Do you have a security@ email account?
Updated by Matt Wicks [SSW] 4 months ago.
When hackers or security researchers find a vulnerability in your system, they need a way to tell you. If you don't have a security@yourcompany.com address, they may give up, or go public before you have had a chance to fix the problem. Your `security@` inbox is your first line of defense. It helps with:

* Responsible disclosure from ethical hackers
* Bug bounty submissions
* Early warnings before a public leak

You don't need a full bug bounty program to start. Just set up the mailbox, publish it (e.g. in your [security.txt](https://securitytxt.org)), and monitor it. Make sure it is:

* Monitored by trusted staff (a shared mailbox or distribution list, not one person's inbox)
* Responded to quickly (aim for an acknowledgement within 48 hours)
* Part of your incident response process, so a real report is triaged like any other incident

<figureEmbed figureEmbed={{ preset: "badExample", figure: 'Bad example: No security@ exists. The researcher tweets the exploit. The company finds out via media. Damage is done.', shouldDisplay: true } } />

<figureEmbed figureEmbed={{ preset: "goodExample", figure: 'Good example: A security researcher finds a critical bug and emails security@. The team replies in 1 day, verifies the issue, patches it in a week, and thanks the reporter.', shouldDisplay: true } } />

<asideEmbed variant="info" body={<> Be aware of ["beg bounties"](https://www.troyhunt.com/beg-bounties/) – people who send low-risk or automated-scanner reports and demand money. You can politely thank them, or ignore them if it isn't a real issue. </>} figureEmbed={{ preset: "default", figure: 'XXX', shouldDisplay: false }} />

<asideEmbed variant="info" body={<> Want ethical hackers to help you? Add a [security.txt](https://securitytxt.org) file with your security contact information. Check out how we set up ours - https://github.com/SSWConsulting/securitytxt </>} figureEmbed={{ preset: "default", figure: 'XXX', shouldDisplay: false }} />