Bug Bounty Platforms
HackerOne, Bugcrowd, Intigriti, YesWeHack — where to hunt and where to receive.
Bug bounty platforms broker between researchers and companies — handle scope, triage, payment, disclosure. The 2024–26 landscape: HackerOne and Bugcrowd dominate the US, Intigriti and YesWeHack are strong in EU, Immunefi owns web3, and platform-less direct-disclosure (security.txt) still matters. For your own bounty workflow see Bug-Bounty Recon Workflows. For training programs see Security Training Platforms. For pentest reporting see Pentest Reporting.
The big platforms — for hunters
- ★ ★ HackerOne — the largest; broadest set of public + private programs; pays via Hyperwallet / PayPal / Coinbase / wire. Free to participate.
- ★ Bugcrowd — major competitor; pays via PayPal / Payoneer / wire; "Researcher Levels" gating private invites. Free.
- ★ Intigriti — Belgium-based; growing fast; many EU programs; researcher-friendly UX. Free.
- ★ YesWeHack — France-based; many EU government and gov-adjacent programs; good triage. Free.
- Synack Red Team — vetted-researcher only; application required; paid hourly + bounties; private programs only.
- Hackrate (HUN) — newer EU platform.
- HackenProof — web3-leaning bug bounty + smart-contract.
- Bountti / IntigritiX / YesWeHackX — emerging niche programs.
- Open Bug Bounty — non-commercial; for finding XSS / misconfigs on any site, with limited scope; donation-based. Free.
Web3 / smart contracts
- ★ Immunefi — the dominant web3 platform; multi-six-figure (sometimes seven) bounties on DeFi protocols. Free.
- HackenProof Web3 / Code4rena (audit contests) — competitive audit / bounty hybrids.
- Cantina (Spearbit) — newer audit-marketplace.
- Sherlock — audit competitions for DeFi.
- HackerOne / Bugcrowd web3 programs — fewer but growing.
For companies — running a program
- HackerOne / Bugcrowd / Intigriti / YesWeHack all offer "managed program" tiers (paid).
- Self-managed direct disclosure:
/security.txt(RFC 9116) — see security.txt.security@yourdomain.commailbox + PGP key.- GitHub Security Advisories — for open-source projects; free.
- VDP (Vulnerability Disclosure Program) — non-paid disclosure.
- Crowdsource disclosure platforms — Federacy, Cobalt VDP.
Pentest-as-a-service (overlap)
- Cobalt — paid; pentest-as-a-service; integrates with Vanta / Drata. See Compliance (SOC 2 / ISO).
- Synack — same.
- HackerOne Pentest — bug-bounty-platform-style pentest.
Policies / reporting expectations
- Disclosure timelines: typical 90 days then public.
- Out-of-scope rules: every program defines them; read first.
- Duplicate handling: report quality, evidence, time matter.
- CVSS — most platforms use 3.1; HackerOne added 4.0 support 2024.
- Severity caps — many programs cap by domain / asset; check the brief.
What a great report looks like
- ★ Clear PoC —
curlreproduction or screen-recording. - Impact described in business terms, not "could lead to RCE if … if … and the moon."
- Affected scope listed with specific URLs.
- Mitigation suggestion — programs love when you do half the fix work.
- Severity assigned with CVSS — but expect their triage to re-score.
Bounty money realities
- Top hunters earn $300–800k/yr on platforms; that's a tiny minority.
- Most hunters earn $5–50k/yr if part-time and lucky.
- Many programs have $50–250 minimums, $5–25k highs.
- Web3 (Immunefi) skews extreme — million-dollar bounties exist on critical-impact bugs.
- Tax / payments — keep records; HackerOne issues 1099s for US hunters.
Companion resources
- Hackerone Hacktivity — public report archive; reading these is the best free training.
- Bugcrowd Crowdstream — same.
- Intigriti / YesWeHack public reports.
- Pentester Land's Bug Bounty Writeups — community aggregator.
- InfoSec Write-ups (Medium) — research blogs.
Pick this if…
- Most volume / largest program list: HackerOne.
- EU-heavy programs: Intigriti or YesWeHack.
- Crypto / DeFi only: Immunefi.
- Vetted-only / steady pay: Synack Red Team (apply).
- You're running a program first time: start with Bugcrowd-managed or HackerOne VDP.
- Just want a
security.txtmailbox: RFC 9116 + a PGP key.