14 Essential Bug Bounty Programs of 2019


In 2017, The State of Security published its most recent list of essential bug bounty frameworks. Numerous organizations and government entities have launched their own vulnerability reward programs (VRPs) since then. With that in mind, it’s time for an updated list.

Here are 14 essential bug bounty programs for 2019.

14. Apple

Website: Invite-only

Minimum Payout: No predetermined amount

Maximum Payout: $200,000

First launched in September 2016, Apple’s bug bounty program initially welcomed just two dozen security researchers who had previously reported vulnerabilities they’d found in the tech giant’s software. The framework has possibly expanded since then to include additional bug bounty hunters. Without a public website, however, it’s difficult to ascertain any details about the program, including which ethical hackers have claimed bounties.

Ivan Krstic of Apple’s Security Engineering and Architecture team announced the bug bounty program at Black Hat USA 2016. According to him, his employer pays $25,000 for flaws that could allow an actor to gain access from a sandboxed process to outside user data. Meanwhile, it will hand over $100,000 to those who can extract data protected by Apple’s Secure Enclave technology. The highest bounty comes in at $200,000 for security issues affecting its firmware.

As reported by Motherboard, security researchers are now sharing iOS vulnerabilities with Apple, and the tech giant is rewarding these individuals with bounties for their findings.

13. European Union

Website: https://juliareda.eu/2018/12/eu-fossa-bug-bounties/

Minimum Payout: Various

Maximum Payout: Various

European Parliament member Julia Reda announced that the European Commission will be launching 14 out of a total of 15 bug bounty programs in January 2019. Those bug bounties are for free and open-source software projects on which various institutions of the European Union rely. Anyone is welcome to participate by submitting bugs and vulnerabilities they find to the involved bug bounty platforms.

As of this writing, one of the bug bounty programs has already gone live. This particular vulnerability disclosure framework covers the KeePass password manager. Interested parties will have until the end of July to report flaws affecting the password manager via Intigriti/Deloitte. They can expect a reward of €500 for a low-level vulnerability and up to €25,000 for what KeePass considers to be an “exceptional” flaw.

12. Facebook

Website: https://www.facebook.com/whitehat

Minimum Payout: $500

Maximum Payout: No predetermined amount

Those wishing to qualify for a reward in Facebook’s bug bounty program can report a security issue in Facebook, Atlas, Instagram, WhatsApp and a few other qualifying products and acquisitions. There are a few security issues which the social networking platform considers out-of-bounds, however. For instance, researchers who report on social engineering techniques, content injection or denial-of-service (DoS) attacks won’t be eligible for a bounty.

Under its VRP, Facebook has agreed to pay a minimum of $500 for a responsibly disclosed vulnerability, though some low-severity flaws won’t qualify a researcher for a bounty. Participating bounty hunters may decide to donate their bounties to a charity of their choice. If they elect to do so, Facebook will double the award.

11. GitHub

Website: https://bounty.github.com/

Minimum Payout: $555

Maximum Payout: $20,000

Hundreds of security researchers have participated in GitHub’s bug bounty program since its launch in June 2013. Each of them has earned points for their vulnerability submissions depending on a flaw’s severity. Based on their work across all targets, those who’ve accumulated the most total points have secured a spot on the VRP’s Leaderboard.

Individuals looking to participate in GitHub’s bug bounty framework should turn their attention to the developer platform’s API, CSP, Enterprise, Gist and the main website. Upon sending over a bug report, researchers can expect to receive between $555 and $20,000 as a reward. But they’ll receive that bounty only if they respect users’ data and don’t exploit any issue to produce an attack that could harm the integrity of GitHub’s services or information.

10. Google

Website: https://www.google.com/about/appsecurity/reward-program/

Minimum Payout: $100

Maximum Payout: $31,337

Nearly all the content in the .google.com, .youtube.com and the .blogger domains is open for Google’s vulnerability rewards program. The scope of the framework doesn’t apply to weaknesses that could allow someone to conduct phishing attacks against Google employees. The program covers only design and implementation issues that affect the confidentiality and integrity of user data. These weaknesses include XSS vulnerabilities and authentication flaws.

