Glossary

Bug-Bounty

Updated on 1 min Reviewed by: Cenedril Editorial

A bug bounty program financially rewards external security researchers for responsibly reporting vulnerabilities in an organization’s products or systems. It complements internal security testing with the perspective of independent researchers.

In an ISMS context, a bug bounty program relates to ISO 27001 Annex A control A.8.8 (Management of Technical Vulnerabilities) and can be considered part of the vulnerability disclosure strategy (A.5.7). Platforms such as HackerOne, Bugcrowd, and Intigriti handle triage, communication, and payouts. Programs range from invite-only (selected researchers) to public. Clear rules — scope, permitted test methods, response times, compensation — are critical for success.