The Growing Trend

At HackerOne, we’ve observed a notable increase in companies mentioning their bug bounty programs in S-1 filings. Some of the prominent names that have included this information are:

Asana
Backblaze
Bill.com
ContextLogic
Cvent
Doximity
Turo
GitLab
GoodRx
Outbrain
Roblox
Samsara

“We included our HackerOne bug bounty program as part of our S1-filing to demonstrate our stance on security. Compliance and attestation reports only go so far, and having a dedicated bug bounty program is very valuable for catching vulnerabilities early, which was worth highlighting in our S1.”
— Jey Balachandran, Chief Technology Officer, Doximity

This list represents a diverse range of industries, from tech and healthcare to finance and travel, indicating that bug bounty programs are becoming a cross-sector security standard.

Why Include Bug Bounty in S-1 Filings

The inclusion of bug bounty programs in S-1 filings is more than just a footnote; it’s a clear message to investors and the public about an organization’s commitment to cybersecurity. It emphasizes that the organization is invested in:

Transparency: By disclosing their bug bounty efforts, organizations demonstrate transparency about their security practices.
Proactive Approach: It shows that these organizations are taking proactive steps to identify and address potential vulnerabilities.
Community Engagement: Bug bounty programs indicate a willingness to engage with the broader security community, leveraging collective expertise.
Risk Management: For investors, this information provides insight into how an organization manages cybersecurity risks.

The Future of Bug Bounty Programs in Corporate Disclosures

We expect this trend to continue and even accelerate in the coming years. As cyber threats evolve and become more sophisticated — and investors place greater emphasis on proactive security engagements — organizations will need to showcase their security initiatives in their corporate disclosures.

Governing agencies also play a significant role in the requirements regarding corporate disclosure. As regulators become more attuned to cybersecurity risks and put stricter standards in place for compliance, disclosing such programs may become not just a nice-to-have but a requirement in S-1 filings and other corporate communications.

A Sign of Serious Security Commitment

By including your bug bounty program in your S-1 filing, your organization demonstrates you take security seriously — the security of your investors, customers, employees, and partners. Signal to every involved party that your organization is:

Invested in cutting-edge security practices
Open to external scrutiny and improvement
Committed to ongoing security enhancements
Aligned with industry best practices

In conclusion, the growing trend of organizations mentioning their bug bounty programs in S-1 filings represents a significant shift in corporate security culture. As this trend continues, we expect to see bug bounty programs become an integral part of how companies communicate their security posture to the world. If you’re interested in incorporating bug bounty into your upcoming corporate filing, learn more about bug bounty programs with HackerOne.