
In 2017, the State of Security published its most recent list of essential bug bounty frameworks. Numerous organizations and government entities have launched their own vulnerability reward programs (VRPs) since then. With that in mind, it’s time for an updated list.

Here are 14 essential bug bounty programs for 2019.

14. Apple

Website: Invite-only

Minimum Payout: No predetermined amount

Maximum Payout: $200,000

First launched in September 2016, Apple’s bug bounty program originally welcomed just two dozen security researchers who had previously reported vulnerabilities they had found in the tech giant’s software. The framework has presumably expanded since then to include additional bug bounty hunters. Without a public website, however, it’s difficult to ascertain any details about the program, including which ethical hackers have claimed bounties.

Ivan Krstic of Apple’s Security Engineering and Architecture group announced the bug bounty program at Black Hat USA 2016. According to him, his employer will pay $25,000 for flaws that could allow an actor to gain access from a sandboxed process to outside user data. Meanwhile, it will hand over $100,000 to those who can extract data protected by Apple’s Secure Enclave technology. The highest bounty comes in at $200,000 for security issues affecting its firmware.

As reported by Motherboard, security researchers are now sharing iOS vulnerabilities with Apple, and the tech giant is rewarding these individuals with bounties for their findings.

13. European Union

Website: https://juliareda.eu/2018/12/eu-fossa-bug-bounties/

Minimum Payout: Various

Maximum Payout: Various

European Parliament member Julia Reda announced that the European Commission would be launching 14 out of a total of 15 bug bounty programs in January 2019. Those bug bounties are for free and open-source software projects on which various institutions of the European Union rely. Anyone is welcome to participate by submitting bugs and vulnerabilities they find to the involved bug bounty platforms.

As of this writing, one of the bug bounty programs has already gone live. This particular vulnerability disclosure framework covers the KeePass password manager. Interested parties will have until the end of July to report flaws affecting the password manager through Intigriti/Deloitte. They can expect a reward of €500 for a low-level vulnerability and as much as €25,000 for what KeePass considers to be an “exceptional” flaw.

12. Facebook

Website: https://www.facebook.com/whitehat

Minimum Payout: $500

Maximum Payout: No predetermined amount

Those wishing to qualify for a reward in Facebook’s bug bounty program can report a security issue in Facebook, Atlas, Instagram, WhatsApp and a few other qualifying products and acquisitions. There are a few security issues which the social networking platform considers out-of-bounds, however. For instance, researchers who report on social engineering techniques, content injection or denial-of-service (DoS) attacks won’t be eligible for a bounty.

Under its VRP, Facebook has agreed to pay a minimum of $500 for a responsibly disclosed vulnerability, though some low-severity flaws won’t qualify a researcher for a bounty. Participating bounty hunters may decide to donate their bounties to a charity of their choice. If they elect to do so, Facebook will double the award.

11. GitHub

Website: https://bounty.github.com/

Minimum Payout: $555

Maximum Payout: $20,000

Hundreds of security researchers have participated in GitHub’s bug bounty program since its launch in June 2013. Each of them has earned points for their vulnerability submissions depending on a flaw’s severity. Based on their work across all targets, those who’ve amassed the most total points have secured a position on the VRP’s Leaderboard.

Individuals looking to participate in GitHub’s bug bounty framework should turn their attention to the developer platform’s API, CSP, Enterprise, Gist and the main website. Upon sending over a bug report, researchers can expect to receive between $555 and $20,000 as a reward. But they’ll receive that bounty only if they respect users’ data and don’t exploit any issue to produce an attack that could harm the integrity of GitHub’s services or information.

10. Google

Website: https://www.google.com/about/appsecurity/reward-program/

Minimum Payout: $100

Maximum Payout: $31,337

Nearly all the content in the .google.com, .youtube.com and .blogger domains is open for Google’s vulnerability rewards program. The scope of the framework doesn’t apply to weaknesses that could allow someone to conduct phishing attacks against Google employees. The program covers only design and implementation issues that affect the confidentiality and integrity of user data. These weaknesses include XSS vulnerabilities and authentication flaws.

