Definition
Plain language
A cash reward a company offers to anyone who finds and responsibly reports a security flaw in its software.
As stated in the literature
A vulnerability-disclosure incentive program paying researchers for responsibly reported security flaws, scaled by severity; the channel through which the slyp-discovered Windows COM race conditions were rewarded by Microsoft.
Also called: bug bounties
Why it matters: It gives skilled outsiders a legal, paid reason to report flaws instead of selling or exploiting them, helping companies fix problems before they are abused.
For example, a researcher who discovers a flaw that lets attackers read other users' messages can report it through the company's bug bounty program and receive a cash reward.
Heard on the show
“Think of a bug bounty where a claimed exploit only pays out after someone reproduces it on a live system.”Episode 202 — How Do You Know an AI Agent Actually Refused? Check the World, Not the Words