What is Bug Bounty?

Bug bounty programs are private or open programs in which independent security researchers participate to detect bugs in organizations' products and raise their security level. Security researchers can earn fees and rewards by reporting the vulnerabilities, weaknesses or exploitable bugs they find within the scope of the program. These programs usually cover security vulnerabilities, but sometimes they also include hardware defects, process problems and similar issues.

Bug bounty programs are either private, joined by invitation only, or public, where anyone can register and participate. Some programs run within a fixed time frame, but most have no end date.

Many large organizations use bug bounty programs as part of their security programs. AOL, Facebook, Android, Apple and Digital Ocean are examples of such companies.

There are also bug bounty program providers such as Bugcrowd and HackerOne. Through these platforms, companies can open bug bounty programs for their own products and expose them to security testing by many security researchers around the world. You can see the open bug bounty programs on the Bugcrowd and HackerOne platforms.

Let's talk about the details of these programs. Firms clearly state the target systems or products that are within the scope of the program. They can also specify targets and systems that are out of scope, and they explain the rules of the program. Over time, this scope information and the program rules may change, so it is necessary to follow these changes through the notification channels of the bug bounty program. For example, if you detect a vulnerability in an out-of-scope system or website of the company that owns the program, you will not receive any reward when you report it. If you follow the notifications, the system or website you have identified may later come into scope, and you will be the first to submit the vulnerability you found.

The rewards also deserve a mention. If two different people detect the same vulnerability, weakness or exploitable bug, the first sender receives the reward. The second sender is usually not rewarded, although sometimes small rewards are sent for motivation. In this respect, too, it is important to follow the notifications.

The rewards for each bug bounty program may also differ. Some companies give cash prizes, while others may only give promotional products (swag) carrying the company logo or slogan, such as t-shirts, hats and bags. Some companies only publish the names of security researchers in a hall of fame. There are also companies that combine several of these.