A bug bounty program, also called a hacker bounty program or vulnerability rewards program (VRP), is a crowdsourcing initiative that rewards individuals for finding a software bug and reporting it to the organization offering a monetary reward.
Many software vendors and web sites run bug bounty programs, often paying out cash rewards to software security researchers and white hat hackers for discovering and reporting software vulnerabilities that could be exploited. Bug reports must document enough information for for the organization offering the bounty to be able to reproduce the vulnerability. Bug bounty programs are often initiated to supplement internal code audits and penetration tests as part of a vulnerability management strategy.
Most companies offer bounties on a sliding scale based on the size of the organization and how much impact on users a bug might have. For example, Mozilla pays out a $3,000 flat rate bounty for bugs that fit its criteria, while Facebook has given out as much as $20,000 for a single bug report. Google paid Chrome operating system bug reporters a combined $700,000 in 2012 and in one of the biggest recent bounties, Microsoft paid UK researcher James Forshaw $100,000 for an attack vulnerability in Windows 8.1.