Top 5 Bug Bounty Programs
October 29, 2013
Microsoft recently offered its largest bounty yet: $100,000 for a new mitigation bypass technique. Paying for reported bugs is a growing trend among social media sites and software companies that want to find and fix the security problems in their products before a malicious attacker exploits them.
For years, bug bounty programs have encouraged ethical hackers to find and report holes so they can be fixed, and in doing so they have helped a number of high-profile brands maintain customer confidence. The amounts paid to the researchers who find the bugs may look high, but they are far less than the cost of keeping an equivalent team of full-time security researchers on staff. A bounty also rewards using hacking skills ethically rather than maliciously: without a sizeable legitimate payout, a researcher could be tempted to sell a discovery on the black market for a higher return. Bug hunting has become a good business for some researchers, who have collected thousands of dollars in rewards. Sergey Glazunov, one of the most successful, has received bounties totaling more than $150,000 over his career.
As more organizations run bug bounty programs, the more effective the programs become at uncovering and fixing serious security problems. Find out below which companies run the best bounty programs for the hackers talented enough to uncover their mistakes, and which programs pay the most for your bug hunting skills.
Top 5 Bug Bounty Programs
1. Google Chrome Bug Bounty Program
The Chrome bug bounty program rewards security researchers who report flaws in Google's Chrome browser. Google has already paid out more than two million dollars across its security reward programs. This time the company has raised the reward for the most serious bugs from $1,000 to $5,000, but only reports that demonstrate a significant threat to users, include an accurate analysis of the impact, and show how an attacker could exploit the bug qualify for the higher amounts. Google also pays rewards for vulnerabilities in software other than Chrome.
2. Mitigation Bypass and BlueHat Bonus Bounty Programs
The Mitigation Bypass Bounty is paid by Microsoft for novel exploitation techniques that bypass the built-in defenses of Windows 8.1. Hackers can earn up to $100,000, a sizeable amount compared with the bounties offered by other companies, including Google, Yahoo and Facebook.
The BlueHat Bonus for Defense goes to researchers who propose a new defensive technique that would block an entire class of attacks in the future. To qualify, the researcher must also submit a qualifying Mitigation Bypass. The point of this bonus is to make the millions of Windows systems in use worldwide harder to attack, not just to fix one bug.
Microsoft also recently offered up to $11,000 per qualifying bug for vulnerabilities in the Internet Explorer 11 preview, so they could be fixed before the browser shipped to users. In the end the company paid out thousands of dollars more than that, since several researchers submitted qualifying reports.
3. Apple Bug Bounty Program
Despite reports at the time, Apple ran no paid bug bounty in 2013. Researchers who reported vulnerabilities to Apple were credited on its web security acknowledgments page rather than paid, and a paid, invitation-only program (with a top reward of $200,000) did not appear until 2016. The $15,000 to $115,000 range quoted for Apple in some coverage does not correspond to any program Apple actually offered.
4. Mozilla Bug Bounty Program
The primary goal of the Mozilla bug bounty program is to make the Internet safer for Mozilla's users. The open-source organization behind the Firefox browser strongly encourages security researchers and ethical hackers to look for vulnerabilities in Mozilla software. A researcher who finds a qualifying vulnerability is rewarded with a Mozilla t-shirt and a bounty of $500 to $3,000, depending on the severity of the bug.
5. PayPal Bug Bounty Program
PayPal's bug bounty is only paid to hackers who follow the company's terms and conditions. A hacker who identifies a bug must keep it private and is rewarded only after the PayPal security team confirms that the vulnerability is genuine. Rewards range from $750 to $10,000 depending on the severity of the bug and the quality of the report.
The Bounties Don’t Stop Here!
The bug bounty programs listed above may be some of the most profitable, but they are not the only companies that pay for reported vulnerabilities. Below are a few other programs that can still earn you a couple of hundred dollars here and there for your work.
AT&T's bug bounty program is open to developers and security researchers who responsibly disclose security vulnerabilities to the company. AT&T offers a reward and/or public recognition for qualifying bugs; bugs that affect the confidentiality or integrity of a user's data and privacy are the most likely to receive a monetary bounty.
To qualify, you must submit your contact information and the details of the vulnerability as outlined by AT&T. Once a quarter, AT&T evaluates all submitted bugs that have been patched and picks the top 10 to receive a bounty ranging from $100 to $5,000. These researchers, along with all other responsible reporters, are publicly acknowledged by AT&T.
Avast! Bug Bounty Program
The Avast! Bug Bounty program is designed for security-related bugs only and typically the following vulnerabilities will qualify for a bounty:
- Remote Code Execution
- Local Privilege Escalation
- Avast! Code Bugs
- Scanner Bypasses
Avast! bounties start at $200 and can reach $5,000 or more depending on the criticality of the bug. Avast! does not maintain a Hall of Fame for researchers who have reported vulnerabilities.
Barracuda Bug Bounty Program
Barracuda's Bug Bounty program covers security-related vulnerabilities found in the following Barracuda Networks products:
- Barracuda Spam & Virus Firewall
- Barracuda Web Filter
- Barracuda Message Archiver
- Barracuda SSLVPN
- Barracuda Web Application Firewall
- Barracuda Load Balancer
- Barracuda Firewall
- Barracuda NG Firewall
- CudaTel Communication Server
Qualifying bugs that are reported responsibly and respectfully to the Barracuda team are recognized in the company's Hall of Fame. In addition, qualifying bugs can earn a bounty starting at $100 and going up to $3,133.70, a figure that pays homage to the security community's "eleet" spelling, 31337.
Chromium Project Bug Bounty Program
Vulnerabilities found in the Chromium open source project and in Google Chrome may be eligible for this lucrative bug bounty. Both monetary rewards and public recognition are given for serious vulnerabilities responsibly disclosed to the Chromium project.
Rewards begin at $500, and $1,000 is typical for security bugs that meet the project's qualifications. The Chromium rewards panel sets the bounty based on the quality of the report, and to date it has awarded several bounties of more than $30,000.
Etsy Bug Bounty Program
Etsy rewards security researchers who identify web application vulnerabilities such as XSS, SQLi, CSRF, remote code execution, and authentication and authorization issues. Etsy bounties begin at $500 and can be raised at the company's discretion. Etsy will also send you one of its security t-shirts, recognize you on its Thank You page and, according to its site, if they see you at a security conference they will be sure to "give you a high five and tell people how awesome you are."
Facebook Bug Bounty Program
Facebook pays bounties to researchers who uncover vulnerabilities that put the integrity of user data at risk, give access to a system within Facebook's infrastructure, or circumvent privacy protections. The minimum reward is $500 per bug; the actual amount varies with the severity and creativity of the finding, and there is no maximum.
Prezi Bug Bounty Program
Prezi also offers a bug bounty starting at $500 for eligible web application security vulnerabilities found on the following domains and the services accessible through them:
Along with the monetary bounty, Prezi includes a free PRO subscription for a year, and your name is listed on its Security Hall of Fame.
Yahoo Bug Bounty Program
Yahoo's bug bounty program is focused on uncovering and responsibly disclosing technical vulnerabilities in Yahoo-owned applications. The scope of the program includes:
- All Yahoo and Flickr branded mobile applications.
- All Yahoo and Flickr branded client side applications.
Through this program, Yahoo rewards qualifying bugs with anywhere from $250 to $15,000 based on their severity.
Be sure to leave a comment and let us know about some of the other bug bounty programs out there!