How bug bounty actually works
Programs, scope, severity, and the mindset that separates people who get paid from people who get burned out.
Bug bounty is authorised hacking: companies publish a program (on a platform such as HackerOne, Bugcrowd or Intigriti, or self-hosted and advertised through their own security.txt file) inviting researchers to find flaws in defined targets, in exchange for recognition and money.
Scope is law. Testing anything outside a program’s in-scope assets is unauthorised access — illegal, and it gets you banned. Read the policy fully before you send a single request.
The economics nobody tells beginners
- Severity ≠ payout. A medium-severity bug on a payment/auth system often pays more than a high on a forgotten subdomain.
- Duplicates are the norm. Popular programs are picked over — go deep on logic and chained bugs, not just scanners.
- One excellent, well-proven report beats ten noisy ones. Triagers remember both.
What makes a report get paid
- A clear, reproducible proof of concept — exact requests, not just a screenshot.
- A concrete impact narrative: the realistic worst case, not “an attacker could…”.
- Honest severity with a CVSS vector you can defend.
The Web Security path teaches the bugs; this path teaches how to find them at scale and turn them into reports that pay.