Bug Bounty Program Jobs (NOW HIRING)

... our bug bounty program end to end: triage, response, remediation, and researcher communication • Partner with Engineering to embed secure design patterns and security review into how we ship ...

CNO Developer

Chantilly, VA · On-site

$129K - $177K/yr

Desire to contribute to CTF events, bug bounty programs, and speaking at the security conferences * Rapid Prototype Software Development Security Clearance: * Active TS/SCI level clearance. Must be ...

Experience managing cross-functional, large-scale technical security programs, including the Security Vulnerability Program, Security Exceptions Program, and Bug Bounty Program * Familiar with ...

CNO Developer

Chantilly, VA · On-site

$130K - $178K/yr

... events, bug bounty programs, and speaking at the security conferences • Rapid Prototype Software Development Company : Accenture Federal Services is a leading US federal services company and ...

Experience managing cross-functional, large-scale technical security programs, including the Security Vulnerability Program, Security Exceptions Program, and Bug Bounty Program * Familiar with ...

Background in bug bounty programs or red teaming * Familiarity with AI or machine learning evaluation workflows Why Join Us * Work directly on cutting-edge AI projects with top research labs * Fully ...

Head of Security

San Francisco, CA · On-site

$240K - $280K/yr

Manage our Bug Bounty Program * Implement security controls across Merge, from infrastructure to CI * Implement and run manual and automated security practices to mitigate vulnerabilities * Assist ...

... Bug Bounty & Vulnerability Management Be the primary owner of our ImmuneFi program - triaging, reproducing, and responding to incoming submissions daily Prioritize and track vulnerabilities through ...

AppSec SME

$60.25 - $80.25/hr

Monitor and track the Bug bounty vulnerabilities and remediation closure * Track the coverage of ... Manage the program and communicate with client team * Identify, manage risks and provide risks ...

Experience in penetration testing, secure code review, or bug bounty programs * Familiarity with threat modeling frameworks or security design patterns * Background in cloud-native, API-first, or ...

Bug Bounty Program information

How much do bug bounty program jobs pay per hour?

As of Jun 26, 2026, the average hourly pay for bug bounty program jobs in the United States is $49.60, according to ZipRecruiter salary data. Most workers in this role earn between $31.73 and $66.83 per hour, depending on experience, location, and employer.

How do I join a bug bounty program?

To join a bug bounty program, you typically need to register on the platform hosting the program, such as HackerOne or Bugcrowd, and agree to their rules and scope. Developing skills in web security, using tools like Burp Suite or OWASP ZAP, and understanding responsible disclosure are essential. Some programs may require prior experience or certifications like OSCP or CEH.

What are some common challenges faced by professionals managing a Bug Bounty Program?

Professionals overseeing a Bug Bounty Program often encounter challenges such as efficiently triaging a high volume of vulnerability reports, ensuring clear communication with security researchers, and balancing quick response times with thorough investigation. Additionally, maintaining strong relationships with both internal development teams and external participants is crucial for program success. Staying updated on evolving security threats and continually refining program policies are ongoing responsibilities that require adaptability and collaboration.

How much do bug bounties get paid?

Bug bounty programs pay security researchers based on the severity and impact of the vulnerabilities they discover, with rewards ranging from $100 to over $100,000 for critical issues. Payments vary depending on the program, the organization, and the complexity of the bug, and researchers often use platforms like HackerOne or Bugcrowd to participate.

Which bug bounty pays the most?

Bug bounty programs from large technology companies like Apple, Google, and Microsoft tend to offer the highest payouts, often reaching hundreds of thousands of dollars for critical vulnerabilities. Successful bug bounty hunters typically have strong technical skills, knowledge of security testing tools, and experience in identifying high-impact security flaws.

What are the key skills and qualifications needed to thrive as a Bug Bounty Program participant, and why are they important?

To excel in a Bug Bounty Program, you need strong knowledge of cybersecurity fundamentals, vulnerability assessment, and web or software exploitation techniques, often backed by practical experience or certifications like OSCP or CEH. Familiarity with tools such as Burp Suite, Nmap, and Metasploit, as well as bug bounty platforms like HackerOne or Bugcrowd, is typically required. Critical thinking, persistence, and clear written communication are crucial soft skills for effectively identifying vulnerabilities and reporting them to organizations. These skills ensure you can discover security flaws efficiently, responsibly disclose them, and build a positive reputation in the cybersecurity community.

