Organizations operate bug bounty programs with the hope of crowdsourcing their security, but how exactly do they work? This talk covers possible steps from the moment a researcher submits a report through triage, reward, retesting and resolution, based on internal lived experience with large, mature and sophisticated programs. Learn why companies implement these programs, how they can integrate and balance them with traditional penetration testing, and the potential pitfalls along the way.