What is a Bug Bounty Program?

A policy inviting security researchers to report vulnerabilities in exchange for recognition or monetary reward.

Full explanation

A bug bounty program defines its scope (which assets are in scope), its rules (what testing is allowed), its rewards (a payout table by severity), and a safe-harbor statement giving legal protection to researchers who act in good faith. Programs are hosted on platforms such as HackerOne, Bugcrowd and Intigriti, or are self-hosted. Mature programs typically start invite-only and scale up to public.

Example

GitHub's Security Bug Bounty program, hosted on HackerOne, paid researchers $1.1M+ in 2023 for vulnerabilities reported in good faith under its published rules.

FAQ

Can small companies run bug bounty programs?

Yes. Start invite-only with a small researcher group and a published safe-harbor policy. Scale as your budget and response capacity grow.