we launched the Genians Bug Bounty Program, we didn’t follow the usual path. No HackerOne. No Bugcrowd. We built and operated it ourselves. It was a deliberate choice rooted in the same philosophy that drives our flagship product Genian NAC (Network Access Control): visibility, verification, and measurable trust.
Why We Built It Ourselves
Running a self-hosted bug bounty program gives us two strategic advantages that matter deeply to our customers and researchers.
1. Stronger Brand Integrity and Researcher Relationships
We wanted direct interaction with security researchers without intermediaries. Every submission became a dialogue that helped us understand how our product behaves in the real world, not just how it was designed in the lab. Over time, this built a small but loyal community that values transparency over transaction.
2. Alignment with National and Industry Regulations
In Korea, bug bounty programs are operated mainly by the National Cyber Security Center (NCSC) and the Korea Internet & Security Agency (KISA). Building on these national disclosure frameworks, Genians runs its own in-house program, combining PatchDay with a proprietary submission portal to stay aligned with domestic compliance standards while encouraging participation from researchers worldwide.
The Challenges We Faced
Running a bounty program ourselves is demanding. We faced clear challenges:
- Limited Reach: Without a global researcher pool, early participation was slow.
- Heavy Triage Workload: Each report required manual verification before we built automation.
- Researcher Verification: Balancing anonymity with accountability was complex.
- Transparency Risk: With no built-in leaderboard, we had to earn credibility through openness.
Each of these challenges became a catalyst for improvement. We tracked submission metrics, published results, and set clear SLAs such as first response within three business days and triage within 30–60. Every process improvement came from real feedback, not from policy documents.
From Product Security to Service Experience
The program started as a technical initiative but evolved into a service experience project. Through hundreds of reports (546 submissions, 105 valid findings, and over $32K awarded), we learned that a bug bounty is not only about vulnerabilities. It is about how researchers experience your product.
That insight expanded our scope:
- We opened a live demo environment for Genian NAC so researchers can safely explore and reproduce issues.
- We redesigned our documentation and submission forms to reduce friction.
- We improved collaboration between the Genians Security Center (GSC) and product teams so findings directly feed into measurable product and usability improvements.
Each step blurred the line between security engineering and user experience design.
What We’ve Learned
Running our own bug bounty program taught us that real security is built on ownership, transparency, and continuous learning.
- A self-run bounty program builds organizational maturity. It forces collaboration across product, compliance, and customer success.
- Transparency is earned, not outsourced. Publishing real metrics and showing how reports influence our roadmap builds more trust than outsourcing to a third party.
- A product is secure only when it is testable. Providing safe environments for Genian NAC researchers turned the program into a true feedback engine.
Moving Forward
We will continue to operate our bug bounty program the same way we build our products: with measurable progress and practical trust.
With Genian NAC, CSM (Cloud Security Manager), and Device Platform Intelligence (DPI) already working together, the next phase focuses on refining how these services enhance the overall customer journey, making vulnerability insights more actionable, experiences more seamless, and security outcomes more measurable.
Running our own program has never been the easiest path, but it continues to shape Genians into a measurable security service platform that treats every vulnerability as an opportunity to strengthen trust and every customer journey as part of continuous improvement.