The IT skills gap has become a cybersecurity risk in its own right. As the security talent shortage increases, many organizations are considering alternatives to traditional hiring. Bug bounty programs offer formalized rewards for third-party disclosure of vulnerabilities. The success of such a program depends on its maturity level, including capacity planning and triage labor for disclosed vulnerabilities. For organizations with mismanaged vulnerability programs and poor triage processes, bug bounty programs could present a unique drain on resources. The right approach to these initiatives could help solve talent woes.

