Thirty years ago, Netscape kicked off the first commercial bug bounty program. Since then, companies large and small have bought into the idea, with mixed results.
Bug bounties seem simple: a flaw finder spots a vulnerability, responsibly discloses it, and then gets a reward for their labor. But over the past decades, they've morphed into a variety of forms for commercial and government systems, using different payment techniques and platforms, and some setups are a lot more effective than others.
Commercial bug bounties spread slowly at first, and the idea was initially fraught with danger for researchers. Some companies sued outsiders who found problems with their software.
In 2005, Internet Security Systems (ISS) researcher Michael Lynn and the organizers of the Black Hat sec