With cybercrime and major hacking incidents reaching epidemic proportions, the importance of locating application-layer vulnerabilities is rising. Developers and companies are constantly striving to scan their code and improve code integrity in the early development stages, but no application is completely vulnerability-free and external scrutiny is always a bonus. This is where bug bounty programs come into play. Also known as Vulnerability Reward Programs (VRPs), these hacking events often produce alarming revelations that eventually end up preventing widespread damage to customers and companies alike. Security researchers, ethical hackers and enthusiasts from all over the world participate in these events for the benefit of all sides involved. Checkmarx has brought together this bug bounty program list as a service to the ever-growing InfoSec community. Bug Bounty Program regulars from all over the world can use this comprehensive guide to plan their 2015 schedule and choose to divert their attention to the programs most relevant to their areas of expertise.
1. Battlehack 2015
Languages: C++, JavaScript (as Node.js) Bounty: $100,000 USD (1st Prize), Xbox One (2nd Prize), Adafruit ARDX (3rd Prize) The year's most enticing bug bounty competition is actually going to be a road-trip all around the world, with events to be held in 10 major metros on different dates. This mega-event is being sponsored by IT giants, such as PayPal, Twitter, Braintree and more. The first prize is going to be a whopping $100,000 USD and the "Ultimate Hacker" title. These Battlehack events, primarily sponsored by e-commerce giant Paypal, initially produce local winners in the different cities. The winning teams from the various cities, who receive axes instead of trophies, then gain eligibility to participate in the world finals where they can aim for the first prize, which is worth no less than $100,000 USD. PayPal puts extra emphasis on giving the developers center-stage and offers them a series of perks while participating in the contest. These include catering services, beer breaks and even stations for quick power-naps. More importantly, the Battlehack participants retain full ownership of all the software they develop.
2. Facebook WhiteHat Program
Languages: C++, PHP, D, Java, Python (Server-side); JavaScript (Client-side) Bounty: $500 USD (Minimum), No Pre-Determined Maximum The world's largest social media platform has a welcoming approach to researchers and ethical hackers. With private information and personal media files of millions of people at stake, it's befitting to provide the users the option to report newly discovered security findings. Facebook has a dedicated bug bounty team dealing with user's findings. All the researcher has to do is report the bug and wait for the websites bounty team to respond to the finding. While the minimum reward is $500 USD, there is no pre-determined maximum sum. The rewards are determined as per the severity of the detected vulnerability. The Facebook Bug Bounty page showcases the findings.
3. Google Vulnerability Reward Program (VRP)
Languages: C/C++, Java, Python, Go (Server-side); JavaScript, Flash (Client-side) Bounty: $100 USD (Minimum), $20,000 (Maximum) Google is arguably the most dominant force on the web today. From its ever-evolving search engine to its various media channels, it reaches virtually every home and mobile device. This extreme reach also comes with its fair share of security vulnerabilities and risks. Google introduced its reward program to combat these very perils. As shown in the screenshot below, Google gives extra importance to the widely exploited vulnerabilities such as SQLi, XSS, CSRF and Remote Code Execution. The researchers, successful in finding loopholes as per the requirements of the security team, get full recognition and are indicted into the company's Hall of Fame. The participants in Google's bug-hunting program should ideally create an account on bughunter.withgoogle.com, a dedicated dashboard to assist with better raking of the detected flaws. Researchers without a profile on bughunter.withgoogle.com cannot be featured on the 0x0A and honorable mentions list (Hall of Fame) of the program.
4. Yahoo Bug Bounty Program
Languages: JavaScript, PHP (Server-side); JavaScript (Client-side) Bounty: $100 USD (Minimum), $20,000 (Maximum) Just like with Facebook, Yahoo has its own security team that accepts vulnerability reports from security researchers and ethical hackers. The findings need to be related to the Yahoo and Flickr applications to be eligible for the bounty. The minimum reward on offer is $50, while the maximum ceiling currently stands at $15,000 USD. Yahoo's security team responds to all legitimate security reports within 30 working days. The only vulnerabilities admitted into the program include SQLi, XSS, CSRF, Directory Traversal, Remote Code Execution, Information Disclosure and Content Spoofing. To further understand the scope exclusions – click here.
5. Mozilla Bug Bounty
Languages: C++, JavaScript, C, CSS, XUL, XBL Bounty: $500 USD (Minimum), $3,000 (Maximum). Mozilla, owner of the popular Firefox web browser amongst other web applications, has also adopted the policy of rewarding vulnerability discoveries by ethical hackers and security researchers. The Mozilla bug bounty basically recognizes and hands out bounty payments for previously unreported remote exploit POCs. The bounty is offered only for bugs in Mozilla services, such as Firefox, Thunderbird and other related applications and services. Third-party plugins and extensions are excluded from this bounty program. Filing a bug is a user-friendly process that gives the reporters a bug number for future use. The Mozilla team then responds to the filed report.
6. WordPress Security Bug Bounty Program
Languages: PHP, MySQL Bounty: $100 USD (Minimum), $1,000 (Maximum) Wordpress has evolved into the world's leading Content Management System (CMS) in recent years thanks to its user-friendly functions and flexible customization capabilities. But the use of third-party plugins also makes it a risky platform, especially when many websites fail to even apply the latest updates from Wordpress itself. White Fir Design's WordPress security bug bounty program offers rewards for detecting vulnerabilities in the WordPress platform. Bounties vary from $1000 USD for severe flaws to $100 USD for minor issues. There is also prize money for the detection of WordPress Plugin loopholes, with the bounties ranging from $125 USD to $250 USD.
