SecPrep

Compare bug bounty, VDP, and penetration testing — when do you use each, and how do you run a bounty program?

A VDP (Vulnerability Disclosure Program) is a 'see something, say something' policy with a safe-harbor clause and a reporting channel — no payment; every org should have one. A bug bounty pays external researchers for valid findings — best once you have mature triage and remediation capacity, otherwise you'll drown in reports. A pentest is a time-boxed, scoped engagement by a known team, ideal for compliance, a specific high-risk release, or a deep assessment of one system. Running a bounty: start private/invite-only with a tight scope, define severity→payout tables and SLAs, staff triage to dedupe and validate quickly (slow triage kills researcher goodwill), and feed root causes back into guardrails. Bounties find breadth and edge cases; pentests find depth; neither replaces a secure SDLC.