As of this writing, remote code execution vulnerabilities in applications that permit taking over a Google account, normal Google applications and other sensitive applications all net the highest bounty of $31,337. These flaws include sandbox escapes, command injection and deserialization weaknesses. By contrast, a CSRF flaw or clickjacking weakness in non-integrated acquisitions warrants just a $100 reward.

9. HP

Website: http://hp.com/go/printersthatprotect

Minimum Payout: No predetermined amount

Maximum Payout: $10,000

In September 2018, Hewlett-Packard (HP) launched a private bug bounty program through Bugcrowd. The multinational information technology company launched its vulnerability research framework to underscore “its commitment to deliver the world’s most secure printers.” As such, HP was the first entity to ever launch a bug bounty program for printing devices.

Under its program, HP will offer security researchers up to $10,000 for submitting a report on a vulnerability affecting one of its printers. It’s not entirely clear how severe these security weaknesses must be to warrant this level of payout. However, a case study published by Bugcrowd did reveal that the average priority level of flaws reported to HP so far was 2.34.

8. Intel

Website: https://security-center.intel.com/BugBountyProgram.aspx

Minimum Payout: $500

Maximum Payout: $100,000

Revealed at the CanSecWest Security Conference in March 2017, Intel’s bug bounty program targets the company’s hardware (processors, chipsets, solid state drives, etc.), firmware (BIOS, Intel Management Engine, motherboards, etc.) and software (software drivers, applications, and tools). It does not include recent acquisitions, the company’s web infrastructure, third-party products, or anything relating to McAfee, a former Intel subsidiary.

For a critical vulnerability discovered in the company’s hardware, researchers can expect to receive a bounty of up to $100,000. On the other end of the spectrum, a low-severity vulnerability affecting Intel’s software will net a bounty hunter up to $500. With that said, if someone has a history of shunning coordinated disclosure or is a family member of an Intel employee, the company may not admit them to its program.

7. Microsoft

Website: https://technet.microsoft.com/en-us/library/dn425036.aspx

Minimum Payout: No predetermined amount

Maximum Payout: $250,000

The active bounties under Microsoft’s VRP change regularly. As of this writing, researchers can earn up to $15,000 for finding vulnerabilities in applicable Microsoft cloud services. Those looking for a bigger payout can look to find Mitigation bypass issues or critical remote code execution in Hyper-V, bugs which can net bounty hunters rewards of up to $100,000 and $250,000, respectively.

In July 2017, Microsoft launched a Windows bug bounty program. Under that framework, those who submit reports for an eligible vulnerability affecting Windows Insider Preview can hope to collect between $500 and $15,000. A sister program for Windows Defender Application Guard (WDAG) upped the maximum payout to $30,000. Interested parties can learn more about all the programs that fall under the Windows bug bounty framework here.

6. Mozilla

Website: https://www.mozilla.org/en-US/security/bug-bounty/

Minimum Payout: $100

Maximum Payout: $10,000+

Mozilla launched one of the first modern bug bounty programs in 2004. Thirteen years later, the not-for-profit organization behind the popular Firefox web browser relaunched its program. Its VRP today welcomes security researchers who agree not to modify, delete or store user data in their testing of Mozilla’s software.

Currently, Mozilla runs two different bug bounty programs. The first is the organization’s Client Bug Bounty Program, in which researchers may report a remote exploit, the cause of a privilege escalation or an information leak in publicly released versions of Firefox or Firefox for Android. Participating researchers can receive $500 for reporting a moderate vulnerability and potentially over $10,000 for finding a novel vulnerability and exploit, new form of exploitation or an exceptional vulnerability.

The not-for-profit organization also runs a Web and Services Bug Bounty Program. This particular framework welcomes security researchers to report on weaknesses ranging from remote code execution bugs affecting critical websites, which come with a $5,000 award, to domain takeover gaps affecting domains outside *.mozilla.org, *.mozilla.com, *.mozilla.net, and *.firefox.com, which can net researchers $100.

