Company:
Date Published:
Author: Bugcrowd
Word count: 809
Language: English
Hacker News points: None

Summary

Bug bounty programs have reached an all-time high, but misconceptions about their nature and benefits persist. One common myth is that all bug bounties are public, inviting anyone to test an organization's applications. In reality, most bug bounty programs are private and invite-only, giving organizations a controlled way to use crowdsourced testing. Private programs provide a curated crowd, access to applications that are harder to test, and testing focused on specific attack surfaces. Researchers can sign up to participate in public programs and earn access to private ones through vetting and measurement criteria such as activity, quality, impact, and trustworthiness. Companies like Western Union, Okta, and Fitbit have successfully run both public and private bug bounty programs, highlighting the flexibility of this approach. By understanding the differences between public and private bug bounties, organizations can make informed decisions about their security strategy.