Hacking is constantly misunderstood in pop culture.
From an 11-year-old crashing Wall Street and flying through 3D landscapes in Hackers to “hacking” an entire city in Watch Dogs, it’s easy to see why it’s seen as an extreme and dangerous hobby to have.
In reality, there are plenty of “white-hat” (well-intentioned) hackers who help companies to identify security weaknesses in their programs through bug bounties.
So, to de-mystify the air around bug bounty programs and white-hat hacking, this post will show you:
- What bug bounties are
- How you can start earning money through them
- What to consider when setting up your own bug bounty program
- 20 examples of top bug bounty programs you can take inspiration from or take part in yourself
Let’s get started.
What are bug bounties?
Bug bounties (or “bug bounty programs”) is the name given to a deal where you can find “bugs” in a piece of software, website, and so on, in exchange for money, recognition or both.
Think of it as offering a prize to anyone who can find security issues so that they can be fixed before they become an issue.
Bug bounties given out by companies usually have strict rules which submissions need to follow in order to be accepted or considered eligible for payment. This is partially to protect the company from spam but also to make it easier to fix any problems which are identified.
For example, one common rule is that any bug found should not be shared with anyone else until the website offering the bounty has been informed. That way the vulnerability can be fixed before others know it’s there.
What does it take to hunt bugs?
Earning a living from bug hunting isn’t easy, even for the top performers. With work based on results rather than any kind of guaranteed salary, everything hinges on your ability to select good bounty programs and perform well.
This isn’t Hackers – you can’t sit in front of a computer and fly through a 3D environment. You need hard knowledge and experience with bug hunting and penetration testing to get anywhere.
Thankfully, you don’t have to piece everything together yourself.
He lays out the following basic steps to becoming a bug hunter:
- Read the basics of penetration testing and bug hunting
- Practice on vulnerable applications and systems
- Check out what other hackers are doing
- Take part in the community
- Learn the basics of bug bounties
- Start by hacking the “kudos only” programs (like Process Street’s program)
- Keep learning and networking
- Work your way up to paid bounties
Again, I’d highly recommend checking out Sam Houston’s guide in full for details and some great resources to help you at every step.
You can also check out this pen-test process of ours which you can add to your account and edit to meet your needs:
The pros and cons of bug bounty programs
Bug bounty pros
The main advantages of bug bounties are as follows:
- More bugs will be found due to the wider scope of applicants (vs in-house)
- Bugs are more likely to be identified before they do damage
- The more people you have checking your code, the less likely major bugs are to slip through the cracks
- The time that would be spent on fine-combing your software can be spent on other projects
The benefits here are pretty self-explanatory, and almost entirely stem from the decision to incentivize your audience to find errors in your software and tell you (rather than others finding them to exploit them).
In a way, the benefits are similar to that of remote hiring.
You’re no longer limited to the talents available to your team locally, as reports can be submitted from anywhere in the world. This means that you’ll benefit from a larger pool of candidates than you have in-house and make use of the best talent available from across the world.
Due to the extra hands, it’s far more likely that any major bugs or security gaps will be identified before they cause an issue or others with more malicious intents discover them.
It’s better for a bug hunter to find your problems than a malicious hacker.
Finally, any time saved by bug bounty hunters finding issues rather than your team having to trawl through your program to find the route of the problem can be spent on other tasks. More effort can be put towards fixing and improving your service instead of just digging to the cause of an error or weakness.
Bug bounty cons
Bug bounties aren’t all smooth sailing – they have many drawbacks which are easily (and wrongly) glossed over when considering the positives.
- Bug bounty programs require extra time and resources to manage, review, and act on
- Having a program incentivizes others to attempt to break your software no matter their intentions
- Tests by researchers can be difficult to tell apart from malicious attacks
- Researchers who feel badly treated may instead sell the bug information to other sources
First up is the big one. You might think that a bug bounty program will free up your time and money to do other things.
That’s not entirely true.
Bug bounty programs take careful management to run effectively, and at the very least will need staff dedicating their time to review the submitted pieces to assess whether the researcher meets the criteria for payment.
Not to mention that it can pay dividends to have someone to interact with the community hunting your bugs. Remember that these are people who have the ability to break your programs – it’s much better for you to maintain a good relationship with them. You may even get the attention of more skilled bug hunters as a result.
