A Bug Bounty Program uses a pay-for-results model, ensuring you pay only for valid results rather than for time and effort spent, as with traditional testing methods. It’s also important to note that through these programs, companies authorize researchers not only to identify vulnerabilities but also to provide a proof of concept (POC). Just as importantly, any data that a researcher gleans from these POCs is held and protected under the terms and conditions that the researchers and the company (and, if a third-party platform is used, that platform) have set forth. There are two types of program: private (invite-only) and public (open to the full Crowd).