Should I award researchers for out-of-scope reports?
Security researchers do work at their own risk and often invest many hours into projects that don’t pay them. We strongly encourage companies with bug bounty programs to award researchers for any effort that seems valuable. Doing so builds rapport with the researcher, which goes a long way toward ensuring their continued attention. Arbitrary awards like this can be as little as $25, but we’ve awarded up to $500 when a researcher has done a lot of work, despite the findings being out of scope.