How is the Bug Bounty program implemented, who decides on payouts and who reviews the bug report?

Can you give an example of a successful bug report in the past?