This is kind of what bug bounties are! See also https://www.synack.com/red-team/. The limitation with crowdsourcing and bug bounties is that you can generally only use them to find publicly accessible technical problems with your products, and the hackers aren’t allowed to do things like social engineering. I haven’t heard of a consultancy that has this same policy with their pentests, but generally it’d have to be the company contracting them to come up with the compensation policy, as which assets are important and what further “compromise” entails varies between organizations.