In 2015, The State of Security published a list of 11 essential bug bounty frameworks. Numerous organizations and even some government entities have launched their own vulnerability reward programs (VRPs) since then. With that in mind, I think it's time for an updated list.
Here are 10 essential bug bounty programs for 2017.
1. Apple
No predetermined amount
First launched in September 2016, Apple's bug bounty program originally welcomed just two dozen security researchers who had previously reported vulnerabilities in the tech giant's software. The framework has presumably expanded since then to include additional bug bounty hunters. But without a public website, it's difficult to ascertain any details about the program, including which participating ethical hackers have claimed bounties. (A report published by Motherboard casts doubt on whether any researchers have reported flaws to Apple since the launch of its program.)
Ivan Krstic of Apple's Security Engineering and Architecture group announced the bug bounty program at Black Hat USA 2016. According to him, his employer is willing to pay $25,000 for flaws that could allow an actor to gain access from a sandboxed process to user data outside of that sandbox. Meanwhile, it's ready to hand over $100,000 to those who can extract data protected by Apple's Secure Enclave technology. The highest bounty comes in at $200,000 for security issues affecting its firmware.
2. Facebook
No predetermined amount
Those wishing to qualify for a reward in Facebook's bug bounty program can report a security issue in Facebook, Atlas, Instagram, WhatsApp, and a few other qualifying products and acquisitions. There are a few security issues that the social networking platform considers out-of-bounds, however. For instance, researchers who report on social engineering techniques, content injection, or denial-of-service (DoS) attacks won't be eligible for a bounty.
Under its VRP, Facebook has agreed to pay a minimum of $500 for a responsibly disclosed vulnerability, though some low-severity flaws won't qualify a researcher for a bounty. Participating bounty hunters may decide to donate their bounties to a charity of a choice. If they elect to do so, Facebook will double the award.
3. GitHub
More than 100 security researchers have participated in GitHub's bug bounty program since its launch in June 2013. Each of them has earned points for their vulnerability submissions depending on a flaw's severity. Based on their work across all targets, those who've amassed the most total points have secured a position on the VRP's Leaderboard.
Individuals looking to participate in GitHub's bug bounty framework should turn their attention to the developer platform's API, CSP, Enterprise, Gist and the main website. Upon sending over a bug report, researchers can expect to receive between $200 and $10,000 as a reward. But they'll receive that bounty only if they respect users' data and don't exploit any issue to produce an attack that could harm the integrity of GitHub's services or information.
4. Google
Nearly all the content in the .google.com, .youtube.com and .blogger domains is open for Google's vulnerability rewards program. The scope of the framework doesn't apply to weaknesses that could allow someone to conduct phishing attacks against Google employees, however. The program covers only design and implementation issues that affect the confidentiality and integrity of user data. These weaknesses include cross-site scripting vulnerabilities and authentication flaws.
As of this writing, remote code execution vulnerabilities in applications that permit taking over a Google account, normal Google applications and other sensitive applications all net the highest bounty of $31,337. These flaws include sandbox escapes and command injection. By contrast, a remote-user impersonation bug in non-integrated acquisitions warrants only a $500 reward, with cross-site scripting attacks in low-priority applications qualifying for no more than $100.
5. Intel
At the CanSecWest Security Conference this March, Intel's bug bounty program was presented as targeting the company's hardware (processors, chipsets, solid state drives, etc.), firmware (BIOS, Intel Management Engine, motherboards, etc.), and software (device drivers, applications, and tools). It does not include recent acquisitions, the company's web infrastructure, third-party products, or anything relating to McAfee, which at one point operated as Intel's security division.
For a critical vulnerability discovered in the company's hardware, researchers can expect to receive a bounty of up to $30,000. On the other end of the spectrum, a low-severity vulnerability affecting Intel's software will net a bounty hunter up to $500. With that said, if anyone has a history of shunning coordinated disclosure or is a family member of an Intel employee, the technology company will most likely not admit them to its vulnerability rewards program.
6. Microsoft
No predetermined amount
Microsoft's VRP has been around at least as long as GitHub's program. Its active bounties change constantly. As of this writing, researchers can earn up to $15,000 for discovering vulnerabilities in applicable Microsoft cloud services. Those looking for a bigger payout can try to discover mitigation bypass issues or critical remote code execution bugs in Hyper-V, which net bounty hunters rewards of up to $100,000 and $250,000, respectively.
In July 2017, Microsoft launched a Windows bug bounty program that covers Windows Insider Preview, Microsoft Edge and other features of its signature operating system. Those who submit bug reports as part of this VRP extension can hope to collect between $500 and $250,000. They can learn more about the Windows bug bounty framework here.
7. Hack the Pentagon
First tested in a "pilot run" between April and May 2016, "Hack the Pentagon" is a bug bounty program designed to identify and resolve security vulnerabilities that affect public-facing websites operated by the United States Department of Defense (DoD). The agency's Digital Defense Service (DDS) created the framework in partnership with HackerOne. Since then, it's expanded the program to other departments, including "Hack the Army."
The Hack the Pentagon pilot cost about $150,000 to set up. In total, 1,410 researchers and bug bounty hunters participated in the challenge. They discovered 1,189 vulnerabilities, 138 of which Defense Media Activity (DMA) deemed valid and unique. As a result, the DoD awarded approximately $75,000 to security researchers in the program's first year alone.
8. Tor Project
Launched in July 2017, the Tor Project's bug bounty program covers two of its core anonymizing services: its network daemon and browser. Each of those targets comes with its own set of payment tiers and restrictions.
For the Tor Network, security researchers can earn between $100 and $4,000 depending on the severity of the bug they discover. They can also collect a bounty of up to $2,000 for reporting a flaw in one of the third-party libraries used by Tor. (OpenSSL is excluded, but libevent is in scope.) Meanwhile, bounty earners can receive a reward of more than $3,000 for reporting a full proxy bypass or similarly high-severity weakness in the Tor Browser.
9. Uber
No predetermined amount
The vulnerability rewards program for the ridesharing platform is primarily focused on protecting the data of its users and employees. As such, the in-scope vulnerability categories include issues through which an attacker could gain unauthorized access to a user's or employee's data, forge authenticated requests on behalf of a victim, or carry out phishing attacks against users. These security flaw classes apply to uber.com, partners.uber.com, eats.uber.com and other domains. But those vulnerability types don't include weaknesses like spear phishing that fail to exploit a technical issue.
Uber calculates the security impact of each vulnerability disclosed to it by taking into account multiplying factors, such as the scale of exposure and the sensitivity of the user data exposed, and whether factors like required user interaction or physical access limit the severity of the flaw. It then generally rewards a bounty of between $0 and $10,000. (The phishing bucket allows for a maximum payout of $5,000 per vulnerability.)
10. WordPress
No predetermined amount
WordPress is primarily interested in cross-site scripting (XSS) bugs, server-side request forgery (SSRF) weaknesses and other vulnerabilities that undermine the security of its users. It's not interested in brute-force, DDoS, phishing, or other social engineering attacks. Additionally, its program doesn't consider plugins in scope, as most of them are developed by external organizations. Security researchers can still submit a bug report for a plugin vulnerability, however, as WordPress's admins will forward the report to the affected plugin's developers.
As with most other VRPs, WordPress requests that participating bug bounty hunters provide information on how to validate a vulnerability along with a Proof of Concept (PoC). It also asks that security researchers don't modify or delete any information on live sites and that they wait an appropriate amount of time before publishing details of any discovered vulnerability.
Think we missed an essential bug bounty program? Let us know in the comments!