1

Hourly Bug Bounty Program Jobs (NOW HIRING)

The development of the AWS researcher community is paramount to ensuring the success of our program ... Bug Bounty Program into the best on planet Earth. Key job responsibilities - Researching ...

Amazon's Bug Bounty team is looking for a Technical Program Manager (TPM) to help us secure the services and applications that Amazon customers rely on every day. In this role, you'll drive complex ...

Technical Program Manager, Bug Bounty

Seattle, WA · On-site

$146K - $190K/yr

Amazon's Bug Bounty team is looking for a Technical Program Manager (TPM) to help us secure the services and applications that Amazon customers rely on every day. In this role, you'll drive complex ...

The development of the AWS researcher community is paramount to ensuring the success of our program ... Bug Bounty Program into the best on planet Earth. Key job responsibilities - Researching ...

Technical Program Manager, Bug Bounty

Seattle, WA · On-site

$146K - $190K/yr

Amazon's Bug Bounty team is looking for a Technical Program Manager (TPM) to help us secure the services and applications that Amazon customers rely on every day. In this role, you'll drive complex ...

Product Security Engineer

Lehi, UT · On-site

$67.61 - $84.51/hr

You will work closely with internal engineering and security stakeholders to drive remediation and improve the bug bounty program's effectiveness. This is a contract engagement expected to backfill a ...

You will represent the organization to external security researchers via our Bug Bounty program, use a variety of tools to identify and manage application vulnerabilities, perform risk assessments ...

Bug Bounty Program Management: Own and expand Vercel's bug bounty program. You will triage and validate incoming vulnerability reports from the security researcher community, ensure critical issues ...

Senior Application Security Engineer

Broomfield, CO · On-site

$59.25 - $79/hr

You will represent the organization to external security researchers via our Bug Bounty program, use a variety of tools to identify and manage application vulnerabilities, perform risk assessments ...

Senior Application Security Engineer

Broomfield, CO · On-site

$59.25 - $79/hr

You will represent the organization to external security researchers via our Bug Bounty program, use a variety of tools to identify and manage application vulnerabilities, perform risk assessments ...

Contribute to our vulnerability management program, including triaging bug bounty and vulnerability disclosure reports and driving remediation efforts. * Security Automation : Develop and implement ...

next page

Showing results 1-20

Hourly Bug Bounty Program information

See salary details

$33.5K

$100.4K

$155.5K

How much do hourly bug bounty program jobs pay per year?

As of Jul 11, 2026, the average yearly pay for hourly bug bounty program in the United States is $100,365.00, according to ZipRecruiter salary data. Most workers in this role earn between $71,500.00 and $132,000.00 per year, depending on experience, location, and employer.

Which bug bounty pays the most?

In bug bounty programs, payouts vary widely depending on the severity and impact of the vulnerability, with some programs offering rewards of hundreds of thousands of dollars for critical findings. Platforms like HackerOne and Bugcrowd host high-paying programs, especially for critical security flaws in major companies. Successful bug bounty hunters often have strong technical skills, knowledge of web security, and experience with bug tracking tools.

What are some common challenges faced by participants in an hourly bug bounty program, and how can they overcome them?

Participants in an hourly bug bounty program often face challenges such as quickly identifying valid vulnerabilities, managing time efficiently, and competing with other security researchers for rewards. Staying organized and maintaining up-to-date knowledge of common vulnerabilities and testing techniques are essential. Collaborating with the program's security team for clarification and feedback can also help improve your effectiveness and increase your chances of success.

How much money can you make doing bug bounties?

The earnings from bug bounty programs vary widely; top security researchers can make thousands to hundreds of thousands of dollars annually by finding critical vulnerabilities. Income depends on the scope of programs, the severity of bugs found, and the researcher’s skills and experience. Consistent success often requires knowledge of security testing tools and programming languages.

What is an Hourly Bug Bounty Program?

An Hourly Bug Bounty Program is a cybersecurity initiative where organizations pay security researchers or ethical hackers by the hour to identify and report vulnerabilities in their systems. Unlike traditional bug bounty programs that reward based on the severity of discovered bugs, this model compensates participants for their time and effort, even if they do not find any vulnerabilities. This structure can attract a broader range of skilled testers and provide continuous security assessment. It also allows organizations to receive more comprehensive feedback on their security posture.

What companies pay bug bounties?

Many technology companies, including Google, Microsoft, Facebook, Apple, and Uber, run bug bounty programs that pay security researchers for discovering and responsibly reporting vulnerabilities. These programs are often hosted on platforms like HackerOne and Bugcrown, and they typically offer rewards based on the severity of the findings and the quality of reports.

How much does Amazon pay for bug bounty?

Amazon's bug bounty program offers rewards that can range from a few hundred to over $100,000 depending on the severity and impact of the vulnerability. Bug bounty hunters typically need skills in security testing, and payouts are based on the quality and significance of the reported issues.

