Tooling

Bug Bounty Platforms

HackerOne, Bugcrowd, Intigriti, YesWeHack — where to hunt and where to receive.

Bug bounty platforms broker between researchers and companies — handle scope, triage, payment, disclosure. The 2024–26 landscape: HackerOne and Bugcrowd dominate the US, Intigriti and YesWeHack are strong in EU, Immunefi owns web3, and platform-less direct-disclosure (security.txt) still matters. For your own bounty workflow see Bug-Bounty Recon Workflows. For training programs see Security Training Platforms. For pentest reporting see Pentest Reporting.

The big platforms — for hunters

  • ★ ★ HackerOne — the largest; broadest set of public + private programs; pays via Hyperwallet / PayPal / Coinbase / wire. Free to participate.
  • Bugcrowd — major competitor; pays via PayPal / Payoneer / wire; "Researcher Levels" gating private invites. Free.
  • Intigriti — Belgium-based; growing fast; many EU programs; researcher-friendly UX. Free.
  • YesWeHack — France-based; many EU government and gov-adjacent programs; good triage. Free.
  • Synack Red Team — vetted-researcher only; application required; paid hourly + bounties; private programs only.
  • Hackrate (HUN) — newer EU platform.
  • HackenProof — web3-leaning bug bounty + smart-contract.
  • Bountti / IntigritiX / YesWeHackX — emerging niche programs.
  • Open Bug Bounty — non-commercial; for finding XSS / misconfigs on any site, with limited scope; donation-based. Free.

Web3 / smart contracts

  • Immunefi — the dominant web3 platform; multi-six-figure (sometimes seven) bounties on DeFi protocols. Free.
  • HackenProof Web3 / Code4rena (audit contests) — competitive audit / bounty hybrids.
  • Cantina (Spearbit) — newer audit-marketplace.
  • Sherlock — audit competitions for DeFi.
  • HackerOne / Bugcrowd web3 programs — fewer but growing.

For companies — running a program

  • HackerOne / Bugcrowd / Intigriti / YesWeHack all offer "managed program" tiers (paid).
  • Self-managed direct disclosure:
    • /security.txt (RFC 9116) — see security.txt.
    • security@yourdomain.com mailbox + PGP key.
    • GitHub Security Advisories — for open-source projects; free.
    • VDP (Vulnerability Disclosure Program) — non-paid disclosure.
  • Crowdsource disclosure platforms — Federacy, Cobalt VDP.

Pentest-as-a-service (overlap)

  • Cobalt — paid; pentest-as-a-service; integrates with Vanta / Drata. See Compliance (SOC 2 / ISO).
  • Synack — same.
  • HackerOne Pentest — bug-bounty-platform-style pentest.

Policies / reporting expectations

  • Disclosure timelines: typical 90 days then public.
  • Out-of-scope rules: every program defines them; read first.
  • Duplicate handling: report quality, evidence, time matter.
  • CVSS — most platforms use 3.1; HackerOne added 4.0 support 2024.
  • Severity caps — many programs cap by domain / asset; check the brief.

What a great report looks like

  • Clear PoCcurl reproduction or screen-recording.
  • Impact described in business terms, not "could lead to RCE if … if … and the moon."
  • Affected scope listed with specific URLs.
  • Mitigation suggestion — programs love when you do half the fix work.
  • Severity assigned with CVSS — but expect their triage to re-score.

Bounty money realities

  • Top hunters earn $300–800k/yr on platforms; that's a tiny minority.
  • Most hunters earn $5–50k/yr if part-time and lucky.
  • Many programs have $50–250 minimums, $5–25k highs.
  • Web3 (Immunefi) skews extreme — million-dollar bounties exist on critical-impact bugs.
  • Tax / payments — keep records; HackerOne issues 1099s for US hunters.

Companion resources

  • Hackerone Hacktivity — public report archive; reading these is the best free training.
  • Bugcrowd Crowdstream — same.
  • Intigriti / YesWeHack public reports.
  • Pentester Land's Bug Bounty Writeups — community aggregator.
  • InfoSec Write-ups (Medium) — research blogs.

Pick this if…

  • Most volume / largest program list: HackerOne.
  • EU-heavy programs: Intigriti or YesWeHack.
  • Crypto / DeFi only: Immunefi.
  • Vetted-only / steady pay: Synack Red Team (apply).
  • You're running a program first time: start with Bugcrowd-managed or HackerOne VDP.
  • Just want a security.txt mailbox: RFC 9116 + a PGP key.

On this page