A study examined bug bounties, programs in which security researchers are paid for finding and explaining vulnerabilities in company code bases. Advocates say that bug bounty programs are a cost-effective way for companies to improve their security. The research supports that assertion, using a large dataset and instrumental variables to eliminate potential sources of endogeneity. Security researchers are motivated by non-financial factors, as shown by their price elasticity of supply, which is 0.1 to 0.2 at the median. Companies can still benefit from bug bounties even if they can’t pay researchers much. A company’s revenue and brand profile do not affect the number of valid security vulnerability reports it receives.