Want to make a cool $20,000?All you have to do is hack the Nintendo 3DS, a handheld console that\u2019s been out for a few years already. A listing on HackerOne spells everything out: Hackers will receive a cash payment for discovering a vulnerability in the system, which does let gamers make purchases and stores private information like your age and gender. There\u2019s a range for this, of course -- some discoveries will pay $100. Also, anyone who files a report must follow the exact template.It makes you wonder -- why would a major Japanese corporation offer a reward like this? Why is it even worth the expense, especially when you know they have internal security researchers?Many companies, including Apple, Uber, and Yelp, regularly offer bounties. One report said Apple would pay as much as $200,000 if you find an exploit in the new iPhone. The expense is obviously worth it or the bounty programs -- and sites like HackerOne -- wouldn\u2019t exist.[ ALSO ON CSO: 7 steps to start a bug bounty program ]\u201cThe main advantage is that you get researchers that think like a hacker and will try to find vulnerabilities like a hacker,\u201d says Alvaro Hoyos, the CSO at OneLogin, an identity and access management company. \u201cThis helps you identify issues that either your internal or external penetration testing teams might miss, not just because of that hacker frame of mind, but also because you have a greater quantity of researchers constantly testing your systems.\u201dChris Roberts, the chief security architect at Acalvio Technologies, an endpoint protection company, says the rise of hacking bounties is due to how the community has become more organized and helpful. Sites like Bugcrowd and BugSheet have made it easier for larger firms to post a bounty, accept research findings, and pay the researcher.He tells CSO that he has been paid about $3,000 to $5,000 to find a vulnerability, although in some cases the company only gives him a warm thanks. In some cases, a bounty for his team has run as high as $25,000 to find a bug a hacker could expose.Challenges in offering a bountyRoberts noted that companies are not always prepared to offer a bounty or set up the bounty program. One big challenge is finding the right bounty amount to match the vulnerability.\u201cThis can lead to some unpleasant exchanges with researchers,\u201d he says. \u201cYou will have to properly manage the input, the responses and the findings -- even though you are now hoping that your IT security budget is lower. You will have to staff up to work through the submitted results or risk the wrath of people getting fed up not getting a response.\u201dIn some cases, hackers will not want to be identified and may not want to work with a corporate legal team once a bug is discovered, he says. Not all researchers want to read through a complex reporting template that spells out every detail. And, if the program is not configured properly (say, having a test environment only for the researchers), real attacks might be hard to discern.[ RELATED: Risk vs reward: how to talk about bug bounty programs ]Hoyos says one potential challenge to a bounty is that it can call attention to the new service, gadget, or app. It could alert a criminal hacker that a company like Apple or Uber knows there could be a vulnerability, even if that\u2019s not necessarily true.\u201cIf your company lacks the resources to close out bugs being reported in a timely manner, you are, in theory, letting more and more third parties know an exploitable bug exists,\u201d says Hoyos. \u201cChances that none of those third parties will disclose that bug to a malicious actor or abuse it themselves goes up as more of them become aware. This of course is assuming the worst possible outcome and knowing what you don't know is still extremely valuable.\u201dPaul Innella, the CEO of TDI, a cybersecurity company, says some bounty programs go awry -- hackers discover an exploit, and instead of letting the company know and collecting the reward, the sell the discovery on the Dark Web. The bounty program created a new problem.What to expect from both sidesOffering a bounty -- or being the researcher who looks for the exploits -- is also challenging because in many ways the temptation is to offer a bounty instead of hiring security professionals, running your own penetration tests, and setting up a security infrastructure.\u201cIf you\u2019re using this methodology because you don\u2019t understand your corporate defenses, meaning you\u2019re not equipped to detect attacks and act upon them, then offering a bounty is not for you,\u201d says Innella. \u201cBounty programs should be used by companies with robust cyber defenses and considered a part of regimental cybersecurity testing, essentially in an outsourced capacity.\u201dJumping into ethical hacking to find exploits is not something to take lightly, according to Nathan Wenzler, a security architect at AsTech Consulting. One important point he made: While there is a rise in the number of hacking bounties, there\u2019s also a trend in offering lower amounts. Uber, for example, has paid a total of $819,085 since launching a bounty with a top range of $5,000 to $10,000, but the average is more like $750 to $1,000 per exploit.Still, Paul Calatayud, the CTO at FireMon, a firewall management company, says finding a zero-day exploit for a large enterprise can pay much higher -- into the seven-figure amount.That\u2019s a pretty good pay day.