The ROI of a Bug Bounty
The hack the average critical bug bounty prevents costs $25,000,000 and three months of your life. You will get a critical either way. Run the bug bounty program, and find out from a whitehat first.
A bug bounty critical pays a median of $20,000. The average onchain hack costs $25,000,000. That gap, better than 1,250 to one, is the whole argument for running a bug bounty program as a mission critical part of your security stack, and the rest of this post is me showing the math.
I run Immunefi, so I sit on five years of disclosure data most of this market never gets to see. I pulled it, ran it against the hack-loss record, and modeled what a program actually returns. The conclusions are clear, substantiated by hard data, and you do not have to trust any single figure to believe them.
Let’s start with the objection every team raises, because the data kills it cleanly.
“We’ve been audited. Our code is solid. A critical? That happens to other teams.” Across 593 programs running January 2021 through February 2026, here is what actually happens. Among programs live for five years or more, 94% have surfaced at least one confirmed, paid critical. The curve is monotonic, and it climbs toward certainty: 61% at one year, 74% at two, 87% at three, 93% at four, 94% at five.
These programs did not start their bug bounty program because they smelled trouble. They understood that critical vulnerabilities are simply what happens when you expose complex, high-value code to sustained adversarial review.
One in five confirmed reports across all Immunefi programs is rated critical. A critical in your code is an appointment you have not seen on the calendar yet, and the only open question is whether a whitehat keeps it or an attacker does.
So the question worth asking is simple: when the critical surfaces, does a friendly researcher find it first, or does an attacker?
So what does it cost to keep that appointment?
A bug bounty is the security spend where results drive the payout. Find a bug, pay for the bug. A researcher does the labor, finds the flaw, hands you a catastrophe you had no idea was sitting in production, and only then does money move. Across every currently active program, annualized over six years, the typical program pays out about $63,300 a year in total bounties, roughly $54,500 of it for criticals, because criticals carry 86% of all payout value.
That number overstates the cost for most teams. The average is dragged up by a handful of very large programs, so the median program pays meaningfully less. Payments are also lumpy, and the lumpiness is the point: you might pay nothing for a year, then write one large check the week a researcher catches the bug that would have absolutely destroyed your project.
What your bug bounty program is really renting is a legion of adversaries to your side of the table. The same person who could have drained funds is paid, instead, to hand you the exploit and walk away clean and heroic. An audit does not give you that. Audits are a fixed cost against a frozen snapshot of code, and over 80% of Immunefi customers still receive a critical through their bounty after the audits are done. The audit checks the code once. A bug bounty checks it forever.
The criticals also recur, which is why bug bounty programs run for years, indefinitely. Among programs that have surfaced a critical, the average is 2.7 of them, and one program has logged 50 over its life. New code ships, opening new attack surfaces, and new vulnerabilities arrive with it. Roughly half of all active programs surface a fresh critical in any given year, and that rate has held steady through bull markets and bear markets alike.
Widen the lens to high severity and it stops being a coin flip. Around 70% of all programs surface at least one high or critical bug every single year. Seven in ten teams are almost hacked annually, and the only programs that have not are the ones too young to have drawn enough researcher attention yet. Given the trajectory, they inevitably will. The bugs are a property of the code, not a verdict on the team.
What does the hack cost when an attacker keeps the appointment instead?
The headline theft is the smallest line on the invoice. In 2024 to 2025 the average hack stole $24,500,000 outright. Then the real bill arrives: the median hacked token loses 61% of its value within six months, and 84% never reclaim their pre-hack price inside that window. Treasury, runway, hiring, leverage in every partnership conversation, all of it gets repriced overnight, and the market does not extend credit to the breached.
Add the part no spreadsheet captures: Hacked teams lose at least three months to incident response, remediation, and leadership churn. The security lead usually walks, the roadmap stalls, and recruiting gets harder, because a hack is an ugly signal and talent reads signals fast. I call the whole thing Amador’s Hack Impact Estimate: roughly $25,000,000 in direct theft, a 61% token decline, an 84% chance the price never recovers, and a quarter of a year set on fire.
Here is the implication most teams without a bounty refuse to sit with: skipping your bug bounty program does not buy you fewer vulnerabilities. It buys you the same vulnerability density, probably higher, since teams that skip bounties tend to run weaker security practices overall. The critical vulnerability is already in your code. With a bug bounty, a researcher who finds it has a clear, paid path to report it; without one, that same researcher has no reward and no obligation, so the bug waits in the dark for someone with darker intentions, or for the day it lands onchain as an exploit.
When it lands that way, the damage rarely stays contained. Composability has turned single failures into cascades. Elixir’s deUSD stablecoin collapsed after a $93 million loss at one counterparty propagated through collateral dependencies, wiped out more than 97% of the token’s value, and disrupted multiple lending markets on the way down. The bug that does that to you was findable. The only variable was whether anyone was paid to find it first.
Now put both sides together across years, the way you would judge any real investment.
Run a program for five years and you pay, on average, around $316,000 in total bounties. A single hack prevented is worth roughly 395 years of that program’s average annual payout. Steelman the cost as hard as you can: assume a serious program also runs you six figures a year in platform fees on top of payouts, well above what most carry, and one prevented critical still covers more than a decade of the whole arrangement. The math does not approach break-even unless you assume bounties almost never prevent anything, and the bug inevitability curve says the exact opposite.
The probability is not a hand-wave either. For every critical exploited onchain, around four comparable vulnerabilities were responsibly disclosed and fixed before anyone lost a dollar. Reasonable people can argue that ratio, and they should, since it is the load-bearing assumption in the model. But you can halve it, halve it again, and a $20,000 median payment standing in front of a $25,000,000 average loss still returns more than anything else in the budget.
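The expected-value comparison the last two paragraphs walk through, written out as a small model so you can change the load-bearing assumption yourself. This is an added illustration, not Immunefi's internal model; the $63,300 annual payout, 94% five-year critical rate, $25,000,000 hack cost and 4:1 disclosed-to-exploited ratio are the post's figures, while the $100,000-a-year platform fee is the post's "six figures" steelman chosen here as a round number, and converting 4:1 into an 80% chance that a whitehat gets there first is an assumption of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProgramInputs:
    """Figures from the post; annual_fees is an assumed steelman ('six figures')."""
    years: int = 5
    annual_payout: float = 63_300.0     # typical program, total bounties per year
    annual_fees: float = 100_000.0      # ASSUMED platform fees, not a figure from the post
    p_critical: float = 0.94            # programs with a paid critical by year five
    hack_cost: float = 25_000_000.0     # average onchain hack

def p_whitehat_first(disclosed_per_exploited: float) -> float:
    """4 disclosed per 1 exploited -> 4/(4+1) = 0.8 (assumed conversion)."""
    return disclosed_per_exploited / (disclosed_per_exploited + 1.0)

def program_cost(inp: ProgramInputs) -> float:
    """Lifetime outlay: payouts plus assumed platform fees."""
    return inp.years * (inp.annual_payout + inp.annual_fees)

def expected_loss_averted(inp: ProgramInputs, p_first: float) -> float:
    """Hack cost weighted by P(a critical exists) and P(a whitehat gets it first)."""
    return inp.p_critical * p_first * inp.hack_cost

def roi_multiple(inp: ProgramInputs, p_first: float) -> float:
    """Expected loss averted per dollar of program cost."""
    return expected_loss_averted(inp, p_first) / program_cost(inp)

def breakeven_p_first(inp: ProgramInputs) -> float:
    """Smallest P(whitehat first) at which the program just pays for itself."""
    return program_cost(inp) / (inp.p_critical * inp.hack_cost)

def sensitivity(inp: ProgramInputs, ratio: float = 4.0, halvings: int = 2) -> list:
    """The post's 'halve it, halve it again': (p_first, roi) per halving."""
    base = p_whitehat_first(ratio)
    return [(base / 2 ** k, roi_multiple(inp, base / 2 ** k)) for k in range(halvings + 1)]

if __name__ == "__main__":
    inp = ProgramInputs()
    print(f"five-year cost: ${program_cost(inp):,.0f}")
    print(f"break-even P(whitehat first): {breakeven_p_first(inp):.1%}")
    for p, roi in sensitivity(inp):
        print(f"P(whitehat first)={p:.0%}: averted/cost = {roi:.1f}x")
```

Even after halving the disclosure probability twice, the model stays well above break-even, and the break-even itself sits at a whitehat-first probability of only a few percent.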
Even the unusual, expensive criticals stay cheap on this scale. The mean critical payout is $114,355, pulled up by a small number of enormous findings, and a six-figure check is still two orders of magnitude below the average hack it heads off. There is no severity tier where the bug bounty loses this cost comparison.
The largest payouts in this market read like rounding errors against what they protected. In December 2021 a whitehat named Leon Spacewalker reported a missing balance check in Polygon that exposed all 9.27 billion MATIC in a single contract, and the bounty was $2.2 million. Weeks earlier, another researcher caught a double-spend on Polygon’s bridge for $2 million, the largest bounty in crypto at the time. Wormhole later paid $10 million through Immunefi for one of the most significant findings in DeFi history, against nearly a billion dollars in hard cash impact alone.
Zoom out and the system-level ratio holds. Immunefi has paid $115 million for confirmed criticals alone, and $138 million across all bounties. The funds those disclosures protected exceed $25 billion in conservatively assessed, hard cash impact.
The return on one caught bug is the easy part. The compounding is what most people miss. Sustained coverage does not just catch bugs one at a time, it applies continuous pressure that closes off whole classes of attack. Bridges produced $1.9 billion in losses across nine exploits in 2022, with Ronin at $624 million and Wormhole at $326 million, and in 2025 bridge exploits were down to 3% of all losses, because the architectures that failed got replaced under years of scrutiny. Flash-loan attacks fell from 54% of all losses in 2020 to under 1% in 2025.
The aggregate trend is just as clear. DeFi protocol losses dropped 80% from a $2.62 billion peak in 2022 to $534 million in 2024. What remains is the hard tail: novel, protocol-specific logic bugs made up 89% of 2025 DeFi losses, which is the exact category your live bug bounty is built to surface. None of that progress happened without years of researchers being paid to find bugs first.
So here is the decision, stripped to the core: if you ship code that custodies user funds and skip continuous bounty coverage, what you own is an uninsured position against an enormous eight-figure downside that will inevitably be realized.
The median critical bounty costs $20,000. The hack it prevents costs $25,000,000 and three months of your life. You will get a critical either way. Run the bug bounty program, and find out from a whitehat.
A note on the numbers: vulnerability and payout figures come from Immunefi data covering 593 bug bounty programs, with audit competitions excluded; hack, token-decline, and industry-trend figures come from publicly reported incidents and DeFiLlama TVL through early 2026. Funds-at-risk is a nominal upper bound of historically assessed cases until 2023; the real losses prevented are considerably higher today. The four-to-one disclosed-to-exploited ratio is an estimate I will revise as better data surfaces. The final conclusion of this post survives all of it.