Bug Bounty Program
What is Bug Bounty Program?
A formal initiative through which an organisation invites external researchers to report security vulnerabilities and pays rewards based on impact.
A bug bounty program turns crowd-sourced security testing into a controlled process. The organisation publishes scope, rules of engagement, exclusions, and reward tiers, then receives reports from independent researchers via its own platform or a triage provider such as HackerOne, Bugcrowd, or Intigriti. Findings are validated, reproduced, prioritised, and remediated, with payouts tied to severity (often based on CVSS). Programs may be public or private (invitation-only) and complement, but do not replace, internal AppSec, SAST/DAST tooling, and penetration tests. A safe-harbour legal statement is essential so good-faith researchers are not pursued under anti-hacking laws.
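The scope, exclusions and severity-to-payout steps above are where most triage disputes arise, so here is a small triage helper as an added example (not code from the original page or from any bounty platform). The CVSS qualitative bands are the ones published in the FIRST CVSS v3.x specification; the program scope, the exclusion list, the reward table and the sample reports are constructed for illustration and are assumptions, not any real program's terms.

```python
"""Added example: scope check and severity-to-reward mapping for bug bounty triage.
Scope, exclusions, reward table and sample reports below are constructed for
illustration (assumptions), not a real program's published terms."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple

# Qualitative severity bands from the FIRST CVSS v3.x specification.
CVSS_BANDS = (
    (0.0, 0.0, "none"),
    (0.1, 3.9, "low"),
    (4.0, 6.9, "medium"),
    (7.0, 8.9, "high"),
    (9.0, 10.0, "critical"),
)

# Hypothetical reward tiers in USD, keyed by severity band (assumption).
REWARD_TABLE = {"none": 0, "low": 150, "medium": 500, "high": 2500, "critical": 10000}


@dataclass(frozen=True)
class Scope:
    in_scope: Tuple[str, ...]    # glob patterns, e.g. "*.example.com"
    exclusions: Tuple[str, ...]  # narrower globs that override in_scope

    def contains(self, host: str) -> bool:
        """Exclusions win: a host matched by any exclusion is out of scope even
        when a broader in-scope wildcard also matches it. Note that fnmatch's
        '*' matches dots, so '*.example.com' covers 'a.b.example.com' but not
        the apex 'example.com', which must be listed separately."""
        host = host.lower().rstrip(".")
        if any(fnmatchcase(host, pat) for pat in self.exclusions):
            return False
        return any(fnmatchcase(host, pat) for pat in self.in_scope)


def severity_band(score: float) -> str:
    """Map a CVSS base score to its qualitative band; scores are rounded to one
    decimal as the specification does, so every value in [0, 10] lands in a band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    score = round(score, 1)
    for low, high, band in CVSS_BANDS:
        if low <= score <= high:
            return band
    raise ValueError(f"no band for score {score}")  # unreachable after rounding


@dataclass(frozen=True)
class Report:
    report_id: str
    host: str
    cvss: float


@dataclass(frozen=True)
class TriageDecision:
    report_id: str
    in_scope: bool
    severity: str
    reward_usd: int
    note: str


def triage(report: Report, scope: Scope) -> TriageDecision:
    """Out-of-scope assets earn nothing regardless of severity; in-scope reports
    are banded and priced, then still need validation and reproduction."""
    if not scope.contains(report.host):
        return TriageDecision(report.report_id, False, "n/a", 0,
                              "asset out of scope; close as informative, no reward")
    band = severity_band(report.cvss)
    return TriageDecision(report.report_id, True, band, REWARD_TABLE[band],
                          "validate and reproduce, then pay per published tier")


# Constructed program terms and sample submissions (assumptions).
PROGRAM_SCOPE = Scope(
    in_scope=("example.com", "*.example.com", "api.example.net"),
    exclusions=("blog.example.com", "*.staging.example.com"),
)
SAMPLE_REPORTS = [
    Report("R-1", "app.example.com", 8.8),            # in scope, high
    Report("R-2", "blog.example.com", 9.8),           # excluded despite critical score
    Report("R-3", "dev.staging.example.com", 5.0),    # excluded by wildcard exclusion
    Report("R-4", "api.example.net", 3.1),            # in scope, low
]


def run_triage(reports: List[Report] = SAMPLE_REPORTS,
               scope: Scope = PROGRAM_SCOPE) -> List[TriageDecision]:
    return [triage(r, scope) for r in reports]


if __name__ == "__main__":
    for d in run_triage():
        print(f"{d.report_id}: in_scope={d.in_scope} severity={d.severity} "
              f"reward=${d.reward_usd} ({d.note})")
```

The ordering matters: exclusions are evaluated before the in-scope wildcards, so a critical finding on an excluded host (R-2) is still closed without payout, which is exactly the rule a program's published exclusions are meant to make unambiguous.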
● Examples
- 01
Google Vulnerability Reward Program, Microsoft Bug Bounty, Apple Security Bounty.
- 02
A SaaS vendor running a private invitation-only program on HackerOne with payouts from $500 to $50,000.
● Frequently asked questions
What is Bug Bounty Program?
A formal initiative through which an organisation invites external researchers to report security vulnerabilities and pays rewards based on impact. It belongs to the Attacks & Threats category of cybersecurity.
What does Bug Bounty Program mean?
A formal initiative through which an organisation invites external researchers to report security vulnerabilities and pays rewards based on impact.
How does Bug Bounty Program work?
The organisation publishes scope, rules of engagement, exclusions and reward tiers; independent researchers submit reports directly or through a triage platform such as HackerOne, Bugcrowd or Intigriti; the program team validates, reproduces, prioritises and remediates each finding and pays according to severity, often mapped from a CVSS rating. Programs may be public or private (invitation-only). They complement rather than replace internal AppSec, SAST/DAST tooling and penetration tests, and a safe-harbour statement protects good-faith researchers from prosecution under anti-hacking laws.
How do you defend against Bug Bounty Program?
A bug bounty program is itself a defensive control, not a threat, so there is nothing to defend against. What an organisation manages are the risks of running one: out-of-scope or disruptive testing, duplicate or low-quality reports, and disputes over disclosure or payout. These are addressed by the published scope, rules of engagement, exclusions, a consistent triage and severity process, and a safe-harbour statement.
What are other names for Bug Bounty Program?
Common alternative names include: Vulnerability Reward Program, VRP.
● Related terms
- attacks, № 221
Coordinated Vulnerability Disclosure (CVD)
A process in which a vulnerability finder, the affected vendor, and sometimes a coordinator agree on a timeline before publicly disclosing security flaws.
- roles, № 132
Bug Bounty Hunter
An independent security researcher who finds and reports vulnerabilities to vendors through bug-bounty or coordinated-disclosure programs, in exchange for monetary rewards and recognition.
- defense-ops, № 813
Penetration Testing
An authorized, simulated cyberattack against systems, applications, or people to identify exploitable weaknesses before real adversaries do.
- vulnerabilities, № 1216
Vulnerability
A weakness in a system, application, or process that an attacker can exploit to violate confidentiality, integrity, or availability.
- vulnerabilities, № 261
CVSS (Common Vulnerability Scoring System)
An open framework, maintained by FIRST, that produces a 0–10 severity score for a vulnerability based on its exploitation characteristics and impact.
- defense-ops, № 1217
Vulnerability Assessment
A systematic review of an environment to identify, classify, and prioritize security weaknesses, typically without active exploitation.
● See also
- № 1234 White Hat Hacker
- № 451 Grey Hat Hacker
- № 390 Ethical Hacker