Open-source software components (OSCs) are used in commercial software development across a slew of industry sectors, from communications to finance. Because anyone can create an open-source project, there are no baseline security standards or requirements across the ecosystem. The owners or maintainers of a project may not have the resources or expertise to offer any security guarantees. The onus of evaluating the security of OSCs therefore falls on their users, i.e. software developers and the institutions they work for. Yet a company may use hundreds to thousands of OSCs within a single application, so a security analysis of every OSC may not be practical. In this talk, we discuss a targeted open-source bug bounty initiative that offers OSC users a proactive approach to investigating the security of the components that matter to them, by crowdsourcing the discovery of security vulnerabilities to external security researchers, all without breaking the bank. We illustrate the process with a case study of a bug bounty for JavaScript OSCs used at Comcast. Overall, we conclude that such bounty programs are a cost-effective and low-effort solution to the hidden security risk of OSCs.