Want to strengthen your digital security? Pay someone to break into your software - and your systems.
Last May, United Airlines, still struggling to integrate its computer system with Continental’s following the merger of the two companies, issued an open call to hackers. The challenge: to locate and report security holes on its website, with airline miles as an incentive for successful finds. Uncovering a scripting flaw could earn 50,000 miles, while a vulnerability that allowed denial-of-service attacks could score 250,000 miles. Within two months the Chicago-based carrier had shelled out 1.8 million miles for several bugs, including two so-called remote code execution flaws that could have let a hacker take over United’s system.
United’s experience reflects a sobering truth: No matter how many hours your digital team sweats it out in front of a computer, they’re never going to find and patch every vulnerability. And even if you pay an outside firm to do the job, it almost certainly won’t find everything either. But a boundless, global army of hackers who are paid only when they unearth security bugs? Now you’re talking.
Once the purview of tech giants like Facebook and Google, this model has gone mainstream. Today, hundreds of companies host so-called bug-bounty programs spanning apps, software, and company networks. Some companies have invitation-only programs. Many post program guidelines on their websites, including a schedule of payouts based on the seriousness of a flaw.
So how do you throw open your arms to ethical hackers without wasting your time or—far worse—exposing something critical that someone can exploit? A few pros share their insights. —KATE ROCKWOOD
Start With Self-Scrutiny