In 2019, the State of Security published its most recent list of essential bug bounty frameworks. Numerous organizations and government entities have launched their own vulnerability reward programs (VRPs) since then. COVID-19 has changed the digital security landscape, as well. With that in mind, it’s time for an updated list.
Here are 10 essential bug bounty programs for 2020. (These frameworks are not ranked but are rather listed in alphabetical order.)
Minimum Payout: $5,000
Maximum Payout: $1 million
First announced at Black Hat USA 2016, Apple’s bug bounty program originally welcomed just two dozen security researchers who had previously reported vulnerabilities they had found in the tech giant’s software. The tech firm later opened its bug bounty program to all security researchers, as reported by The Verge in December 2019.
Apple will pay $25,000 for flaws that could allow an actor to gain unauthorized access to a user’s iCloud account. Meanwhile, it will hand over $100,000 to those who can partially extract data from a locked device after first unlock. The highest bounty comes in at $1 million for a zero-click remote chain with full kernel execution and persistence.
Minimum Payout: $500
Maximum Payout: No predetermined amount
Those wishing to qualify for a reward in Facebook’s bug bounty program can report a security issue in Facebook, Atlas, Instagram, WhatsApp and a few other qualifying products and acquisitions. There are a few security issues which the social networking platform considers out-of-bounds, however. For instance, researchers who report on social engineering techniques, content injection or denial-of-service (DoS) attacks won’t be eligible for a bounty.
Under its VRP, Facebook has agreed to pay a minimum of $500 for a responsibly disclosed vulnerability, though some low-severity flaws won’t qualify a researcher for a bounty. Participating bounty hunters may decide to donate their bounties to a charity of a choice. If they elect to do so, Facebook will double the award.
In February 2020, Facebook revealed that it had awarded $2.2 million to researchers from over 60 countries as part of its bug bounty program. A month later, the social networking platform rewarded $55,000 to researcher Amol Baikar that allowed an actor to hijack access tokens when a user attempted to authenticate themselves on other websites via Facebook.
Minimum Payout: $617
Maximum Payout: $30,000+
Hundreds of security researchers have participated in GitHub’s bug bounty program since its launch in June 2013. Each of them has earned points for their vulnerability submissions depending on a flaw’s severity. Based on their work across all targets, those who’ve amassed the most points have secured a position on the VRP’s Leaderboard.
Individuals looking to participate in GitHub’s bug bounty framework should turn their attention to the developer platform’s API, CSP, Enterprise, Gist, the main website and all first-party services. Upon sending over a bug report, researchers can expect to receive between $617 and $30,000+ as a reward. But they’ll receive that bounty only if they respect users’ data and don’t exploit any issue to produce an attack that could harm the integrity of GitHub’s services or information.
In March 2020, GitHub announced that its total payments to researchers had surpassed $1 million in 2019. It paid out $590,000 in rewards that year alone.
Minimum Payout: $100
Maximum Payout: $31,337
Nearly all the content in the .google.com, .youtube.com and the .blogger domains are open for Google’s vulnerability rewards program. The scope of the framework doesn’t apply to weaknesses that could allow someone to conduct phishing attacks against Google employees. The program covers only design and implementation issues that affect the confidentiality and integrity of user data. These weaknesses include XSS vulnerabilities and authentication flaws.
As of this writing, remote code execution vulnerabilities in applications that permit taking over a Google account, normal Google applications and other sensitive applications all net the highest bounty of $31,337. These flaws include sandbox escapes, command injection and deserialization weaknesses. By contrast, a CSRF flaw or clickjacking weakness in non-integrated acquisitions warrants only a $100 reward.
In many respects, 2019 was a big year for Google and its bug bounty programs. In August, the tech giant announced that it had expanded the scope of its Google Play Security Reward Program to include all Google Play apps with over 100 million downloads. It also unveiled the creation of its Developer Data Protection Reward Program at that time. The final change came a few months later when Google increased the maximum payout for its Android bug bounty framework to $1.5 million.
Across all these programs, Google gave out $6.5 million in rewards to researchers in 2019.
Minimum Payout: $500
Maximum Payout: $15,000+
Launched in 2013, HackerOne’s bug bounty program covers nine different domains of the company’s website. On https://hackerone.com, for instance, security researchers can earn at least $500 for a low-severity flaw. The price increases to at least $15,000 for a critical vulnerability. The same award scheme applies to three other domains: https://hackerone-us-west-2-production-attachments.s3-us-west-2.amazonaws.com/, https://api.hackerone.com and *.vpn.hackerone.net. For the remaining domains, researchers can earn between $500 and $7,500 for a security flaw of Low to High severity.
