Security programs need to be aligned closely with the software development cycle, WhiteHat Security’s 2018 Application Security Statistics Report reveals. Software is reused 70 percent of the time and vulnerabilities in reused software persist in the new application. Penetration testing to detect and mitigate the risk of these vulnerabilities would be beneficial but difficult. However, a carefully managed bug bounty program can provide flexibility of scope that allows for testing on all of those applications so companies can get as close as possible to complete asset coverage. The Cybersecurity Law Report analyzes the results of the statistics report and discusses Visa’s experience using a private bug bounty program as covered in a recent webinar. See also “Proactive Steps to Prevent Legal Pitfalls in Bug Bounty Programs” (Apr. 5, 2017) and “How to Establish and Manage a Successful Bug Bounty Program” (Mar. 22, 2017).