Bug Bounty Programs: How Companies Pay Hackers to Find Vulnerabilities
Bug bounty programs pay ethical hackers to find security vulnerabilities before criminals do. Learn how they work, what researchers earn, and how programs are structured.
Hiring the Hackers Before the Criminals Do
In January 2019, a 14-year-old high-school student in Arizona discovered a critical Group FaceTime bug that let a caller hear audio from a recipient's iPhone before the call was answered, with no action by the recipient. He and his mother tried for more than a week to report it to Apple through ordinary support channels without success. Once the bug went viral on social media, Apple disabled Group FaceTime server-side within a day and shipped a fix in iOS 12.1.4 about ten days later. The incident highlighted a persistent challenge: how should organizations structure relationships with the external security researchers who find their vulnerabilities?
Bug bounty programs offer a structured answer. Companies formally invite independent security researchers to find and report vulnerabilities in their systems, promising payment — bounties — in exchange for responsible disclosure. The model converts a potential adversary into a paid collaborator and provides a legal pathway for researchers who would otherwise risk prosecution under computer fraud statutes.
Program Structures
Bug bounty programs exist along a spectrum from fully open public programs to tightly controlled private invitations.
| Program Type | Participants | Scope Control | Best For |
|---|---|---|---|
| Public program | Any registered researcher worldwide | Defined in public scope document | Mature security programs; broad coverage |
| Private / invite-only program | Curated list of vetted researchers | Same as public; researchers sign NDA | Pre-launch testing; immature programs building capacity |
| Managed / platform-hosted | Platform manages triage and researcher pool | Platform mediates scope disputes | Organizations without dedicated security teams |
| Vulnerability Disclosure Policy (VDP) | Any researcher | No payment; safe harbor guarantee only | Organizations starting to formalize disclosure process |
A Vulnerability Disclosure Policy (VDP) without monetary rewards is the first step for organizations not ready for a full bounty program. It provides researchers with explicit legal protection and submission instructions, reducing the probability that they will publicly disclose or sell the vulnerability instead of reporting it.
Major Platforms
Third-party platforms emerged to reduce the operational burden of running a program: triaging reports, communicating with researchers, managing payments, and verifying severity. HackerOne and Bugcrowd dominate the market, together hosting programs for thousands of organizations.
- HackerOne: Founded in 2012; hosts programs for the U.S. Department of Defense, Twitter (now X), Uber, Airbnb, and over 3,000 other organizations; reported passing $300 million in cumulative payouts to researchers in 2023
- Bugcrowd: Founded in 2011; strong focus on enterprise programs; hosts managed services for organizations that want platform-based triage and validation
- Intigriti: European-focused platform; GDPR-compliant workflows; growing presence among EU organizations
- Synack: Vetted, invitation-only researcher pool with security clearance requirements for government programs; a more controlled model
Severity Ratings and Payout Ranges
Vulnerabilities are rated by severity using frameworks such as the Common Vulnerability Scoring System (CVSS) or program-specific criteria. Most programs treat the CVSS base score as a starting point and adjust for real business impact: an IDOR that exposes one user's display name and one that exposes every customer's payment details can carry similar base scores but will not be paid the same. Payout scales vary dramatically by organization and severity; the ranges below are indicative, and only a handful of large programs reach the upper ends.
| Severity | CVSS Score Range | Typical Payout Range | Example Vulnerability Types |
|---|---|---|---|
| Critical | 9.0–10.0 | $10,000–$500,000+ | Remote code execution, authentication bypass, privilege escalation to admin |
| High | 7.0–8.9 | $2,500–$20,000 | SQL injection with data access, stored XSS, SSRF with internal access |
| Medium | 4.0–6.9 | $500–$5,000 | Reflected XSS, IDOR with limited data exposure, missing rate limiting |
| Low | 0.1–3.9 | $100–$1,000 | Open redirect, minor information disclosure, security misconfigurations |
Record payouts illustrate the upper bound: Google paid a single researcher $605,000 in 2022 for an Android exploit chain, the largest reward in that program's history at the time. Microsoft's Hyper-V bounty lists rewards of up to $250,000 for a critical hypervisor escape. Apple's Security Bounty program (distinct from its Security Research Device loan program) has listed rewards of up to $1 million for a zero-click kernel code execution chain with persistence.
Responsible Disclosure Rules
Bug bounty programs operate on a contract of responsible disclosure. Researchers agree to:
- Report vulnerabilities only through the program's official submission channel
- Avoid accessing, modifying, or exfiltrating user data beyond what is necessary to demonstrate the vulnerability
- Not disclose the vulnerability publicly until the organization has had a reasonable time to patch (typically 90 days, a norm popularized by Google Project Zero)
- Avoid disrupting production systems or services
In exchange, organizations grant researchers legal safe harbor: a contractual assurance that they will not pursue legal action under the Computer Fraud and Abuse Act (CFAA) or equivalent laws for testing that stays within the program's rules. The absence of clear safe harbor language has historically been a major deterrent to researchers reporting bugs to organizations without formal programs. In 2022 the U.S. Department of Justice revised its CFAA charging policy to say it would not prosecute good-faith security research, but that policy binds only federal prosecutors, not civil plaintiffs or state authorities, so a written program policy still matters.
The Economics of Bug Research
Top researchers — those in the top 1% of platforms like HackerOne — earn six-figure incomes from bug bounties alone. HackerOne's 2023 report noted that the top 25 researchers on the platform had each earned over $1 million in lifetime bounties. However, most researchers earn far less; the distribution is highly skewed toward top performers. The average payment per accepted vulnerability on HackerOne is approximately $979 for medium-severity issues.
The bug bounty economy also faces a competitive market for vulnerabilities: criminal markets (darknet exploit brokers), government intelligence agencies, and commercial exploit vendors (Zerodium) pay substantially more for zero-day exploits than most corporate bug bounty programs. Zerodium publicly advertised prices of up to $2.5 million for a full zero-click Android exploit chain with persistence and $2 million for the iOS equivalent, above the maximum of almost any corporate program at the time. Those buyers also purchase exclusivity and silence: a bug sold to a broker stays unpatched for as long as its buyer finds it useful. This creates an ongoing tension in the vulnerability market between ethical disclosure and lucrative alternative buyers.