Quick answer: Pay-per-report bounty programs invite spam, because the cheapest way to earn is to submit volume. A pay-per-fix model with severity tiers rewards the behavior you actually want: reports that lead to shipped fixes.

If your bounty pays for reports, you'll get reports. If it pays for fixes, you'll get useful reports.

Pay on fix, not on report

The bounty is awarded only when a report results in a shipped fix, not when it lands in the inbox. Reporters learn that quality and reproducibility matter; duplicates, unverifiable claims and scanner dumps earn nothing. Decide upfront how you handle valid findings you choose not to fix (accepted risk, won't-fix): if those never pay, reporters will stop sending them, so state that policy in the rubric.

Tier by severity

Sev-1 fix: $100. Sev-2 fix: $25. Sev-3 fix: a thank-you. Tiers pay for impact rather than volume. Expect low-effort reports to self-rate as Sev-1; since severity is assigned at triage, not by the reporter, those are filtered before any payout is owed.

Cap per-month payouts

A single reporter is capped at $500/month. A skilled reporter is worth more than that, but the cap keeps the bounty from becoming someone's full-time job and bounds your monthly exposure. The trade-off: once a reporter hits the cap they may hold findings until next month or take them elsewhere, so say in the rubric whether capped amounts roll over or are forfeited.

Publish the rubric

Reporters know upfront what counts, which severity each class of finding maps to, and what pays. The transparency is fair to reporters and disputes drop, because the rubric, not a triager's mood, decides the tier.

“Bounty programs reward what they're designed to. Design deliberately.”

Audit the program quarterly. The first month catches the design bugs (tiers that pay too little to attract real findings, a cap set so low that good reporters leave); ongoing tuning catches the gaming, such as one finding split across several reports to reach a higher total.
