9 of the Biggest Bug Bounty Programs
These programs stand out for the size of their rewards and how much they have paid in total to security researchers in bounties over the last several years.
August 11, 2017
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt634ef97b99b71b48/64f0d820bf9134e30b85307f/01-bughunting.jpg?width=700&auto=webp&quality=80&disable=upscale)
Bug bounty programs have become an increasingly popular way for organizations to find and fix vulnerabilities in their software and services.
Until relatively recently it was mainly the software companies and technology firms that employed the tactic.
However, over the last two years or so a growing number of other organizations—such as airlines, automobile companies and financial firms—have begun crowdsourcing their vulnerability discovery via formal bug hunting programs as well.
The primary appeal of these programs is that they give organizations—especially resource strapped ones—a relatively low cost way to discover security holes they might have missed otherwise.
Bug bounty coordination firms such as HackerOne and BugCrowd have both reported widespread interest in their services from organizations across the spectrum. Both maintain rosters of thousands of security researchers.
"We are seeing adoption continue to grow as enterprises are recognizing that bug bounty programs are a key aspect of their security program," says David Baker, vice president of operations at BugCrowd.
Just this week, for instance, BugCrowd announced that it had launched a bug bounty program for an undisclosed customer. What made the announcement significant is the maximum reward of $250,000 being offered under the program, one of the highest payouts in the industry. Any researcher can apply for the program, but only those selected can participate.
"As the model gains traction, it’s attracted more traditional businesses looking to combat the impact of a growing and changing attack surface and motivated adversaries," Baker says.
Here, in no particular order, are some of the top bug bounty programs:
Over the years Microsoft has launched multiple bug bounty programs covering a wide range of products. But with a top reward of $250,000, the Windows Bug Bounty program that it launched in July stands out for having one of the largest payouts for bug discovery offered by a technology vendor. The program covers Windows 10 including Windows Insider Preview.
Security researchers who find a remote code execution, elevation of privilege, or other critical flaw in Microsoft Hyper-V can earn between $5,000 and $250,000. Rewards for Windows 10 mitigation bypass flaws top out at $200,000 while flaws in technologies like Microsoft Edge and Windows Defender Application Guard range from $500 to $30,000.
BugCrowd this week launched a new bug bounty program that offers a top payout of $250,000, in line with Microsoft's highest award. Unlike invite-only bug hunting programs, any security researcher can apply to participate; however, only those actually selected for the program can take part.
According to BugCrowd, security researchers with experience in virtual machine breakout, cross-instance manipulation, exploitation of host components, and advanced application security might want to consider applying for the program.
Google's bug bounty program makes the cut simply because the company has perhaps paid out more in bounties to security researchers than anyone else, at least publicly. Since it launched its vulnerability reward program in 2010, Google has paid out over $9 million to researchers who have found bugs in Google-owned web services, Google apps, Android, and Chrome. The company has rewarded over 1,000 bug hunters for their vulnerability discoveries, with the highest individual payout so far being $100,000.
Typical individual payouts are fairly modest, ranging from $100 to slightly over $31,300 for remote code execution flaws such as command injection and deserialization bugs.
Perhaps no program better exemplifies just how lucrative bug hunting can be than Exodus Intelligence's RSP. The program was launched in August 2016 and offers handsome rewards to security researchers who find 0-day vulnerabilities in certain products, as well as fully functional exploits for already-patched ones.
The program's zero-day hit list includes a maximum reward of $500,000 for iOS exploits, $150,000 for Chrome exploits and $125,000 for exploits in Microsoft Edge. The rewards for these categories are substantially higher than what the vendors themselves offer. Also, unlike vendors who purchase vulnerability information so they can fix their products, Exodus resells the information to its subscribers.
Hack The Pentagon was a U.S. Department of Defense (DoD) bug bounty program that ran between April 2016 and May 2016. In that one month, a total of about 250 vulnerability researchers reported bugs to the Pentagon, of which 138 were found to be eligible for bounties that ranged from $100 to $15,000. In all, the government paid a total of $75,000 for bugs reported in the Pentagon's public-facing websites, under the program.
Hack The Pentagon was the first federal government bug bounty program and the reason it continues to be significant is because it launched a new DoD vulnerability disclosure program. Following the success of the Hack The Pentagon program, the DoD held a Hack The Army and a Hack The Air Force bug bounty program and plans to hold more than a dozen similar challenges.
Apple was one of the last among the major technology vendors to launch a bug bounty program. When it finally did so at Black Hat USA 2016, it came out with an invitation-only rewards program that matched the best in the industry, at least in terms of the payouts offered. The company, for instance, currently offers a bounty of up to $200,000 for critical vulnerabilities in its secure boot technologies. Apple promises up to $100,000 for certain types of flaws in its Secure Enclave technology and $50,000 for remotely executable vulnerabilities that allow unauthorized access to account data in iCloud.
But high as the rewards appear to be, they apparently aren't enough. Bugs in Apple products, because of their relative rarity, command much higher prices on the open market than the bounties offered by the company. The $500,000 bounty offered by Exodus for Apple 0-days is just one example. So bug hunters have not exactly been tripping over themselves to report their finds to the vendor.
Like Google, Facebook makes the list not so much because of the size of its highest payout but because of the amount it has cumulatively paid over the years to researchers who have found security flaws in its products. As of last October, Facebook said it had paid out over $5 million in bounties to bug hunters in five years. In the first half of 2016 alone, the company received over 9,000 reports and paid over $611,000 to 149 researchers. In January this year, Facebook awarded its biggest single bounty ever, $40,000, to a researcher who discovered a critical remotely executable flaw in a photo-editing tool.
Finnish insurance giant LocalTapiola currently offers the highest bug bounty - $50,000 - on the HackerOne platform. The bug bounty program is private and open only to individuals who have a proven track record and reputation. The company says it has a backlog of researchers on its roster already. It recently paid $18,000 to one hacker but no one has claimed the top prize yet.