That being said, HackerOne does make clear on its website that it will accept bugs that lay outside of the scope of its bug bounty program. As some examples, HackerOne mentioned a third party leaking sensitive data, a vulnerability that affects the company’s services or another threat that jeopardizes HackerOne.
For a list of other organizations’ bug bounty programs offered by HackerOne, click here.
Minimum Payout: $500
Maximum Payout: $100,000
Revealed at the CanSecWest Security Conference in March 2017, Intel’s bug bounty program targets the company’s hardware (processors, chipsets, solid state drives, etc.), firmware (BIOS, Intel Management Engine, motherboards, etc.) and software (device drivers, applications, and tools). It does not include recent acquisitions, the company’s web infrastructure, third-party products, or anything relating to McAfee, a former Intel subsidiary
For a critical vulnerability discovered in the company’s hardware, researchers can expect to receive a bounty of up to $100,000. On the other end of the spectrum, a low-severity vulnerability affecting Intel’s software will net a bounty hunter up to $500. With that said, if anyone has a history of shunning coordinated disclosure or is a family member of an Intel employee, the company will most likely not admit them to its program.
Intel patched 236 vulnerabilities in 2019, reported ZDNet. Just 15% of the security flaws were CPU-related weaknesses.
Minimum Payout: No predetermined amount
Maximum Payout: $250,000
The active bounties under Microsoft’s VRP change constantly. As of this writing, researchers can earn up to $100,000 for discovering vulnerabilities in applicable Microsoft cloud services. Those looking for a bigger payout can look to discover mitigation bypass issues or critical remote code execution in Hyper-V, bugs which will net bounty hunters rewards of an amount up to $100,000 and $250,000, respectively.
In July 2017, Microsoft launched a Windows bug bounty program. Under that framework, those who submit reports for an eligible vulnerability affecting Windows Insider Preview can hope to collect up to $30,000. A sister program for Windows Defender Application Guard (WDAG) carries the same maximum payout.
Since then, Microsoft has launched bug bounty programs for Xbox, IoT security and election software. Interested parties can learn more about all the programs that fall under the Windows bug bounty framework here.
Minimum Payout: $100
Maximum Payout: $10,000+
Mozilla launched one of the first modern bug bounty programs in 2004. Thirteen years later, the not-for-profit organization behind the popular Firefox web browser relaunched its program. Its VRP today welcomes security researchers who agree to not modify, delete or store user data in their testing of Mozilla’s software.
Currently, Mozilla runs two different bug bounty programs. The first is the organization’s Client Bug Bounty Program through which researchers may report a remote exploit, the cause of a privilege escalation or an information leak in publicly released versions of Firefox or Firefox for Android. Participating researchers can receive $500 for reporting a low-impact vulnerability and potentially over $10,000 for finding a sandbox escape or other critical security flaw.
The not-for-profit organization also runs a Web and Services Bug Bounty Program. This particular framework welcomes security researchers to report on weaknesses from remote code execution bugs affecting critical websites, which come with a $15,000 award, to domain takeover gaps affecting domains outside *.mozilla.org, *.mozilla.com, *.mozilla.net, and *.firefox.com, which can net researchers $200.
Minimum Payout: $100
Maximum Payout: $15,000
First tested in a “pilot run” between April and May 2016, “Hack the Pentagon” is a bug bounty program designed to identify and resolve security vulnerabilities that affect public-facing websites operated by the United States Department of Defense (DoD). The agency’s Digital Defense Service (DDS) created the framework in partnership with HackerOne. Since then, it’s expanded the program to other departments, including “Hack the Army.”
In total, 1,410 researchers and bug bounty hunters registered to take part in the initial challenge. Of those, 250 ethical hackers discovered a total of 138 vulnerabilities which Defense Media Activity (DMA) deemed were valid and unique. As a result, the DoD awarded approximately $75,000 to security researchers in the program’s first year alone.
The Department of Defense’s bug bounty program has already yielded hundreds of security vulnerabilities in 2020. For instance, the “Hack the Army 2.0” program unearthed over 145 flaws. “Hack the Air Force 4.0” uncovered even more at over 460 flaws.
Zoom Video Communications, Inc. used to host a bug bounty program on HackerOne. The company still has a page on the vulnerability research platform. While it specifies what types of vulnerabilities are out-of-scope for Zoom’s program, the page doesn’t provide additional details about the scheme. Instead, it instructs security researchers to contact Zoom’s security team.
Following the global outbreak of COVID-19, security researchers discovered numerous issues affecting the video communications platform. The company subsequently partnered with Luta Security to revise its bug bounty program. As of this writing, Zoom was soliciting feedback from security researchers on improving its vulnerability research framework.
Think we missed an essential bug bounty program? Let us know on Twitter.