Bug bounty platforms sell a simple dream: hackers earn money, companies get safer software, and everyone wins. But dig into public disclosure threads, Reddit rants, and private Discords and you’ll find a darker subplot. Some organizations game their own programs, dodging payouts with “won’t fix” labels, razor-thin scopes, or last-minute severity downgrades while quietly shipping patches for the very bugs they declined to pay for.
Below you’ll find three common tactics, three representative case studies, and a condensed playbook that helps new hunters stay paid (and sane) in a sometimes-rigged arena.
1. “Valid but Won’t Fix”
How It Works: Company admits the bug is real but claims the risk is acceptable, so no bounty.
Why It Hurts Hunters: Hours of research go unrewarded; no public credit.
2. Scope as a Shield
How It Works: Programs exclude high-risk assets or domains; any bug there is auto-rejected.
Why It Hurts Hunters: Attack chains that work against the real deployment get dismissed as “out of scope” the moment they touch an excluded asset, so the most impactful findings are the least likely to be paid.