Bug Bounty Platforms Are Exploiting Researchers
Companies pay $500 for critical vulnerabilities while bug bounty platforms take 20% cuts. The economics don't work for researchers.
Bug bounty platforms claim to connect security researchers with companies. In reality, they're intermediaries extracting value from both sides while researchers do skilled labor for poor wages.
The economics are broken. Companies get critical vulnerabilities fixed for less than a junior developer's daily rate. Platforms take 20% cuts for running a web form. Researchers get paid $500 for finding bugs that would cost $50,000 or more on the gray market.
Nobody in this equation benefits except the platforms. A critical remote code execution vulnerability in a SaaS product should be worth significantly more than what bug bounty programs pay. Here's the actual market rate comparison:
Bug Bounty Program: $500 - $5,000
Responsible Disclosure (no bounty): $0
Gray Market (Zerodium, etc.): $50,000 - $500,000
Nation-State Buyers: $500,000 - $2,500,000
The gap between bug bounty payouts and actual market value is 100x to 500x. Researchers are expected to do the right thing while leaving 99% of the value on the table.
Economics
Most bug bounty platforms take a 20% cut. Some charge companies setup fees, monthly fees, or take even larger percentages. Here's what that looks like:
Researcher finds critical RCE: 40 hours of work
Company bounty: $2,500
Platform cut (20%): $500
Researcher payout: $2,000
Effective hourly rate: $50/hour
That $50/hour is before:
Taxes (20-40% depending on jurisdiction and other factors)
Time spent on duplicates and rejected reports
Infrastructure costs (VPS, tools, domains for testing)
Unpaid time learning and researching new vulnerabilities
Real effective rate after accounting for all work: $15-20/hour for skilled security work.
Meanwhile, penetration testers bill $200-400/hour. The same researcher doing the same work gets paid 10-20x less through bug bounties.
Duplicates
Most serious vulnerabilities are found within hours of program launch by multiple researchers simultaneously. Only the first report gets paid.
You spend 20 hours finding a critical SQL injection. You write a detailed report with proof-of-concept, impact analysis, and remediation steps. You submit it.
"Duplicate. This was already reported 30 minutes ago."
You get $0. The platform still takes their 20% from the other researcher's payout. You subsidised their business model with free labor.
Triage
Bug bounty platforms employ "triage teams" to review submissions. In theory, this helps companies by filtering out noise. In practice, it adds another layer that doesn't understand the reported vulnerability.
I've seen critical vulnerabilities marked as "informational" by triage teams because they didn't understand the exploit chain. I've seen SQLi marked as duplicate of XSS because both were "injection vulnerabilities." I've seen valid reports closed as "won't fix" and then silently patched two weeks later with no payout.
The triage team has zero incentive to advocate for researchers. They're paid by the platform, which is paid by companies. Their incentive is to minimise payouts and close reports quickly.
Scope Creep and Retroactive Rules
You spend weeks testing a target. You find a critical vulnerability in a domain that's in scope. You report it.
"Out of scope. We updated the scope yesterday to exclude that subdomain."
Or:
"This type of vulnerability is excluded per our policy update from last week."
Or my personal favorite:
"This is a duplicate of a vulnerability we fixed last year and never disclosed."
Bug bounty programs can change rules retroactively. Researchers have no recourse. The platform sides with the paying customer (the company) every time.
A Race to the Bottom
Because bug bounties pay so little, they attract researchers who:
Are in countries with low cost of living
Are students/hobbyists who don't value their time
Use automated scanners and submit everything (creating noise)
Don't know their work is worth 100x more
This creates a race to the bottom. Why would a company pay $10,000 when someone in a developing country will report it for $500? Why would platforms advocate for higher payouts when volume is more profitable than quality?
The result: experienced researchers leave the bug bounty ecosystem. Quality of reports declines. Companies get flooded with low-quality automated scanner output. Everyone loses except the platforms, who get paid per report processed.
Publicity
Many bug bounty programs exist purely for PR. "We have a bug bounty program" signals that the company takes security seriously. The actual payouts tell a different story:
Maximum bounty: $10,000 (looks good in marketing)
Average bounty paid: $150
Median bounty paid: $50
Number of critical vulnerabilities found: 47
Highest payout for critical vulnerability: $500
The "$10,000 maximum bounty" is marketing. The reality is $50 for finding exploitable bugs in production systems.
"Exposure"
Platforms and companies defend low bounties with:
"You get exposure!"
"You're building your reputation!"
"It's responsible disclosure!"
"Think of it as practice!"
This is the same argument used to exploit artists, musicians, and writers. "Work for free/cheap for the exposure."
Security researchers don't need exposure. They need money. Skills that find RCE in production systems are worth real money. Asking researchers to work for "reputation points" while companies save millions on security audits is exploitation.
What Companies Are Actually Saving
A professional penetration test costs $5,000 - $50,000+ depending on scope. Companies using bug bounties as their primary security testing model are getting:
Continuous testing (not point-in-time)
Diverse researcher skill sets
Global coverage (researchers in all time zones)
No upfront costs
Pay-per-vulnerability instead of flat fee
A bug bounty program that pays out $100,000/year is replacing $500,000+ worth of professional security testing. The platform takes $20,000 of that. Researchers split $80,000 while doing half a million dollars worth of work.
The value extraction is staggering.
Revenue Models
Bug bounty platforms are profitable businesses. HackerOne, Bugcrowd, Synack - all have raised hundreds of millions in VC funding. Their unit economics work because:
Take 20% of all payouts (pure margin)
Charge companies platform fees
Sell "managed programs" at premium prices
Pay researchers as little as possible
No inventory, no overhead, no liability
It's a classic marketplace play: connect two sides, extract maximum value, provide minimum infrastructure.
The researcher does the skilled work. The company gets the value. The platform takes the cut. Who's being exploited here?
What Actually Needs to Change
Minimum bounty standards: Critical vulnerabilities should have floor prices ($10,000+)
No platform cuts on bounties: Platforms should charge companies directly, not take cuts from researcher payouts
Duplicate protection: If multiple researchers find the same bug within a reasonable window, split the bounty
Binding scope: Companies can't change scope retroactively to avoid payouts
Independent arbitration: Disputes resolved by third parties, not platform-employed triage teams
Disclosure rights: Researchers can disclose after 90 days regardless of fix status
None of this will happen voluntarily. Platforms are profitable under the current model. Companies get cheap security testing. Researchers lack negotiating power.
Final Thoughts
Bug bounty platforms have successfully convinced the security industry that paying researchers 1% of market value is "ethical" and "responsible."
It's not. It's exploitation with good PR.
The platforms extract value by positioning themselves between researchers and companies, taking cuts while providing minimal infrastructure. Companies get professional security testing at a fraction of market rates. Researchers get poverty wages for skilled work.
The bug bounty model could work if payouts reflected actual value. A critical RCE should pay $50,000, not $500. Platforms should charge companies service fees, not extract from researcher payouts. Duplicates should be handled fairly.
But that would require platforms to care about researchers as much as they care about companies. And companies are the ones paying the bills.
So instead, we have a system that works great for platforms and companies, and barely works for researchers. And we call it "ethical hacking."
The economics are broken. The incentives are broken. The only question is how long researchers will keep accepting it.