Bug bounty programs reward security researchers for responsibly reporting vulnerabilities within a defined scope. When run with clear rules and responsive triage, they complement audits by incentivising ongoing review after deployment, when the code is live and exposed to real adversaries.

How programs typically work

  • Project publishes scope: contracts, domains, and out-of-scope areas
  • Researchers report findings through a designated platform or email
  • Triage team validates impact, severity, and reproducibility
  • Rewards are paid per policy after fix verification—timelines vary

Platforms commonly used in crypto

  • Immunefi — DeFi-focused bounties with tiered severity payouts
  • HackerOne / Bugcrowd — Broader tech programs including exchange infrastructure
  • Code4rena / Sherlock — Competitive audit and review contests
  • In-house programs — Direct disclosure pages in the project's own documentation, with a contact address and policy

Safe participation boundaries

Only test systems explicitly listed in scope. Do not probe production systems without authorisation, do not access or exfiltrate user data beyond the minimum needed to demonstrate impact, and do not publicly disclose before coordinated remediation. Follow each program's disclosure timeline and communication rules; testing outside scope or outside those rules generally forfeits any safe-harbour protection the program offers.

For project teams launching bounties

  • Define clear scope, severity rubrics, and response SLAs
  • Staff triage with engineers who can reproduce and patch findings
  • Publish remediation status and thank researchers appropriately
  • Combine bounties with audits—not as a replacement for pre-launch review