How to get better results from bug bounty programs without wasting money

The wrong bug bounty strategy can flood your team with low-value reports. The right one can surface critical vulnerabilities that would otherwise slip through. A new academic study based on Google’s Vulnerability Rewards Program (VRP) offers rare data on how to tell the difference.


The team behind the study included experts from Harvard, Bocconi University, Hebrew University, and Google Research. They analyzed data before and after a major change in July 2024, when Google increased payouts for the most serious vulnerabilities by up to 200 percent. Their goal was to see how researchers responded when the stakes were raised.

The study found that larger rewards worked. Reports of the most severe bugs, known as Tier 0 vulnerabilities, rose sharply after the payout increase. Submissions rated as high merit, meaning they were well-documented and easier for Google’s teams to act on, also increased. Overall bug submissions went up, but the biggest change came from the most valuable findings.

Money talks, especially for serious bugs

A 100 percent increase in payouts led to about a 20 percent rise in total submissions. However, the response from researchers working on top-tier bugs was far stronger, with the number of these critical reports tripling.

This suggests that simply paying more across the board is not the best strategy. Instead, rewards should be concentrated on the types of vulnerabilities that have the greatest impact on the business. The study notes that lower-value bugs still consume internal resources for triage and remediation, so a surge in volume without an improvement in quality can strain security teams.

Ottilia Westerlund, Hacker Engagement Manager at Intigriti, told Help Net Security that organizations need to be deliberate in how they set payouts. “A useful starting point is to look at other programmes of a similar size and industry to benchmark payouts,” she said. “Consider running targeted campaigns. You could offer extra rewards for medium-to-critical vulnerabilities in specific areas you want more focus on. Another approach is to identify your worst-case scenario vulnerability and attach a significant bonus to encourage researchers to prioritize what matters most to you.”

The people behind the findings

The researchers also examined who was responsible for the increase. They found two trends. Veteran bug hunters shifted their focus toward higher-value targets once the payouts went up. At the same time, a small group of new, highly productive researchers joined the program and quickly started submitting impactful findings.

Most new participants either reported no vulnerabilities or found only a few. This shows that while higher rewards can attract top talent, raising payouts does not by itself grow the pool of skilled contributors in a meaningful way.

These dynamics matter for companies of all sizes. Many bug bounty programs compete for attention from the same group of experienced researchers. When one program raises its payouts, it can draw those researchers away from other programs, creating a competitive marketplace for talent.

For Christian Toon, Chief Security Strategist at Alvearium Associates, this is why the scope and structure of programs matter as much as money. “Internal teams take the technology as far as they are able based on procedures, process, and standards,” he said. “External researchers are there to potentially mimic the exploits, techniques and tactics used by nefarious actors. To be really effective, the scope for external research should be focused on what you’re concerned about should the policies and standards fail. If it’s too wide or the reward structure isn’t clear, you can end up paying out for low-risk items instead of focusing efforts on high-risk breach prevention.”

Getting the balance right

The findings highlight the balancing act that comes with running a bug bounty program. Increasing rewards can improve outcomes, but it also raises costs and may lead to more low-quality submissions. Success depends on more than payout levels: fast, fair triage and strong internal processes are essential to managing the volume and maintaining trust with the researcher community.

Metrics matter too. Jukka Seppänen, CISO and CIO at UpCloud, said, “I care most about signal quality, speed, impact, and sustainability in operations. If signal-to-noise ratio trends up while volume stays healthy, the bug bounty program is maturing. Researcher trust lives and dies by responsiveness, so we track time-to-triage, time-to-validate and time-to-fix very closely.”
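The metrics Seppänen names (signal-to-noise, volume, severity mix, and the three time-to-X figures) are straightforward to compute from a program's own submission records. The script below is an added example, not code from the study, Google's VRP, or UpCloud; the `Report` fields, the constructed sample records, and the two comparison periods (before and after a hypothetical payout change) are assumptions made for illustration. It computes per-period metrics so the two periods can be compared, and flags untriaged reports that have exceeded a triage SLA.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

@dataclass
class Report:
    """One bug bounty submission. Field names are this example's own convention."""
    report_id: str
    tier: int                      # 0 = most severe, 3 = least severe
    submitted: datetime
    triaged: Optional[datetime]    # None if nobody has looked at it yet
    validated: Optional[datetime]  # None if rejected or still pending
    fixed: Optional[datetime]      # None if not yet remediated
    valid: bool                    # True if accepted as a real, in-scope bug

def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0

def safe_median(values):
    """median() raises on empty input; report None instead."""
    values = list(values)
    return median(values) if values else None

def program_metrics(reports, period_start: datetime, period_end: datetime) -> dict:
    """Summarise reports submitted in [period_start, period_end)."""
    in_period = [r for r in reports if period_start <= r.submitted < period_end]
    valid = [r for r in in_period if r.valid]
    return {
        "volume": len(in_period),
        # Signal-to-noise: share of submissions that turned out to be real bugs.
        "signal_ratio": (len(valid) / len(in_period)) if in_period else 0.0,
        "tier0_count": sum(1 for r in valid if r.tier == 0),
        # Median hours from submission to each stage; untriaged/unfixed reports are excluded.
        "median_time_to_triage_h": safe_median(
            hours_between(r.submitted, r.triaged) for r in in_period if r.triaged),
        "median_time_to_validate_h": safe_median(
            hours_between(r.submitted, r.validated) for r in valid if r.validated),
        "median_time_to_fix_h": safe_median(
            hours_between(r.submitted, r.fixed) for r in valid if r.fixed),
    }

def triage_sla_breaches(reports, now: datetime, sla_hours: float = 72.0) -> list:
    """IDs of reports still untriaged after sla_hours (the hypothetical SLA used here)."""
    return [r.report_id for r in reports
            if r.triaged is None and hours_between(r.submitted, now) > sla_hours]

# Constructed sample data: four reports before and five after a payout change on 2024-07-01.
D = datetime
SAMPLE_REPORTS = [
    Report("A1", 2, D(2024,5,2,9),  D(2024,5,3,9),   D(2024,5,5,9),   D(2024,5,20,9),  True),
    Report("A2", 3, D(2024,5,4,12), D(2024,5,6,12),  None,            None,            False),
    Report("A3", 1, D(2024,5,10,8), D(2024,5,11,20), D(2024,5,14,8),  D(2024,6,10,8),  True),
    Report("A4", 3, D(2024,6,1,10), D(2024,6,2,10),  None,            None,            False),
    Report("B1", 0, D(2024,7,3,9),  D(2024,7,3,15),  D(2024,7,4,9),   D(2024,7,8,9),   True),
    Report("B2", 0, D(2024,7,15,10),D(2024,7,15,22), D(2024,7,17,10), D(2024,7,25,10), True),
    Report("B3", 2, D(2024,7,20,11),D(2024,7,21,11), D(2024,7,23,11), D(2024,8,15,11), True),
    Report("B4", 3, D(2024,8,2,8),  D(2024,8,4,8),   None,            None,            False),
    Report("B5", 3, D(2024,8,10,9), None,            None,            None,            False),
]

BEFORE = (D(2024,5,1), D(2024,7,1))
AFTER = (D(2024,7,1), D(2024,9,1))

def compare_periods(reports=SAMPLE_REPORTS) -> dict:
    """Metrics for both periods plus whether signal quality improved."""
    before = program_metrics(reports, *BEFORE)
    after = program_metrics(reports, *AFTER)
    return {
        "before": before,
        "after": after,
        "signal_improving": after["signal_ratio"] > before["signal_ratio"],
        "volume_healthy": after["volume"] >= before["volume"],
    }

if __name__ == "__main__":
    result = compare_periods()
    for label in ("before", "after"):
        print(label, result[label])
    print("signal improving:", result["signal_improving"])
    print("triage SLA breaches:", triage_sla_breaches(SAMPLE_REPORTS, now=D(2024,9,1)))
```

Reading the output the way the quote suggests: in the constructed data the valid share rises from 0.5 to 0.6 while volume grows from 4 to 5 and two Tier 0 findings appear, which is the "maturing" pattern, and report B5 shows up as a triage SLA breach because it has sat untouched for weeks. Real programs should feed this from their tracker's export rather than hand-built records, and decide their own SLA thresholds.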

The experience of researchers can be just as important as payouts. “Researcher experience matters more than reward tables,” Seppänen added. “Fast, human triage and respectful feedback matter more. You should treat the security researchers like partners. It adds up: you will see better write-ups, more logic bugs, and even early pings on shadow assets.”

Trust and engagement over the long term

Money is not the only way to keep researchers motivated. Westerlund said recognition and communication are crucial. “Above all, treat your researchers well. If someone submits an excellent bug, let them know you appreciate it. Transparency also goes a long way. If there are delays, communicate this rather than leaving researchers in the dark,” she said. She added that public “hall of fame” pages, swag, and even live hacking events can help programs stand out.

Toon also stressed the value of trust-building measures. “Safe harbour can really help establish trust with researchers,” he said. “Over VDP terms we’ve also asked for them to spend time (paid) to talk to the business about their work. Other incentives have included branded merch, personalised challenge coins and thank you letters from the CEO.”

The researchers note that the data they studied predates the rise of AI-powered bug hunting tools. These tools are now emerging and could change how programs operate. Future studies will need to examine how automation interacts with human effort and how reward structures might evolve.