As of this writing, remote code execution vulnerabilities in applications that permit taking over a Google account, normal Google applications and other sensitive applications all net the highest bounty of $31,337. These flaws include sandbox escapes, command injection and deserialization weaknesses. By contrast, a CSRF flaw or clickjacking weakness in non-integrated acquisitions warrants only a $100 reward.

9. HP

Website: http://hp.com/go/printersthatprotect

Minimum Payout: No predetermined amount

Maximum Payout: $10,000

In September 2018, Hewlett-Packard (HP) launched a private bug bounty program through Bugcrowd. The multinational information technology company launched its vulnerability research framework to underscore “its commitment to deliver the world’s most secure printers.” As such, HP was the first entity to ever launch a bug bounty program for printing devices.

Under its program, HP will offer security researchers up to $10,000 for submitting a report on a vulnerability affecting one of its printers. It’s not entirely clear how severe these security weaknesses must be to warrant this level of payout. However, a case study published by Bugcrowd did reveal that the average priority level of flaws reported to HP so far was 2.34.

8. Intel

Website: https://security-center.intel.com/BugBountyProgram.aspx

Minimum Payout: $500

Maximum Payout: $100,000

Revealed at the CanSecWest Security Conference in March 2017, Intel’s bug bounty program targets the company’s hardware (processors, chipsets, solid state drives, etc.), firmware (BIOS, Intel Management Engine, motherboards, etc.) and software (device drivers, applications, and tools). It does not include recent acquisitions, the company’s web infrastructure, third-party products, or anything relating to McAfee, a former Intel subsidiary.

For a critical vulnerability discovered in the company’s hardware, researchers can expect to receive a bounty of up to $100,000. On the other end of the spectrum, a low-severity vulnerability affecting Intel’s software will net a bounty hunter up to $500. With that said, if anyone has a history of shunning coordinated disclosure or is a family member of an Intel employee, the company will most likely not admit them to its program.

7. Microsoft

Website: https://technet.microsoft.com/en-us/library/dn425036.aspx

Minimum Payout: No predetermined amount

Maximum Payout: $250,000

The active bounties under Microsoft’s VRP change constantly. As of this writing, researchers can earn up to $15,000 for discovering vulnerabilities in applicable Microsoft cloud services. Those looking for a bigger payout can look to discover mitigation bypass issues or critical remote code execution in Hyper-V, bugs which will net bounty hunters rewards of up to $100,000 and $250,000, respectively.

In July 2017, Microsoft launched a Windows bug bounty program. Under that framework, those who submit reports for an eligible vulnerability affecting Windows Insider Preview can hope to collect between $500 and $15,000. A sister program for Windows Defender Application Guard (WDAG) upped the maximum payout to $30,000. Interested parties can learn more about all the programs that fall under the Windows bug bounty framework here.

6. Mozilla

Website: https://www.mozilla.org/en-US/security/bug-bounty/

Minimum Payout: $100

Maximum Payout: $10,000+

Mozilla launched one of the first modern bug bounty programs in 2004. Thirteen years later, the not-for-profit organization behind the popular Firefox web browser relaunched its program. Its VRP today welcomes security researchers who agree to not modify, delete or store user data in their testing of Mozilla’s software.

Currently, Mozilla runs two different bug bounty programs. The first is the organization’s Client Bug Bounty Program through which researchers may report a remote exploit, the cause of a privilege escalation or an information leak in publicly released versions of Firefox or Firefox for Android. Participating researchers can receive $500 for reporting a moderate vulnerability and potentially over $10,000 for finding a novel vulnerability and exploit, new form of exploitation or an exceptional vulnerability.

The not-for-profit organization also runs a Web and Services Bug Bounty Program. This particular framework welcomes security researchers to report on weaknesses from remote code execution bugs affecting critical websites, which come with a $5,000 award, to domain takeover gaps affecting domains outside *.mozilla.org, *.mozilla.com, *.mozilla.net, and *.firefox.com, which can net researchers $100.

