Bug Bounty & VDP Platforms 2026 — HackerOne / Bugcrowd / Intigriti / Synack / YesWeHack / Immunefi / Code4rena / Anthropic Model Safety Deep Dive
Author: Youngju Kim (@fjvbn20031)
Prologue — In 2026, Bug Bounty Grew Up
By May 2026, bug bounty is no longer the place where hobby developers play movie hacker. Fourteen years after HackerOne was founded in 2012, the industry has reached adulthood through three stages.
- 2012 to 2017 — Self-service era. Facebook, Google, and Microsoft ran their own programs; HackerOne and Bugcrowd aggregated the outside hunters. "A public program, anyone can submit, the triage team handles it." Simple, and noisy.
- 2018 to 2023 — Managed era. The noise turned into triage payroll. HackerOne Clear, Bugcrowd Crowdcontrol, and the Synack Red Team started pricing "vetted hunters plus managed triage" as a separate product. In the same window, Immunefi opened a separate market in Web3 with single-report rewards in the $10M range.
- 2024 to 2026 — AI, compliance, and Web3 forks. Anthropic opened the Model Safety Bounty in August 2024, the OpenAI Cybersecurity Grant Program funds LLM safety research, CISA BOD 20-01 makes VDPs mandatory for US federal agencies, and the EU Cyber Resilience Act (CRA) forces vulnerability disclosure for every digital product by December 2027. CVE and NVD weathered a 2024 to 2025 backlog crisis but remain the industry reference.
This post sorts fifteen major platforms into four quadrants — managed, self-hosted, Web3, AI — explains who each platform is for, what its reward shape and compliance fit look like, and then walks through Korea (KISA, Toss, Kakao) and Japan (IPA, ZOZO, Mercari, LY, DMM) in the same breath.
1. The 2026 Bug Bounty Map — Four Quadrants
First, one picture.
```
                     Managed (platform-handled triage)
                                    ▲
                                    │
                Synack ─────────────┤
          HackerOne Clear           │   Cobalt.io (PtaaS)
          Bugcrowd Managed          │
                                    │
  Web2 ◄────────────────────────────┼────────────────────────────► Web3 / AI
                                    │
          Open Bug Bounty           │   Immunefi
          Intigriti (SaaS)          │   Code4rena
          YesWeHack (SaaS)          │   Sherlock
          HackerOne SaaS            │   Hats Finance
                                    │   Spearbit / HackenProof
                                    │   Anthropic Model Safety
                                    │   OpenAI Cybersecurity Grant
                                    │
                                    ▼
                    Self-hosted (you run triage)
```
The horizontal axis is what you target — traditional web/mobile/API versus smart contracts or LLMs. The vertical axis is operating model — platform handles triage, or your team does.
This grid is the skeleton for the chapters that follow. Each platform owns a small region rather than a single point. HackerOne stretches across SaaS, Managed, VDP, and Pentest; Synack concentrates on the managed corner; Immunefi almost monopolizes one Web3 row.
2. HackerOne — The Biggest, and the IPO That Did Not Land
Founded in San Francisco in 2012, HackerOne is the de-facto industry standard, with over a million cumulative reports and roughly $400M in cumulative rewards. By 2026 estimates put it at over 1.5M registered hunters and more than 1,000 enterprise customers.
Product lines. HackerOne is not one product; it is a bundle.
| Product | Scope |
|---|---|
| Bounty | Public and private bounty programs |
| Response (VDP) | Free VDP — fits CISA BOD 20-01 |
| Pentest | Scheduled managed pentest |
| Assessments | Managed full-scope |
| AI Red Teaming | LLM and multimodal model evaluation |
2024 to 2025 trajectory. Long-rumored as an IPO candidate, HackerOne pushed timing back as the market cooled, with revenue tilting toward managed and enterprise contracts. In parallel the AI Red Teaming line grew quickly — OpenAI, Anthropic, and Google DeepMind have run model-safety challenges on HackerOne.
Who should use it. Global SaaS, fintech, and government (the US DoD's Hack the Pentagon runs on HackerOne) are first in line. The downsides are well known — pricing is high, and hunter forums frequently complain about triage SLAs.
In Korea. Toss, LINE, and Kakao partially use HackerOne, but Korean hunters are a small slice of the overall hunter base. The English-only reporting requirement remains a real friction.
3. Bugcrowd — The Direct Competitor, Differentiated by AI Triage
Founded in Australia in 2012, Bugcrowd started almost the same week as HackerOne and offers the same managed / VDP / Pentest lines. The two have built nearly parallel feature sets for fourteen years.
Differentiator. Since 2024, Bugcrowd has pushed AI-assisted triage front and center. Incoming reports get a first-pass LLM classification, duplicate detection, and severity estimation. Hunters report faster response times; the company reports lower triage cost.
Crowdcontrol platform. The core SaaS — program builder, hunter reputation (VRT-based) scoring, automated reward computation, and ServiceNow / Jira / GitHub integrations. It looks like a heavy SOAR, which enterprise security buyers like.
Compliance. Out-of-the-box reports for SOC 2 Type II, ISO 27001, and PCI DSS. The US DoD, Tesla, and parts of OpenAI run programs on Bugcrowd.
Weakness. UI/UX and hunter community activity have a softer reputation than HackerOne. New hunters often feel the count of live programs is lower than they expect.
4. Intigriti — Europe's De-Facto Standard
Started in Antwerp, Belgium in 2016, Intigriti is the largest European bounty platform in 2026, with over 90,000 hunters and more than 500 customers including a long list of European governments, banks, and telcos.
Why Europe stuck with it. Two things compounded.
- GDPR / NIS2 / DORA / CRA fit. Data residency, hunter identity verification, and payment flows all stay inside the EU. "Our data does not transit a US platform" is a meaningful sentence to European regulators.
- Language and time zone. European sales and triage teams answer during local business hours. The simple fact of getting a CET-morning reply matters more to EU security teams than non-EU observers usually expect.
Features. Same SaaS lines as HackerOne and Bugcrowd — Bounty, VDP, Hybrid Pentest, Live Hacking Event. The Live Hacking Event (such as Intigriti 1337UP) gathers hunters in one city for a 48-hour live run and has become the de-facto conference of the European hunter community.
Who should use it. Companies headquartered in the EU, or anyone whose customers demand strict EU data protection. As the CRA deadline (December 2027) approaches, Intigriti's share is likely to grow further.
5. Synack — The Definition of Vetted-Hunter Managed Pentest
Synack moves on a different axis from every other platform. Founded in 2013 by two former NSA analysts, it sells managed pentest built on the Synack Red Team (SRT) — a vetted, elite hunter group that takes on government, finance, and healthcare customers.
How it differs from open bounty.
- Hunter identity is verified. Background checks, technical interviews, and behavioral evaluation. Rejection rates above 90% are widely reported.
- Targets are not public. Regular hunters do not even know what company they are testing.
- Traffic flows through Synack. All test traffic transits Synack's gateway, where it is recorded and monitored. The customer receives audit logs showing who tried what, when.
Products. SRT for Pentesting (scheduled), SRT for Continuous, and Bounty Hunter (partial rewards). Pricing is well above other SaaS, and reports come at a quality that can be filed directly for SOC 2, FedRAMP, and ISO 27001 audits.
Who should use it. Customers who want outside hunters but cannot accept them without identity verification: US federal and state, large finance, healthcare. In short, places where compliance is the buying trigger.
Weakness. Price, and the entry barrier from the hunter side. Most hunters will never get into Synack.
6. YesWeHack — The French EU-Friendly Platform
YesWeHack is a French company founded in Paris in 2013. Where Intigriti grew out of Benelux to cover the EU, YesWeHack grew out of French government contracts and spread to the EU, Asia, and Latin America.
What stands out.
- Strong public sector posture. Close ties to ANSSI (France's national cybersecurity agency) and ENISA (the EU cybersecurity agency). UI in French, English, German, Japanese, and Spanish from early on.
- Dojo / learning track. Hunter education lives inside the platform — CTF-style challenges grow new hunters before they move to live programs.
- Singapore and Tokyo presence. YesWeHack accelerated into Asia in the mid-2020s and offers data residency in Japan and Singapore.
Products. Bounty, VDP, Pentest, and Attack Surface Management — the same SaaS lineup as other EU platforms.
Who should use it. Companies headquartered in France, or multi-region businesses needing EU compliance. In Japan, players such as LY and DMM have explored or partially adopted YesWeHack.
7. Open Bug Bounty — Free, and One-Way Disclosure
Open Bug Bounty is unlike every other platform on this page. Started in 2014, the site is free for site owners. When a hunter finds XSS, information disclosure, or misconfiguration on a site, Open Bug Bounty takes on the duty of notifying the site owner. Any reward is set unilaterally by the owner.
The model.
- Hunters can find and report vulnerabilities on any site without prior consent.
- Open Bug Bounty observes a 90-day coordination window during which the hunter holds disclosure.
- After 90 days or after a patch, the hunter retains the right to publish the finding (category and affected domain).
Upside. Small sites, NGOs, schools, and government subdomains that do not have the resources to run a formal bounty still get a notification channel. Cumulative reports exceed 1.3 million.
Downside. "Testing without prior consent" lives in a criminal-law grey area in the US and parts of the EU. Hunters who go too far risk CFAA or UK CMA exposure. From the site owner's perspective, unsolicited external scanning carries PR risk.
Who should use it. Small organizations that want a notification channel without a budget, or hunters who want a learning-grade first report.
8. Cobalt.io — The Definition of PtaaS
Cobalt.io is not a bounty company — it is a PtaaS (Pentest as a Service) company. Founded in 2013, it sells managed pentest like SaaS. Customers click "Start a test" in a dashboard and Cobalt rapidly matches them with vetted pentesters drawn from its Cobalt Core pool.
Why it gets its own category. Open bounty is outcome-priced: hunters are paid only for accepted findings. PtaaS is time-priced: pentesters work a fixed window and bill hourly or per project. The two differ in revenue recognition, compliance report format, and hunter incentive structure.
Cobalt Core. A pool of roughly 400 vetted pentesters. Vetting is lighter than Synack SRT (mostly technical interview and reputation) but heavier than open bounty.
Customers. Mid-market SaaS, fintech startups, and companies pursuing their first SOC 2 or ISO 27001. PtaaS sits squarely on the line of "we need an external pentest for compliance, but cannot afford a full consulting firm."
9. Immunefi — Web3 with a Single-Report $10M Reward
Immunefi, launched in 2020, is the Web3-only bounty platform. While the others handle Web2, Immunefi targets smart contracts, bridges, DEXes, and DAOs.
Scale. The largest single payout exceeds $10M (Wormhole in 2022). General web/mobile bounty payouts average well below $1K; this is a different order of magnitude.
Why so large. A single smart contract can lock billions of dollars in user assets, and one exploit can vaporize them. The reward for a single critical bug is therefore priced against the loss it averts: DeFi protocols routinely promise 5 to 10 percent of TVL as the critical cap.
Payout shape. Fixed amounts per severity (critical, high, medium, low) plus caps. Payouts arrive mainly in stablecoins (USDC, USDT); some portion may pay in the protocol's native token.
Weakness. The barrier is steep. You need deep Solidity, EVM, and newer-chain VM knowledge to find a critical finding. Token-denominated rewards also lose real value during downturns.
Who should use it. DeFi, NFT, infrastructure protocol, and bridge operators. From the hunter side, anyone with a Web3 / Solidity background lands where the biggest single rewards are.
10. Code4rena / Sherlock / Hats Finance / Spearbit / HackenProof — Web3 Specialization
Beyond Immunefi, Web3 security has several adjacent models. Five short takes.
Code4rena. Time-limited code contests — typically 5 to 21 days during which a protocol's new code base is opened for simultaneous audit by registered Wardens. Findings are scored by severity and split a fixed prize pool (for example $100K) by weighted contribution. Because the code is exposed only during the window, costs are predictable for the protocol.
Sherlock. Smart-contract audit plus insurance. Audited code receives a Sherlock-backed exploit-loss guarantee for some period. The auditor carries direct incentive to "own bugs I missed."
Hats Finance. Decentralized bounty — the protocol stakes its own contract, rewards are locked in escrow, and a committee vote releases payment when a report comes in. No central triage company in the loop.
Spearbit. Full-time audit consulting — single deep engagements rather than a marketplace. More boutique senior-auditor firm than bounty platform. Optimism, Aave, and Lido are regular customers.
HackenProof. Ukraine / EU-based hybrid Web3 + Web2 bounty. Sits inside the Hacken group, packaged with Web3 audit reports and live bounty in the same offering.
11. BugBase / Hackrate — The Newcomers
Two newcomers sit alongside the giants.
BugBase (India). Founded in India in 2021. Quickly assembled an Indian hunter community and Asian-headquartered customers. Friendly to local payment infrastructure (UPI, INR). For Indian and ASEAN customers, BugBase is often the closest local platform.
Hackrate. Hungary-based, in Budapest. Targets central and eastern European companies. Lighter and cheaper than Intigriti, which lets small SaaS and public agencies adopt with lower friction.
Their global market share is small, but in their respective regions they are surprisingly strong because of "local payments plus local compliance plus local hunter community."
12. AI Bug Bounty — Anthropic Model Safety / OpenAI Cybersecurity Grant
A new category opened in 2024: the model itself is the target.
Anthropic Model Safety Bounty (August 2024). Anthropic opened a public bounty on its Constitutional Classifier. The target is the "universal jailbreak" — a single prompt that simultaneously bypasses every safety category. The top single-finding reward is around $15K. A 2025 follow-up round extended evaluation items in line with Anthropic's Responsible Scaling Policy.
OpenAI Cybersecurity Grant Program. Funding from OpenAI for academic and security researchers, running since 2023. More research grant than bounty, but the output feeds directly into GPT-family safety evaluation. Rounds run on the order of $1M total.
HackerOne / Bugcrowd AI Red Teaming lines. Existing platforms have separate lines for LLM and multimodal targets. Categories follow the OWASP LLM Top 10 (prompt injection, training data leakage, insufficient output handling, etc.) rather than classic OWASP.
Why a separate category. AI targets blur the notion of a "reproducible exploit." The same prompt that was blocked yesterday may go through today. Rewards therefore track new criteria — reproducible jailbreak consistency, severity, and generality.
13. CVE Program — MITRE, NIST NVD, and the 2024 to 2025 Backlog Crisis
Independent of platforms, official identifiers (CVE IDs) run on a separate track.
CVE Program. MITRE launched it in 1999. Each disclosed vulnerability gets a unique CVE-YYYY-NNNNN identifier. About 400 CNAs (CVE Numbering Authorities) can issue CVEs in their own domain — Microsoft, Red Hat, GitHub, etc. By 2026 cumulative issuance is around 350,000.
NIST NVD. Enriches CVEs with severity (CVSS), CPE, and CWE data to form a searchable database. Run by US NIST.
2024 to 2025 crisis. Two events shook the system.
- NVD backlog explosion. Starting in spring 2024 NIST could not enrich new CVEs fast enough, and the backlog grew to over 80,000 items waiting for analysis at its peak.
- MITRE contract expiry scare (April 2025). The MITRE operating contract for the CVE Program nearly lapsed, and CISA stepped in at the last minute with an 11-month bridge. In the same window ENISA stood up the EU Vulnerability Database (EUVD).
Result. The industry began shifting away from sole NVD dependence. GitHub Advisory, OSV.dev, VulnCheck, CISA KEV, and ENISA EUVD have taken on roles as supplementary sources, and internal SBOM / vulnerability matching now routinely fuses several sources.
14. VDP Standardization — CISA BOD 20-01 and the EU CRA
If bounty is optional, VDP (Vulnerability Disclosure Program) is in the process of becoming mandatory.
CISA BOD 20-01 (September 2020). A Binding Operational Directive from CISA under the US Department of Homeland Security. Every executive-branch federal agency must:
- Provide a public channel (typically security.txt) for outside researchers to submit vulnerability reports.
- Acknowledge submissions within 30 days.
- Commit to no legal threats (explicit safe harbor).
- Publish the disclosure policy.
EU CRA (Cyber Resilience Act). Adopted in 2024, full application by December 2027. Every digital product (software plus hardware) sold in the EU must:
- Report actively exploited vulnerabilities to ENISA / CSIRT within 24 hours.
- Publish a Coordinated Vulnerability Disclosure (CVD) policy.
- Provide patches for a minimum of five years (or a reasonable period).
- Maintain an SBOM.
Result. Even companies with very small security teams need at least a VDP channel. HackerOne Response, Bugcrowd VDP, Intigriti VDP, and YesWeHack VDP all target this space at zero or low cost. The era of "drop a security.txt file and reply when you feel like it" is ending.
15. Korea — KISA, Toss, and Kakao
Korea has a small share on global platforms, but a healthy domestic ecosystem.
KISA (Korea Internet & Security Agency) Bug Bounty.
- Runs an annual "Bug Bounty Festival." Hunters work a curated pool of Korean public and private sites simultaneously.
- Reports go through the KrCERT/CC channel; rewards combine government funding and participating-company matching, typically from KRW 500,000 to KRW 10 million per finding.
- The notable difference is that reports are accepted in Korean rather than English.
Toss (Viva Republica). A consistent self-run bounty since 2019. Single-finding rewards in the KRW 100 million range have been publicly reported, reflecting the high impact of critical findings against a fintech target. Reports flow through a self-run channel plus partial HackerOne use.
Kakao. Kakao's security page provides both VDP and bounty channels. Domains across LINE-related properties are aggregated, and reward tiers are set internally.
LY Corporation (Korea-Japan joint). As LY in Japan, this overlaps with the next chapter. For Korean hunters, additional Japanese-side targets join the scope.
Language, payment, tax. Rewards from global platforms count as foreign currency receipts for Korean hunters and trigger tax filing obligations. One reason KISA, Toss, and Kakao remain attractive for domestic hunters is the simplicity of the payout process.
16. Japan — IPA, ZOZO, Mercari, LY, DMM
Japan took a different path.
IPA (Information-technology Promotion Agency). Operates the J-CSIP information-sharing network among others, but does not directly run a public bounty festival. Instead, IPA encourages corporate VDP adoption via its vulnerability handling guidelines.
ZOZO. Fashion e-commerce. Started a self-run bounty in 2019, one of Japan's first serious corporate bounties. Partial HackerOne use.
Mercari. C2C marketplace. Established a self-run bounty early and operates on HackerOne and BugBounty.jp.
LY Corporation (LINE + Yahoo Japan merger). Since the 2023 merger, LY runs a unified bounty across a wide domain set (LINE, Yahoo, PayPay).
DMM. Content / gaming / fintech conglomerate. Runs a self-run bounty alongside domestic platform use.
BugBounty.jp. A Japan-local platform. Japanese UI and Japan-tax-friendly payouts. Like the KISA pool in Korea, it lowers the entry barrier for Japanese hunters.
Korea / Japan summary. Korea splits into public bounty festivals via KISA plus large corporate self-run programs. Japan delegates guidance to IPA and leaves bounty operation to corporates like ZOZO, Mercari, LY, and DMM. Both rely more on domestic channels than on global platforms.
17. How to Start — From Both the Hunter and the Company Side
The closing chapter has two paths.
Hunter side — the first year
- Read OWASP Top 10, OWASP API Top 10, and OWASP LLM Top 10 end to end. Almost every report category lives here.
- Complete the PortSwigger Web Security Academy for free. SSRF, IDOR, auth/session, CORS, injection — get them into your hands.
- Open accounts on HackerOne, Bugcrowd, and Intigriti, and start with public VDPs. Even without payout it is the best way to learn the report lifecycle.
- Submit 2 to 3 learning-grade reports on Open Bug Bounty, but check your jurisdiction's law first (Korea's Information and Communications Network Act, Japan's Act on Prohibition of Unauthorized Computer Access, US CFAA).
- Use domestic channels. Korean hunters can start with the KISA festival, Toss, or Kakao; Japanese hunters with BugBounty.jp, ZOZO, Mercari, or LY. No English-report overhead.
- Pick a direction at the six-month mark. Traditional web/mobile points to HackerOne and Intigriti; managed pentest as a profession points to Cobalt Core or a Synack SRT interview; smart contracts point to Immunefi, Code4rena, and Sherlock.
Company side — the first six months
- Start with a VDP. Before any paid bounty, publish security.txt and a reporting channel. The CISA BOD 20-01 template, or the disclose.io free guide, is enough.
- Promise no legal threats. Safe Harbor language must be explicit. Without it, no serious hunter will engage: commit not to pursue action under the CFAA, the Korean ICN Act, or the Japanese Unauthorized Access Act.
- Match the platform to compliance. Check which reports you need (SOC 2, ISO 27001, PCI, GDPR, NIS2, DORA, CRA). US government implies HackerOne, Synack, or Bugcrowd; EU implies Intigriti or YesWeHack; global SaaS implies HackerOne or Bugcrowd.
- Triage team or managed. For the first six months, managed is almost always right. Trying to build an in-house triage team from day one drowns it in noise.
- Reward curve. Spell out the reward per severity (P1 critical to P5 informational). Set critical slightly above market to attract serious hunters.
- Private beta first. Run a 30 to 90-day private beta with invited trusted hunters before opening to the public, so the volume and shape of incoming reports is known before going wide.
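The VDP channel from chapter 14 and the first two company-side steps above, as an added example rather than anything from CISA, disclose.io or the platforms named: a small RFC 9116 security.txt parser plus a readiness check for the fields those requirements turn on (Contact, Expires, a Policy link). The domain example.com and both sample files are constructed.

```python
# Constructed example: example.com is a reserved documentation domain and the
# two files below are made up to show a passing and a failing security.txt.
from datetime import datetime, timezone

# The post is written as of May 2026; used as the clock for the Expires check.
REFERENCE_NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)

GOOD_SAMPLE = """\
# Vulnerability disclosure channel (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/vdp/report
Expires: 2027-01-01T00:00:00Z
Policy: https://example.com/vdp/policy
Preferred-Languages: en, ko, ja
Canonical: https://example.com/.well-known/security.txt
"""

STALE_SAMPLE = """\
Contact: security@example.com
Expires: 2025-01-01T00:00:00Z
"""


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Parse 'Field: value' lines (RFC 9116). Field names are case-insensitive
    and may repeat, so each name maps to a list of values."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_vdp_readiness(text: str, now: datetime = REFERENCE_NOW) -> list[str]:
    """Return problems found; an empty list means the file satisfies the RFC 9116
    requirements and carries the Policy link a BOD 20-01 / CRA-style VDP needs."""
    problems: list[str] = []
    f = parse_security_txt(text)
    contacts = f.get("contact", [])
    if not contacts:
        problems.append("RFC 9116: at least one Contact field is required")
    for c in contacts:
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact must be a URI (mailto:/https:/tel:), got {c!r}")
    expires = f.get("expires", [])
    if len(expires) != 1:
        problems.append("RFC 9116: exactly one Expires field is required")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {expires[0]!r}")
        else:
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            if exp <= now:
                problems.append("Expires is in the past: researchers will treat the file as abandoned")
            elif exp > now.replace(year=now.year + 1):
                problems.append("Expires is more than a year out; RFC 9116 recommends less")
    if len(f.get("preferred-languages", [])) > 1:
        problems.append("RFC 9116: Preferred-Languages must appear at most once")
    if "policy" not in f:
        problems.append("No Policy link: BOD 20-01 and the CRA expect a published disclosure policy")
    for url in f.get("canonical", []):
        if not url.endswith("/.well-known/security.txt"):
            problems.append(f"Canonical should point at /.well-known/security.txt, got {url!r}")
    return problems


if __name__ == "__main__":
    for name, text in (("good", GOOD_SAMPLE), ("stale", STALE_SAMPLE)):
        print(name, check_vdp_readiness(text) or "OK")
```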
18. Closing — One Industry, Four Textures
The four-quadrant diagram from the top is also the conclusion.
- Managed Web2. HackerOne Clear, Bugcrowd Managed, Synack, Cobalt.io. Vetted hunters, platform-handled triage, audit-ready reports. Higher cost buys guaranteed output quality.
- Self-hosted Web2. HackerOne SaaS, Bugcrowd SaaS, Intigriti, YesWeHack, Open Bug Bounty. The right fit for companies willing to run an internal triage function.
- Web3. Immunefi (ongoing high rewards), Code4rena (time-limited contest), Sherlock (audit plus insurance), Hats Finance (decentralized), Spearbit (boutique), HackenProof (hybrid). The only region where single-finding rewards reach single-digit millions of dollars.
- AI. Anthropic Model Safety, OpenAI Cybersecurity Grant, HackerOne / Bugcrowd AI Red Teaming. The target is the model itself, and the evaluation criteria follow OWASP LLM Top 10 and per-vendor safety policy rather than classic OWASP.
Two cross-cutting threads run across all four. First, CVE / NVD identifiers tie every quadrant to a single track. Second, VDP is becoming effectively mandatory through CISA BOD 20-01 and the EU CRA.
The one-line summary for 2026 is short. Bug bounty is no longer a single industry where "anyone submits a finding into a public program." It is four industries — managed, self-hosted, Web3, AI — each with different pricing, different compliance, different hunter pools, and different reward curves. Both sides need to pick their corner. That is the one line.
References
- HackerOne — https://www.hackerone.com
- HackerOne Hacktivity (public reports) — https://hackerone.com/hacktivity
- Bugcrowd — https://www.bugcrowd.com
- Bugcrowd Crowdcontrol — https://www.bugcrowd.com/products/crowdcontrol/
- Intigriti — https://www.intigriti.com
- Intigriti 1337UP Live Hacking — https://www.intigriti.com/1337up
- Synack — https://www.synack.com
- Synack Red Team — https://www.synack.com/red-team/
- YesWeHack — https://www.yeswehack.com
- YesWeHack Dojo — https://dojo-yeswehack.com
- Open Bug Bounty — https://www.openbugbounty.org
- Cobalt.io — https://www.cobalt.io
- Cobalt Core — https://www.cobalt.io/core
- Immunefi — https://immunefi.com
- Immunefi Bug Bounty Programs — https://immunefi.com/explore/
- Code4rena — https://code4rena.com
- Sherlock — https://www.sherlock.xyz
- Hats Finance — https://hats.finance
- Spearbit — https://spearbit.com
- HackenProof — https://hackenproof.com
- BugBase (India) — https://bugbase.ai
- Hackrate — https://hackrate.com
- Anthropic Model Safety Bounty (Aug 2024) — https://www.anthropic.com/news/model-safety-bug-bounty
- Anthropic Responsible Scaling Policy — https://www.anthropic.com/news/anthropics-responsible-scaling-policy
- OpenAI Cybersecurity Grant Program — https://openai.com/index/cybersecurity-grant-program/
- OWASP LLM Top 10 — https://owasp.org/www-project-top-10-for-large-language-model-applications/
- CVE Program (MITRE) — https://www.cve.org
- NIST NVD — https://nvd.nist.gov
- CISA KEV (Known Exploited Vulnerabilities) — https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- ENISA EUVD — https://euvd.enisa.europa.eu
- CISA BOD 20-01 — https://www.cisa.gov/news-events/directives/bod-20-01-develop-and-publish-vulnerability-disclosure-policy
- EU Cyber Resilience Act (CRA) — https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
- disclose.io — https://disclose.io
- security.txt RFC 9116 — https://www.rfc-editor.org/rfc/rfc9116
- OWASP Top 10 — https://owasp.org/www-project-top-ten/
- OWASP API Security Top 10 — https://owasp.org/API-Security/
- PortSwigger Web Security Academy — https://portswigger.net/web-security
- KISA Bug Bounty — https://www.krcert.or.kr
- Toss Security — https://toss.tech/security
- Kakao Security — https://www.kakaocorp.com/page/responsibility/security
- IPA Japan — https://www.ipa.go.jp/security/
- ZOZO Security — https://corp.zozo.com/en/security/
- Mercari Security — https://about.mercari.com/en/security/
- LY Corporation Security — https://www.lycorp.co.jp/en/security/
- BugBounty.jp — https://bugbounty.jp
- GitHub Advisory Database — https://github.com/advisories
- OSV.dev — https://osv.dev
- VulnCheck — https://vulncheck.com