Bug Bounty
Definition
A bug bounty programme invites ethical hackers to find vulnerabilities in exchange for financial rewards. It is a proactive way to discover security weaknesses before attackers do.
A bug bounty programme invites ethical hackers and security researchers to find vulnerabilities in an organisation's systems in exchange for financial rewards. Major technology companies collectively pay over $100 million annually in bug bounty rewards.
How does a bug bounty programme work?
The programme defines clear rules: which systems are in scope, which vulnerability types are rewarded, what reward amounts apply per severity (typically $100-$250,000), how to report, and what conduct is expected of researchers. Platforms like HackerOne, Bugcrowd and Intigriti facilitate programmes with standardised processes for submission, triage and payout.
Difference from penetration testing
A pentest is a planned, time-bound test by a specific team with a defined scope. A bug bounty is ongoing, open to many researchers and pays only for results. The two are complementary.
Impact on organisations
Bug bounty programmes are a cost-effective supplement to internal security testing, since organisations pay only for vulnerabilities that are actually found. The EU Cyber Resilience Act (CRA) encourages structured vulnerability handling, and a bug bounty programme fits well into such a process.
Protection
Start with a private programme before going public. Define clear scope and reward structure. Ensure rapid triage and communication. Combine with regular pentests.
How DEFION helps
DEFION delivers pentests that provide the systematic depth complementing bug bounty programmes.