5. Netflix

Website: https://bugcrowd.com/netflix

Minimum Payout: $200

Maximum Payout: $20,000

In March 2018, Netflix launched a public bounty program for the first time after working with the security community through programs like responsible disclosure and private bug bounty over the previous five years. This public framework considers www.netflix.com, api*.netflix.com and the Netflix mobile apps for iOS and Android, among other assets, to be in-scope. It does not cover third-party websites hosted by non-Netflix entities, Netflix device client applications, jobs.netflix.com, media.netflix.com or ir.netflix.com.

Operating within those parameters, security researchers who report an XSS, CSRF, SQLi or similar flaw affecting www.netflix.com or another one of the program’s “primary” targets may be able to collect a bounty as high as $20,000. Lower bounty amounts of $200 and up are available for lesser-priority weaknesses.

4. Pentagon

Website: https://www.hackerone.com/resources/hack-the-pentagon

Minimum Payout: $100

Maximum Payout: $15,000

First tested in a “pilot run” between April and May 2016, “Hack the Pentagon” is a bug bounty program designed to identify and resolve security vulnerabilities that affect public-facing websites operated by the United States Department of Defense (DoD). The agency’s Digital Defense Service (DDS) created the framework in partnership with HackerOne. Since then, it’s expanded the program to other departments, including “Hack the Army.”

In total, 1,410 researchers and bug bounty hunters registered to take part in the challenge. Of those, 250 ethical hackers discovered a total of 138 vulnerabilities which Defense Media Activity (DMA) deemed were valid and unique. As a result, the DoD awarded approximately $75,000 to security researchers in the program’s first year alone.

3. Tor Project

Website: https://hackerone.com/torproject

Minimum Payout: $100

Maximum Payout: $4,000

Launched in July 2017, the Tor Project’s bug bounty program covers two of its core anonymizing services: its network daemon and browser. Each of those targets comes with its own set of payment tiers and restrictions.

For the Tor Network, security researchers can earn between $100 and $4,000 depending on the severity of the bug they discover. They can also collect a bounty of up to $2,000 for reporting a flaw in one of the third-party libraries used by Tor. (OpenSSL is excluded, but libevent is in scope.) Meanwhile, bounty earners can receive a reward of more than $3,000 for reporting a full proxy bypass or similarly high-severity weakness in the Tor Browser.

2. Uber

Website: https://hackerone.com/uber

Minimum Payout: $500

Maximum Payout: $10,000

The vulnerability rewards program for the ridesharing platform is primarily focused on protecting the data of users and its employees. As such, some of the in-scope vulnerability categories include issues through which an attacker could gain access to a user’s or employee’s data without authorization, forge authenticated requests on the behalf of a victim and carry out phishing attacks against users. These security flaw classes apply to uber.com, partners.uber.com, eats.uber.com and other domains. But those vulnerability types don’t include weaknesses like spear phishing that fail to exploit a technical issue.

Uber calculates the security impact of each vulnerability disclosed to it by taking into account multiplying factors, such as the scale of exposure and the sensitivity of the user data exposed, as well as whether factors like required user interaction or physical access limit the severity of the flaw. It then generally rewards a bounty of between $500 and $10,000. (The phishing bucket range allows for a maximum payout of $5,000 per vulnerability.)

1. WordPress

Website: https://hackerone.com/wordpress

Minimum Payout: $150

Maximum Payout: No predetermined amount

WordPress is primarily interested in cross-site scripting (XSS) bugs, server-side request forgery (SSRF) weaknesses and other vulnerabilities that undermine the security or privacy of its users. It’s not interested in brute-force, DDoS, phishing or other social engineering attacks. Additionally, the program doesn’t consider plugins in scope, as most of those are developed by external organizations. Researchers can still submit a bug report for a plugin, however, as WordPress’s admins will forward the report to the affected plugin’s developers.

As with most other VRPs, WordPress requests that participating bug bounty hunters provide information on how to validate a vulnerability along with a Proof of Concept (PoC). It also asks that security researchers don’t modify or delete any information on live sites and that they wait an appropriate amount of time before publishing details of any discovered vulnerability.


Think we missed an essential bug bounty program? Let us know in the comments!
