After finishing reading the article on bug bounties, it is very interesting to see something I
always assumed to be true presented with evidence. While I hadn’t heard of HackerOne before, I
am aware of a lot of other bug bounty programs, like Apple’s bug bounty programs. It makes
sense that, in general, only paying someone once the job is done (in this case, finding the bug)
ensures that you are paying the amount of money you want to. It is very easy for a company to
place a dollar figure on how much finding a bug is worth to them in terms of the offset it would
cost if a particularly bad bug were to be found by a malicious threat actor and exploited to harm
the company.