Bug bounty programs – paying a researcher who has found a “bug” in a company’s system – can be effective at mitigating cybersecurity risk, but they must be implemented and managed carefully lest they be abused and backfire. Cassio Goldschmidt, vice president in Stroz Friedberg’s cyber resilience practice, spoke to the Cybersecurity Law Report about the steps to take to establish a bug bounty program, including the measures that should be in place prior to launching it, and how to best manage a successful program. See also “Tech Meets Legal Spotlight: What to Do When IT and Legal Slow the Retention of a Third-Party Vendor” (Nov. 30, 2016).