# What is Bug Bounty?

A bug bounty program is an ongoing invitation for vetted security researchers to find and report vulnerabilities in your applications. Instead of a one-time test, bug bounty provides continuous security coverage -- researchers look for issues around the clock, and you only pay for valid, verified findings.

## How It Works

The concept is simple: you define what you want tested (the scope), set reward amounts for different severity levels, and Catchify's community of security researchers gets to work finding vulnerabilities. When a researcher finds something, they submit a report, the Catchify team reviews it, and if it is valid, the researcher is rewarded.

Here is the process from your perspective:

1. **You define the scope** -- Together with the Catchify team, you decide which applications, domains, and systems are open for testing
2. **Researchers test your applications** -- Vetted security researchers look for vulnerabilities in the areas you have defined
3. **Reports are triaged** -- The Catchify triage team reviews every submission before it reaches you, filtering out duplicates, false positives, and out-of-scope reports
4. **You review confirmed findings** -- Only validated reports are presented to you for review
5. **Researchers are rewarded** -- When you approve a finding, the researcher receives their reward through Catchify

<figure><img src="/files/PWCNjw0CWL2xWHblnXy2" alt="Bug bounty programs list showing available programs"><figcaption><p>The bug bounty workflow -- from researcher submission to verified finding</p></figcaption></figure>

## Why Bug Bounty?

Bug bounty programs complement penetration testing by providing ongoing security coverage. Here is why organizations choose bug bounty:

| Benefit                  | Description                                                                       |
| ------------------------ | --------------------------------------------------------------------------------- |
| **Continuous coverage**  | Unlike a one-time pentest, researchers are always looking for new vulnerabilities |
| **Diverse perspectives** | Multiple researchers with different skills and approaches test your systems       |
| **Pay for results**      | You only pay when a valid vulnerability is found -- no finding, no cost           |
| **Faster discovery**     | With many researchers working simultaneously, issues are found sooner             |
| **Managed for you**      | The Catchify team handles triage, researcher management, and payouts              |

{% hint style="info" %}
Many organizations run bug bounty programs alongside regular penetration testing. The two approaches complement each other -- pentesting provides structured, comprehensive coverage, while bug bounty catches issues through diverse, creative testing approaches.
{% endhint %}

## How Catchify Manages It for You

Running a bug bounty program can be complex, but Catchify handles the operational work so you do not have to:

* **Researcher vetting** -- Every researcher on the Catchify platform goes through an identity verification and screening process before they can participate in programs
* **Triage** -- Our experienced security team reviews every submission, verifying that reports are valid, unique, and within scope
* **Communication** -- The Catchify team manages day-to-day communication with researchers on your behalf
* **Payments** -- Researcher rewards are handled through the Catchify wallet system: you fund your wallet, and the Catchify team distributes payments

## Is Bug Bounty Right for You?

Bug bounty is a great fit if:

* Your applications are customer-facing and constantly evolving
* You want continuous security testing beyond periodic penetration tests
* Your team wants to focus on fixing issues rather than managing a testing program
* You are looking for a cost-effective way to scale your security testing

If you are interested in starting a bug bounty program, talk to your account manager. The Catchify team will help you define the scope, set appropriate reward levels, and launch the program.

{% hint style="success" %}
Catchify's bug bounty programs are private by default -- only vetted, invited researchers can see and participate in your program. Your scope and vulnerabilities are never publicly visible.
{% endhint %}

