Glossary
Bug Bounty
A standing offer to pay outside security researchers for responsibly reported vulnerabilities, scaled to the impact of the bug.
A bug bounty program publishes its scope (which contracts are in scope, which classes of issue count, and what is explicitly excluded), reward tiers by severity, and a contact channel for responsible disclosure. For crypto protocols specifically, Immunefi has become the dominant marketplace; critical-severity payouts there have reached 10M+ USD.
Bug bounties complement audits rather than replacing them: an audit reviews a fixed snapshot of the code over a fixed window, while a bounty stays open for as long as the contract is in production, which also covers changes and upgrades shipped after the audit. For protocols handling significant TVL, a serious bounty (with rewards sized against the funds actually at risk) is considered table stakes alongside an audit.