A bug bounty is a reward offered by the owners of a website, software company, or other business to outside individuals in return for finding and reporting bugs in a system. Companies offer these rewards to incentivize ethical white-hat hackers to identify security holes before criminal hackers do. Rewards are usually a mix of financial compensation and professional recognition for the hacker.
While most software companies employ their own in-house security researchers to find and resolve possible security holes, an outside perspective is always valuable. A zero-day exploit discovered and used by a black-hat hacker can cause a company significant financial loss, a public relations fiasco, or even legal liability. The bounty paid to a hacker to identify a potential security problem is often money well spent.
The amount of money offered per bug varies, depending on the company offering the bounty and the expected impact of the identified bug. Small bounties are often a few hundred dollars, while more impactful bugs can fetch tens or even hundreds of thousands of dollars. The largest bug bounties, offered by major tech companies like Apple, financial institutions, and cryptocurrency and blockchain projects, can pay a skilled hacker several million dollars for a single bug.