Bug bounty programs that use crowdsourcing methods can help companies identify vulnerabilities that their internal teams may not catch. These programs, however, can also open companies up to a range of legal and business risks, such as publicly exposing user problems and other flaws identified by researchers before they are fixed. Michael Yaeger, special counsel at Schulte Roth & Zabel, spoke to the Cybersecurity Law Report about how companies can develop programs to minimize those risks, including setting clear terms covering issues such as confidentiality, payments, unauthorized actions and scope. We provide specific examples of program terms to illustrate Yaeger’s advice. See also “How to Establish and Manage a Successful Bug Bounty Program” (Mar. 22, 2017).