Setting up a crowdsourced security program requires careful consideration of rewards, including determining suitable ranges for vulnerabilities against different target types, considering market rates, and establishing a budget. Bugcrowd's Vulnerability Rating Taxonomy (VRT) provides a standardized framework for rating vulnerability severity, making it easier to set consistent reward ranges across programs. The recommended starting reward ranges vary depending on the type of targets, with lower ranges suitable for untested web apps and higher ranges for well-hardened and sensitive systems. A moderate attack surface and some past security testing can help estimate the initial reward pool budget, which may need to be adjusted based on program performance. Ultimately, the key to a successful program is attracting the right hackers with attractive incentives, making it essential to balance rewards with business needs and security maturity.