I am sure you all know what bug bounty programs are, but for those who don’t: bug bounties, also known as responsible disclosure programs, are set up by companies to encourage people to report potential issues discovered on their sites. Some companies choose to reward a researcher with money, swag, or an entry in their hall of fame. If you’re interested in web application security then they’re a great way of honing your skills, with the potential of earning some money and/or credibility at the same time. Bug bounty programs have been implemented by Facebook, Yahoo!, Google, Reddit, and Square.
Here are the top 10 bug bounty programs that can pay well:
1. Facebook WhiteHat Program
Prize: $500 USD (Minimum), No Pre-Determined Maximum
The world’s largest social media platform has a welcoming approach to researchers and ethical hackers. All the researcher has to do is report the bug and wait for the website’s bounty team to respond to the finding. While the minimum reward is $500 USD, there is no pre-determined maximum sum. The rewards are determined according to the severity of the detected vulnerability. The Facebook Bug Bounty page showcases the findings.
2. Google Vulnerability Reward Program (VRP)
Prize: $100 USD (Minimum), $20,000 (Maximum)
Google is arguably the most dominant force on the web today. From its ever-evolving search engine to its various media channels, it reaches virtually every home and mobile device. This extreme reach also comes with its fair share of security vulnerabilities and risks. Google introduced its reward program to combat these very perils.
Participants in Google’s bug-hunting program should ideally create an account on bughunter.withgoogle.com, a dedicated dashboard to assist with better tracking of the detected flaws. Researchers without a profile on bughunter.withgoogle.com cannot be featured on the 0x0A and honorable mentions list (Hall of Fame) of the program.
3. Yahoo Bug Bounty Program
Prize: $100 USD (Minimum), $20,000 (Maximum)
Just like with Facebook, Yahoo has its own security team that accepts vulnerability reports from security researchers and ethical hackers. The findings need to be related to the Yahoo and Flickr applications to be eligible for the bounty. The minimum reward on offer is $50, while the maximum ceiling currently stands at $15,000 USD.
4. Mozilla Bug Bounty
Prize: $500 USD (Minimum), $3,000 (Maximum).
Mozilla, owner of the popular Firefox web browser among other web applications, has also adopted the policy of rewarding vulnerability discoveries by ethical hackers and security researchers. The Mozilla bug bounty basically recognizes and hands out bounty payments for previously unreported remote exploit PoCs.
The bounty is offered only for bugs in Mozilla services, such as Firefox, Thunderbird and other related applications and services. Third-party plugins and extensions are excluded from this bounty program. Filing a bug is a user-friendly process that gives the reporters a bug number for future use. The Mozilla team then responds to the filed report.
5. WordPress Security Bug Bounty Program
Languages: PHP, MySQL
Prize: $100 USD (Minimum), $1,000 (Maximum)
WordPress has evolved into the world’s leading Content Management System (CMS) in recent years thanks to its user-friendly functions and flexible customization capabilities. But the use of third-party plugins also makes it a risky platform, especially when many websites fail to even apply the latest updates from WordPress itself.
White Fir Design’s WordPress security bug bounty program offers rewards for detecting vulnerabilities in the WordPress platform. Bounties vary from $1,000 USD for severe flaws to $100 USD for minor issues. There is also prize money for the detection of WordPress plugin loopholes, with the bounties ranging from $125 USD to $250 USD.
6. The Chromium Project
Prize: $500 USD (Minimum), $15,000 (Maximum)
The Chrome Reward Program was inaugurated in January 2010. This project offers a bounty according to the severity of the vulnerability, as well as public recognition for the efforts of the white-hat hackers. The findings have to be related to Chrome or Chrome OS, and the bugs must be found in the Stable, Beta or Dev channels.
7. Samsung Smart TV Security Bounty Program
Languages: Tizen, Android
Prize: $500 USD (Minimum), $3,000 USD (Maximum)
Samsung is one of the world’s leading manufacturers of TVs with Internet of Things (IoT) functionality. These Smart TV features need a constant connection to the internet and are not yet completely safe, something that malicious hackers can exploit. The Korean company’s proprietary Blu-ray software is also in the bug bounty program.
Besides the money payouts, Samsung also has a dedicated Hall of Fame for the individuals who have qualified and reported security bugs in the company’s various applications. This helps in nourishing the ethical hacking community and creating a new culture of bug hunting. The bug reporting process is user-friendly.
8. Avast Bug Bounty Program
Prize: $400 USD (Minimum) – $10,000 or More (Maximum)
Avast is a widely recognized anti-virus company providing security solutions for Windows, Mac, Android and Linux users. But even their application is not vulnerability-free. Avast has designed a process to reward ethical hackers and security researchers. All bugs, preferably in encrypted mail form, can be submitted to email@example.com.
9. Microsoft – Online Services Bug Bounty Program
Bounty: $500 USD (Minimum), Maximum Not Pre-Determined
Microsoft’s latest bug bounty program was officially inaugurated on 23rd September, 2014 and deals exclusively with Online Services. Eligible domains in the current program include portal.office.com, outlook.com, lync.com, graph.windows.net and others. Participants are advised to read the guidelines before starting their research.
The vulnerabilities reported should also be of the types specified in the submission guidelines. These include XSS, CSRF, Privilege Escalation, Injection and Authentication vulnerabilities. Microsoft has paid over $300,000 USD worth of bounties so far. It also gives ethical hackers the option to donate the bounty to approved charity organizations.
10. GitHub Security Bug Bounty
Bounty: $100 USD (Minimum), $5,000 USD (Maximum)
GitHub is the world’s largest web-based code hosting service, used by developers all over the world, mostly for their open-source projects. It currently has around 3.4 million users with over 16 million repositories. Needless to say, this platform requires bolstered security, which is why GitHub has its own security bug bounty program.