
The bounty trap: how open source reward systems exploit the people they claim to serve
Open source bounty systems — from Web3 audit contests to traditional bug bounties — share a single structural flaw that corrupts nearly every platform in the ecosystem: the entity deciding whether to pay is the same entity that benefits from not paying. This conflict of interest, combined with AI-generated spam, platform collapses, and extreme earnings inequality, has created a system where skilled developers and security researchers routinely perform high-value work for free. The evidence spans every major platform and reveals not isolated bad actors but a systemic pattern of value extraction dressed up as opportunity.

The judge is the defendant: why every platform has the same problem

The core failure is architectural. In virtually every bounty system — HackerOne, Bugcrowd, Immunefi, Code4rena, Algora — the bounty poster unilaterally decides whether to pay. There is no binding contract, no neutral arbiter, and no meaningful legal recourse for the researcher. Bug bounty terms are wri