7. The Chromium Project
Languages: C++ Bounty: $500 USD (Minimum), $15,000 (Maximum) The Chrome Reward Program was inaugurated in January 2010. This project offers a bounty according to the severity of the vulnerability and also public recognition for the efforts of the WhiteHat hackers. The findings have to be related to Chrome or the Chrome OS, as long as the bugs are found in the Stable, Beta and Dev channels. As evident in the screenshot above, the monetary awards for recognized flaws range from $500 USD to $15,000 USD. While the program encourages the research and analysis of Windows 8 and above, Windows XP and Vista findings might also be rewarded with reduced award amounts as per the severity of the issue.
8. Samsung Smart TV Security Bounty Program
Languages: Tizen, Android Bounty: $500 USD (Minimum), $3000 USD (Maximum) Samsung is one of the world's leading TV manufacturers with Internet of Things (IoT) functionality. These Smart TV features need constant connection to the internet and are not yet completely safe, something that malicious hackers can exploit. The Korean company's proprietary Blu-Ray software is also in the bug bounty program. Besides the money payouts, Samsung also has a dedicated Hall of Fame for the individuals who have qualified and reported about security bugs in the company's various applications. This helps in nourishing the ethical hacking community and creating a new culture of bug hunting. The bug report process is a user-friendly process.
9. Avast Bug Bounty Program
Language: C++ Bounty: $400 USD (Minimum) - $10,000 or More (Maximum) Avast is a widely recognized anti-virus company providing security solutions for Windows, Mac, Android and Linux users. But even their application is not vulnerability-free. Avast has a designed a protocol to reward ethical hackers and security researchers. All bugs, preferably in encrypted mail form, can be submitted to [email protected]. Remote code execution vulnerabilities have been defined by Avast as the most critical bugs and can amount of a bounty of $10,000 USD or above. Avast is also urging researchers to expose ways to crash the AvastSvc.exe via Denial-of-service (DoS) attacks. Submissions from Iran, Syria, Cuba, North Korea and Sudan are not accepted.
10. Microsoft – Online Services Bug Bounty Program
Languages: ASP.NET Bounty: $500 USD (Minimum), Maximum Not Pre-Determined Microsoft's latest bug bounty program was officially inaugurated on 23rd September, 2014 and deals exclusively with Online Services. Eligible domains up for security in the current program include - portal.office.com, outlook.com, lync.com, graph.windows.net and other. Participants are advised to read the guidelines before starting their research. The vulnerabilities reported should also be of the types specified in the submission guidelines. These include XSS, CSRF, Privilege Escalation Injection and Authentication Vulnerabilities. Microsoft has paid over $300,000 USD worth of bounties so far. It also gives ethical hackers the option to donate the bounty to approved charity organizations.
11. GitHub Security Bug Bounty
Languages: Ruby Bounty: $100 USD (Minimum), $5,000 USD (Maximum) GitHub is the world's largest web-based code hosting service, used by developers all over the world, mostly for their open-source projects. It currently has around 3.4 million users with over 16 million repositories. Needless to mention, this platform requires bolstered security, which is why GitHub has its security bug bounty program. This ever-growing bug-bounty community is nurtured by the creation of a unique point system. This involves a dynamic leaderboard that ranks the top participants of the program by awarding them points and badges for their achievements. There is also the bounty that is paid according to the severity of the vulnerability detected. There are also many top software companies offering only official recognition to security experts who find flaws in their applications. They offer Hall of Fame status and also responsible disclosure acknowledgements. Security researchers not primarily interested in the financial stimuli can opt for the following options:
- Apple – The Cupertino giant doesn’t have a bug bounty program, but does accept vulnerability reports. Apple also promptly credits the researchers with full responsible disclosure and press releases on its official website.
- AT&T – The American telecommunication company also has its bug hunting channel. Developers and InfoSec experts can research the various platforms, including its service-providing websites, exposed APIs and mobile applications.
- Adobe – Adobe also has a responsible disclosure program in place for newly detected vulnerabilities in its website, applications and services. The findings are also published publically and researchers acknowledged officially.
- eBay – Arguably the world largest e-commerce platform's bug reporting program invites researchers to send in PoC's and details of newly found vulnerabilities. Responsible disclosure acknowledgements are also on offer.
- Deutsche Telecom – This German telecommunication giant also has its own bug bounty program, where researchers are required to locate flaws is the web portals of Deutsche Telekom AG in Germany (the telekom.de domain).
It's safe to say that bug bounty programs are gaining steam. Google recently announced that it has shelled out over $4 million in prize money, while introducing its new bounty programs for Android and iOS applications. The highest bounty paid to a single person so far is $150,000 USD, with the researcher also accepting an internship in the company. Needless to say, this is not the complete solution as there is no substitute for secure coding and testing integrated into the Software Development Life Cycle (SDLC). But with more and more leading companies encouraging security research and promoting awareness amongst professionals and enthusiasts alike, the future is looking bright.
About the Author: Sharon Solomon (@checkmarx) is a Content Manager at Checkmarx, a leading provider of Source Code Analysis (SCA) solutions to identify security vulnerabilities in web and mobile applications. It provides an easy and effective way for organizations to introduce security into their Software Development Lifecycle (SDLC) which systematically eliminates software risks and coding flaws. Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