What is a Bug Bounty Program?

A Bug Bounty Program is an initiative offered by organizations that invites ethical hackers and security researchers to identify and report vulnerabilities in the company’s software, websites, or systems. Participants are typically rewarded with monetary compensation, recognition, or other incentives based on the severity of the bugs they find. These programs help organizations strengthen their security by leveraging the broader cybersecurity community, thus identifying issues before malicious hackers can exploit them. Bug bounty programs are widely used by tech companies to enhance security and build trust with users.

Will Facebook pay $500 if you find a bug in their code?

Facebook's bug bounty rewards vary depending on the severity and impact of the vulnerability found. While some reports have received payments of $500 or more, the amount is not guaranteed and depends on the quality and significance of the bug. Participants should review Facebook's bug bounty guidelines for specific payout details and submission criteria.

What is the difference between Bug Bounty Program vs Penetration Tester?

| Aspect | Bug Bounty Program | Penetration Tester |
| --- | --- | --- |
| Credentials | Knowledge of security vulnerabilities, bug reporting skills | Certifications like OSCP, CEH, CISSP often preferred |
| Work Environment | Remote, project-based, crowdsourced | Consulting firms, in-house teams, on-site or remote |
| Industry Usage | Tech companies, startups, open security initiatives | Security firms, corporate security teams, government agencies |
| Search/Comparison Intent | Understanding crowdsourced bug finding vs professional testing | Comparing freelance or company-based security assessments |

The main difference is that Bug Bounty Programs are crowdsourced initiatives where individuals report vulnerabilities remotely, often without formal certifications. Penetration Testers are professionals with certifications who perform targeted security assessments, usually in a consulting or in-house setting. Both roles focus on identifying security flaws but differ in structure, credentials, and work environment.

Infographic showing various Bug Bounty Program job openings in the United States as of June 2026, with employment types broken down into 50% Full Time and 50% Contract. Highlights a 100% In-person job distribution, with an average salary of $103,178 per year, or $49.6 per hour.
Security Engineer

Merge

Manhattan, NY • On-site

Full-time

Posted 8 days ago


Job description

Job Summary:
Merge is the leading provider of agentic tools and customer-facing integrations for frontier LLMs, Fortune 500 organizations, and B2B SaaS companies. As a Security Engineer at Merge, you will be the primary owner of product and application security across the platform, working closely with Engineering and Product to identify and fix vulnerabilities while ensuring strong security guarantees for API-first, AI-powered products.
Responsibilities:
• Own product and application security across Merge's platform: APIs, integrations, agent tooling, and AI-powered features
• Conduct security reviews, threat modeling, and code reviews with a focus on application-layer vulnerabilities (OWASP Top 10, injection, auth flaws, insecure deserialization, etc.)
• Drive vulnerability identification and remediation across the full SDLC, from design through deployment
• Build and mature our application security program, including SAST/DAST tooling, security testing in CI/CD, and developer security guidance
• Utilize AI to test the resiliency of our applications and systems
• Own and operate our bug bounty program end to end: triage, response, remediation, and researcher communication
• Partner with Engineering to embed secure design patterns and security review into how we ship software
• Support infrastructure and cloud security as needed, with a focus on how it intersects with our product surface
Qualifications:
Required:
• 3–6+ years of security engineering experience with a strong focus on product or application security
• Deep familiarity with application security concepts: OWASP, common vulnerability classes, secure API design, auth and authorization patterns
• Experience conducting threat modeling and secure code reviews
• Hands-on experience with application security tooling (SAST, DAST, SCA) and integrating security into CI/CD pipelines
• Experience with and a desire to code in at least one major programming language. You should be comfortable reading and writing code, not just running scanners
• Experience in a SaaS or API-driven environment; familiarity with multi-tenant systems and the security challenges they present
• Interest in learning and supporting other areas of Security where needed
Preferred:
• Experience with AI/LLM security, agent security, or securing data-heavy API platforms
Company:
Merge is one API to add hundreds of integrations to your product. Founded in 2020, the company is headquartered in San Francisco, USA, with a team of 51-200 employees. The company is currently Growth Stage.