5. Netflix

Website: https://bugcrowd.com/netflix

Minimum Payout: $200

Maximum Payout: $20,000

In March 2018, Netflix launched a public bounty program for the first time after working with the security community through programs like responsible disclosure and private bug bounty over the previous five years. This public framework considers www.netflix.com, api*.netflix.com and the Netflix mobile apps for iOS and Android, among other assets, to be in-scope. It does not cover third-party websites hosted by non-Netflix entities, Netflix software client applications, jobs.netflix.com, media.netflix.com or ir.netflix.com.

Operating within those parameters, security researchers who report an XSS, CSRF, SQLi or similar flaw affecting www.netflix.com or any other one of the program’s “primary” targets could collect a bounty as high as $20,000. Lower bounty amounts of $200 and up are available for lesser-priority weaknesses.

4. Pentagon

Website: https://www.hackerone.com/resources/hack-the-pentagon

Minimum Payout: $100

Maximum Payout: $15,000

First tested in a “pilot run” between April and May 2016, “Hack the Pentagon” is a bug bounty program designed to identify and resolve security vulnerabilities that affect public-facing websites operated by the United States Department of Defense (DoD). The agency’s Digital Defense Service (DDS) created the framework in partnership with HackerOne. Since then, it’s expanded the program to other departments, including “Hack the Army.”

In total, 1,410 researchers and bug bounty hunters registered to take part in the challenge. Of those, 250 ethical hackers discovered a total of 138 vulnerabilities which Defense Media Activity (DMA) deemed were valid and unique. As a result, the DoD awarded approximately $75,000 to security researchers in the program’s first year alone.

3. Tor Project

Website: https://hackerone.com/torproject

Minimum Payout: $100

Maximum Payout: $4,000

Launched in July 2017, the Tor Project’s bug bounty program covers two of its core anonymizing services: its network daemon and browser. Each of those targets comes with its own set of payment tiers and restrictions.

For the Tor Network, security researchers can earn between $100 and $4,000 depending on the severity of the bug they discover. They can also collect a bounty of up to $2,000 for reporting a flaw in one of the third-party libraries used by Tor. (OpenSSL is excluded, but libevent is in scope.) Meanwhile, bounty earners can receive a reward of more than $3,000 for reporting a full proxy bypass or similarly high-severity weakness in the Tor Browser.

2. Uber

Website: https://hackerone.com/uber

Minimum Payout: $500

Maximum Payout: $10,000

The vulnerability rewards program for the ridesharing platform is primarily focused on protecting the data of users and its employees. As such, some of the in-scope vulnerability categories include issues in which an attacker could gain access to a user’s or employee’s data without authorization, forge authenticated requests on behalf of a victim and carry out phishing attacks against users. These security flaw classes apply to uber.com, partners.uber.com, eats.uber.com and other domains. But those vulnerability types don’t include weaknesses like spear phishing that fail to exploit a technical issue.

Uber calculates the security impact of each vulnerability disclosed to it by considering multiplying factors, such as scale of exposure and sensitivity of user data exposed, as well as whether factors like user interaction or physical access limit the severity of the flaw. It then generally rewards a bounty of between $500 and $10,000. (The phishing bucket range allows for a maximum payout of $5,000 per vulnerability.)

1. WordPress

Website: https://hackerone.com/wordpress

Minimum Payout: $150

Maximum Payout: No predetermined amount

WordPress is primarily interested in cross-site scripting (XSS) bugs, server-side request forgery (SSRF) weaknesses and other vulnerabilities that undermine the security or privacy of its users. It’s not interested in brute-force, DDoS, phishing or other social engineering attacks. Additionally, the program doesn’t consider plugins in scope, as most of those programs are developed by external organizations. Researchers can still submit a bug report for a plugin, however, as WordPress’s admins will send the report to the affected plugin’s developers.

As with most other VRPs, WordPress requests that participating bug bounty hunters provide information on how to validate a vulnerability along with a Proof of Concept (PoC). It also asks that security researchers don’t modify or delete any data on live sites and that they wait an appropriate amount of time before publishing details of any discovered vulnerability.


Think we missed an essential bug bounty program? Let us know in the comments!

