Bug bounty programs have gained popularity in recent years, spurred on particularly strongly by the pandemic.
What Is a Bug Bounty?
A bug bounty is a program implemented by companies to engage security researchers and ethical hackers in identifying and reporting security vulnerabilities. In exchange for their services, these programs offer prizes ranging from public recognition, inclusion in “halls of fame”, and free merch and swag to monetary rewards. The scope of the program and its rules of engagement are set by the organisation, and in some cases the program will specify reporting guidelines and the severity threshold above which it considers a bug reportable as an issue.
These programs enable companies to leverage the specialised skills and expertise of a diverse community of security experts, especially on open programs. Bug hunters can employ tailored approaches and custom tools to detect bugs in the company’s particular environment. When a vulnerability is found, the researcher submits a detailed report to the company, which verifies it and assesses its severity. Valid vulnerabilities may earn bug bounty hunters a reward based on that severity. Generally, each program outlines tiers for its rewards, and often the rewards vary based on the product or solution the vulnerability was discovered in.
Many bug bounty programs and platforms, such as HackerOne and Bugcrowd, are open to the public. However, some programs are invite-only. After all, confidentiality constraints might mean the company selects specific bug hunters for the job.
Top Bug Bounty Platforms
Here are some top bug bounty programs that are publicly available to anyone. You can apply through their websites at any time.
1) Microsoft
The Microsoft bug bounty programs encourage researchers to identify and report vulnerabilities and bugs within their systems. At the time of writing, Microsoft has three separate groups of bug bounty programs: Cloud, Platform, and Defense and Grant. Microsoft’s programs exclude attacks that require a physical component as well as social engineering.
- Pros: High cash rewards and varied attack targets.
- Cons: High threshold for vulnerabilities.
- Amount payable: The rewards range from $15,000-$250,000.
2) Google
Google’s vulnerability rewards program spans a wide range of products, including YouTube and Blogger. Google also has a Bug Hunter University that helps aspiring bug hunters learn new skills and level up existing skills critical to identifying bugs. Google’s Bug Hunters program is open to any security researcher, who can apply to find and report bugs.
- Pros: Good learning resources and fast response times to bug reports.
- Cons: At the time of writing, rewards are relatively low compared to others on the list. However, it should be noted that reward amounts are indicative, and Google’s all-time highest payout is $605,000.
- Amount payable: Rewards range from $100 for ‘Execute code on the client’ and ‘Other valid security vulnerabilities’ in the ‘Non-integrated acquisitions and other sandboxed or lower priority applications’ category to $31,337 for higher priority vulnerabilities, such as remote code execution in applications that permit taking over a Google account.
3) Apple
The Apple Security Bounty is split into two categories, Products and Services, and both offer very good cash incentives for bug discovery. In addition to its open Security Bounty program, Apple can provide unlocked research devices to bug hunters, allowing them to focus on specific security issues without first having to unravel all of the device’s security features. The Security Research Device (SRD) program is closed and requires the bug hunter to demonstrate that they have previously identified bugs in Apple or other equivalent modern operating systems and platforms.
- Pros: Very good cash rewards.
- Cons: The Security Research Device program is only available to experienced bug hunters.
- Amount payable: Rewards range from $500 to $1,000,000 with potential extra bonuses of $1,500,000 to $2,000,000.
4) Yahoo
The Yahoo bug bounty program offers rewards for a wide array of vulnerabilities when security researchers discover them and submit bug reports. At Yahoo’s sole discretion, qualifying bugs are rewarded according to severity. Yahoo uses two bug bounty platforms, HackerOne and Intigriti, to list its program. Unfortunately, the Yahoo program has been criticised in the past for poor rewards and payouts. Fortunately, Yahoo now has a program fairly comparable to others on the list and has paid out more than $23 million at the time of writing.
- Pros: The program is available on reputable bug bounty platforms.
- Cons: Poor but improving historical program reputation.
- Amount payable: Rewards range from $100 to $15,000.
5) Meta
Meta is one of the largest companies globally, so it makes sense that it offers bug bounties for vulnerability disclosure within its software. The Meta bug bounty covers Facebook, Instagram, and WhatsApp and extends to the Metaverse, including physical products like Meta Quest and Ray-Ban Stories. Meta’s Hacker Plus loyalty rewards program includes a semi-gamified league system with rewards, including cash multiplier bonuses, that depend on the tier the bug hunter achieves.
- Pros: Gamified league table with multiplier bonuses and rewards based on achieved tier.
- Cons: Mature security program, so bugs are hard to find.
- Amount payable: Payouts range from $500 to $300,000.
Summary
Bug bounty programs have become integral to companies’ security strategies, allowing them to tap into the expertise of independent security researchers and ethical hackers. These programs create a collaborative environment in which vulnerabilities can be identified and reported, improving the organisation’s security posture. By leveraging the skills of a diverse community of experts, bug bounty programs contribute to strengthening cybersecurity practices and protecting digital ecosystems.