What are the key skills and qualifications needed to thrive as an Hourly Bug Bounty Program participant, and why are they important?

To excel in an Hourly Bug Bounty Program, you need deep knowledge of cybersecurity principles, vulnerability assessment, and web application security, often demonstrated by experience or certifications like OSCP or CEH. Familiarity with tools such as Burp Suite, Metasploit, and various bug tracking or reporting platforms is typically required. Strong analytical thinking, attention to detail, and effective communication skills help you identify, document, and report vulnerabilities clearly. These competencies are crucial for protecting client systems, ensuring precise reporting, and maximizing your success and reputation within the bug bounty community.
More about Hourly Bug Bounty Program jobs
What cities are hiring for Hourly Bug Bounty Program jobs? Cities with the most Hourly Bug Bounty Program job openings:
What are the most commonly searched types of Bug Bounty Program jobs? The most popular types of Bug Bounty Program jobs are:
What states have the most Hourly Bug Bounty Program jobs? States with the most job openings for Hourly Bug Bounty Program jobs include:
What job categories do people searching Hourly Bug Bounty Program jobs look for? The top searched job categories for Hourly Bug Bounty Program jobs are:
Infographic showing various Hourly Bug Bounty Program job openings in the United States as of July 2026, with employment types broken down into 72% Locum Tenens, 20% Full Time, 2% Part Time, and 6% Summer. Highlights an 87% Physical, 1% Hybrid, and 12% Remote job distribution, with an average salary of $100,365 per year, or $48.3 per hour.
Product Security Engineer - Bug Bounty

Product Security Engineer - Bug Bounty

Ursus, Inc.

Lehi, UT • On-site

Full-time

Posted 5 days ago


Job description

Job Summary:
Ursus, Inc. is a staffing agency representing a global leader in creative software, offering innovative tools for digital media creation, design, and marketing. They are seeking a Product Security Engineer to support their Bug Bounty program on a 6-month contract engagement, where the engineer will be responsible for triaging vulnerability reports and coordinating with internal teams for remediation.
Responsibilities:
• Triage incoming vulnerability reports submitted via the bug bounty platform, assessing validity, impact, and scope.
• Assign CVSS scores and severity ratings accurately, following internal severity guidelines and industry standards.
• Reproduce proof-of-concept (PoC) exploits to validate reported vulnerabilities across web, API, and mobile surfaces.
• Communicate clearly and professionally with external researchers: request clarifications, provide status updates, and manage expectations.
• Coordinate with product engineering teams to route confirmed vulnerabilities for remediation.
• Identify duplicate, out-of-scope, or informational reports and close them with clear, respectful explanations.
• Contribute to internal documentation, triage runbooks, and severity calibration guidelines.
• Flag systemic or critical findings to Bug Bounty team for escalation as needed.
Qualifications:
Required:
• 3+ years of experience in application security, penetration testing, or a bug bounty/vulnerability disclosure role.
• Strong understanding of CVSS v3.1 scoring and hands-on experience applying it to real-world vulnerabilities.
• Proficiency in common web vulnerability classes: XSS, SQL injection, SSRF, IDOR, authentication flaws, and business logic issues.
• Ability to reproduce and validate PoC exploits using tools such as Burp Suite, browser DevTools, curl, and custom scripts.
• Familiarity with bug bounty platforms (e.g., HackerOne, Bugcrowd) and responsible disclosure processes.
• Solid written communication skills — able to write clear, constructive responses to researchers of all skill levels.
• Familiarity with attacker techniques used by external researchers against LLM systems and generative AI products.
• Knowledge of application security vulnerabilities (OWASP Top 10) and mitigation techniques.
Preferred:
• Experience with cloud environments (AWS, Azure, GCP) and API security testing.
• Hands-on experience in penetration testing of AI/ML and LLM-powered products, including chat interfaces, agentic workflows, and inference APIs.
• Prior participation in bug bounty programs as a researcher.
• Familiarity with OWASP Top 10, CWE taxonomy, and CVE assignment processes.
• Background working within a large enterprise or SaaS security organization.
Company:
Ursus, Inc., has been recognized by Staffing Industry Analysts (SIA) for four consecutive years as the fastest-growing technical and creative staffing firm in the United States. Founded in 2015, the company is headquartered in San Francisco, USA, with a team of 201-500 employees. The company is currently Growth Stage.

Ursus logo

About Ursus

Sourced by ZipRecruiter

Ursus is a recognized leader in providing technical and creative staffing solutions. Hyper - focused on you - ( the candidate, the client, the partner, the employee ) and how to make your engagement with us the best possible experience it can be while delivering results. Whether you are looking for your next career move, scaling a growing team, adding a trusted partner to your staffing program or completing a project, we’re here for U!

Industry

Recruiting and staffing services

Company size

11 - 50 Employees

Headquarters location

Morgan Hill, CA, US

Year founded

2015