The goal of a bug bounty program is to improve application security by crowd sourcing vulnerability testing. Identified bugs should be resolved before they can be exploited by a malicious entity. By setting a well defined scope and terms for testing security researchers have a legally safe area to perform their research. Prior to public bug bounty programs security researchers might have faced legal action for reporting vulnerabilities.
Bug bounty programs can also be differentiated into public or closed programs. The common process is to start with a closed program. A number of selected and proven researchers will be invited to perform research for the defined scope. This should keep the initial number of reported vulnerabilities low, eliminating duplicates. The next step would be to open the program to the public.
Running a bug bounty program brings many risks and require a lot of resources. To support organization they can contract a partner to manage their bug bounty program. These service providers will also guide the organization through the difficult setup process. Some well known service providers are Hackerone, bugcrowd and Zerozopter.
Many companies have introduced a bug bounty program, including Mozilla, Google, Microsoft and many more. Furthermore, the Internet Bug Bounty Program (IBB) is sponsored by some large companies. The IBB covers software such as Python, Ruby, Nginx, Apache and extends to other.