With cybercrime and major hacking incidents reaching epidemic proportions, the importance of locating application-layer vulnerabilities is rising. Developers and companies are constantly striving to scan their code and improve code integrity in the early development stages, but no application is completely vulnerability-free and external scrutiny is always a bonus. This is where bug bounty programs come into play. Also known as Vulnerability Reward Programs (VRPs), these programs regularly produce alarming findings that end up preventing widespread damage to customers and companies alike. Security researchers, ethical hackers and enthusiasts from all over the world participate in them for the benefit of all sides involved. Checkmarx has brought together this bug bounty program list as a service to the ever-growing InfoSec community. Bug bounty regulars from all over the world can use this guide to plan their 2015 schedule and divert their attention to the programs most relevant to their areas of expertise.
1. Battlehack 2015
2. Facebook WhiteHat Program
3. Google Vulnerability Reward Program (VRP)
4. Yahoo Bug Bounty Program
5. Mozilla Bug Bounty
6. WordPress Security Bug Bounty Program
Languages: PHP, MySQL Bounty: $100 USD (Minimum), $1,000 (Maximum) WordPress has evolved into the world's leading Content Management System (CMS) in recent years thanks to its user-friendly functions and flexible customization capabilities. But its reliance on third-party plugins also makes it a risky platform, especially when many websites fail to even apply the latest updates from WordPress itself. White Fir Design's WordPress security bug bounty program offers rewards for vulnerabilities in the WordPress platform. Bounties range from $100 USD for minor issues to $1,000 USD for severe flaws. There is also prize money for vulnerabilities in WordPress plugins, with bounties ranging from $125 USD to $250 USD.
7. The Chromium Project
Languages: C++ Bounty: $500 USD (Minimum), $15,000 (Maximum) The Chrome Reward Program was inaugurated in January 2010. It pays a bounty scaled to the severity of the vulnerability and also gives public recognition to the WhiteHat hackers who report it. Findings must relate to Chrome or Chrome OS and must reproduce in the Stable, Beta or Dev channels. Monetary awards for recognized flaws range from $500 USD to $15,000 USD. While the program encourages research on Windows 8 and above, findings on Windows XP and Vista may also be rewarded, with reduced amounts depending on the severity of the issue.
8. Samsung Smart TV Security Bounty Program
Platforms: Tizen, Android Bounty: $500 USD (Minimum), $3,000 USD (Maximum) Samsung is one of the world's leading manufacturers of TVs with Internet of Things (IoT) functionality. Smart TV features require a constant internet connection and are not yet completely secure, which malicious hackers can exploit. The Korean company's proprietary Blu-ray software is also covered by the program. Besides the cash payouts, Samsung maintains a dedicated Hall of Fame for the individuals who have qualified by reporting security bugs in the company's various applications. This helps nourish the ethical hacking community and creates a new culture of bug hunting. The bug reporting process itself is user-friendly.
9. Avast Bug Bounty Program
Language: C++ Bounty: $400 USD (Minimum) - $10,000 or More (Maximum) Avast is a widely recognized anti-virus company providing security solutions for Windows, Mac, Android and Linux users. But even their application is not vulnerability-free. Avast has designed a protocol to reward ethical hackers and security researchers. Bugs are submitted by e-mail to Avast's bug bounty address, preferably as encrypted mail. Avast defines remote code execution vulnerabilities as the most critical class of bug; these can earn a bounty of $10,000 USD or more. Avast also asks researchers to find ways to crash the AvastSvc.exe service via denial-of-service (DoS) attacks. Submissions from Iran, Syria, Cuba, North Korea and Sudan are not accepted.
10. Microsoft – Online Services Bug Bounty Program
Languages: ASP.NET Bounty: $500 USD (Minimum), Maximum Not Pre-Determined Microsoft's latest bug bounty program was officially inaugurated on 23rd September, 2014 and deals exclusively with Online Services. Domains eligible under the current program include portal.office.com, outlook.com, lync.com, graph.windows.net and others. Participants are advised to read the guidelines before starting their research, and reported vulnerabilities must be of the types specified in the submission guidelines: XSS, CSRF, injection, privilege escalation and authentication vulnerabilities. Microsoft has paid over $300,000 USD in bounties so far. It also gives ethical hackers the option to donate the bounty to approved charity organizations.
11. GitHub Security Bug Bounty
Languages: Ruby Bounty: $100 USD (Minimum), $5,000 USD (Maximum) GitHub is the world's largest web-based code hosting service, used by developers all over the world, mostly for their open-source projects. It currently has around 3.4 million users with over 16 million repositories. Needless to say, such a platform requires bolstered security, which is why GitHub runs its security bug bounty program. This ever-growing bug bounty community is nurtured by a unique point system: a dynamic leaderboard ranks the top participants of the program, awarding them points and badges for their achievements. The bounty itself is paid according to the severity of the vulnerability detected.

There are also many top software companies that offer only official recognition to security experts who find flaws in their applications, in the form of Hall of Fame status and responsible disclosure acknowledgements. Security researchers not primarily interested in financial incentives can opt for the following:
- Apple – The Cupertino giant doesn't have a bug bounty program, but does accept vulnerability reports. Apple credits researchers who disclose responsibly when the fix is published on its official website.
- AT&T – The American telecommunications company also has its own bug hunting channel. Developers and InfoSec experts can research its various platforms, including its service websites, exposed APIs and mobile applications.
- Adobe – Adobe also has a responsible disclosure program in place for newly detected vulnerabilities in its websites, applications and services. Findings are published publicly and researchers are acknowledged officially.
- eBay – Arguably the world's largest e-commerce platform, eBay's bug reporting program invites researchers to send in PoCs and details of newly found vulnerabilities. Responsible disclosure acknowledgements are also on offer.
- Deutsche Telekom – This German telecommunications giant also has its own bug bounty program, which asks researchers to locate flaws in the web portals of Deutsche Telekom AG in Germany (the telekom.de domain).
It's safe to say that bug bounty programs are gaining steam. Google recently announced that it has shelled out over $4 million in prize money, while introducing new bounty coverage for its Android and iOS applications. The highest bounty paid to a single person so far is $150,000 USD, with the researcher also accepting an internship at the company. Needless to say, bounties are not the complete solution: there is no substitute for secure coding and testing integrated into the Software Development Life Cycle (SDLC). But with more and more leading companies encouraging security research and promoting awareness among professionals and enthusiasts alike, the future is looking bright.
About the Author: Sharon Solomon (@checkmarx) is a Content Manager at Checkmarx, a leading provider of Source Code Analysis (SCA) solutions to identify security vulnerabilities in web and mobile applications. It provides an easy and effective way for organizations to introduce security into their Software Development Lifecycle (SDLC) which systematically eliminates software risks and coding flaws. Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.