However, the very existence of bug bounties will incentivize people to break your software no matter their background or intentions. You’ll get white-hat hackers, black-hat hackers, script kiddies, and everything in-between.
Some will genuinely want to find bugs and report them to you. Others may want to ransom the bugs they find back to you (or to another party). Others still may just want to break your service for the hell of it.
Plus, if a relationship with a researcher goes sour (eg, there’s a payment dispute) there’s a chance that they will use that as motivation to ransom off your security breaches.
All in all, bug bounties shouldn’t be undertaken by anyone who isn’t prepared to manage the submissions effectively and deal with the potential consequences.
Bug bounties aren’t a “set it and forget it” practice. Doing so is akin to hanging a sign on your virtual front door saying “Please hack me”.
What’s the reward?
Rewards vary wildly depending on the company offering the bounty, the severity of the bug, and how much information you can give them.
At the bottom end, you might get absolutely nothing for solving a minor issue, poorly formatting your submission or not including enough information to make the bug repeatable.
On the top end, Microsoft paid $200,000 to Vasilis Pappas in 2012 for identifying a security vulnerability and creating a program to deal with it.
Again, the bounty payout depends largely on the company offering it and the scope of the bug you find. Those who make a full-time job of hunting bugs don’t tend to earn a big paycheck habitually though.
Companies can also offer recognition for those who manage to find bugs through a “hall of fame” – this is usually a page linked to their bug bounty program. While it’s a less desirable reward than payment, for smaller companies with limited resources this can be their only option.
The final reward is much, much rarer than any of the others. Sometimes those who find key bugs and weaknesses in a company will get an offer to work for the company they pick apart.
For example, Nicholas Allegra ‘Comex’ received an internship with Apple after creating a website which allowed iPad and iPhone users to jailbreak their devices.
It doesn’t happen often but it’s certainly not unheard of that companies would want to take advantage of the best talent they can find.
Process Street’s bug bounties
We take our security very seriously but we also know that our team can’t possibly cover every contingency. That’s why we’re more than open to any reports of vulnerabilities from those who:
- Ensure that the vulnerability is not publicly disclosed before we’ve had a reasonable period of time to fix it
- Keep communication channels open to allow effective collaboration
While we can’t offer a cash prize, we have a Security Research Hall of Fame set up and ready to be filled with anyone who helps us to make sure everything is watertight.
We’ll also include a link to you in this hall of fame so that anyone looking at our bug bounty project can reach out to our top performers.
If you want to take part and manage to find a security vulnerability in our site or platforms, please email our security team. To help us work with you (and to avoid asking you annoying questions) it’d be great if you could include the following details with your report:
- A description of the location and potential impact of the vulnerability
- A detailed description of the steps required to reproduce the vulnerability
- Your name/handle and a link for recognition in our Security Researcher Hall of Fame.
Top 20 bug bounties list
- Link: https://bugcrowd.com/agilebits
- Reward: $100 – $100,000
The 1Password bug bounty program comes with an official warning that it is not an easy target. Being a password storage app, you can understand why their security would be difficult to break into.
1Password doesn’t want researchers to fail though. In fact, once you opt-in, you’ll get access to a research vault containing information to help you find security issues.
Their rewards vary wildly depending on the severity of the issue found and the top $100k prize is only awarded for finding the ‘unencrypted “bad poetry” flag’ but it’s certainly interesting to see less of a bug program and more of a challenge to those who think they’re up to it.
- Link: https://hackerone.com/airtable
- Reward: $100 – $10,000
Airtable is a fantastic app which we often talk about here on the Process Street blog, and anyone who helps to make it a more secure service is a hero in our books.
Their bug bounty plan is fairly standard, with payments based on the severity of the issue found. The main difference with previous entries in this list is that they ask that all researchers only use their staging environment over at staging.airtable.com.
- Link: Invite-only
- Reward: $25,000 – $200,000
Launched back in 2016, Apple’s bug bounty program is an exclusive club. Having started with only 12 appointed researchers and standing as an invite-only program, it’s unlikely that you’ll get into the program by simply submitting a bug through their support channel.
However, for our purposes, it does a great job of showing the kind of money bug bounties can pay out at the top end.
- Link: https://hackerone.com/blockchain
- Reward: $50 – $2,000
With the boom of cryptocurrency came a dire need of security in these lucrative markets, and Blockchain has a bug bounty program to help boost their efforts.
With an average bounty of $100, an average response time of 4 hours, and an average of 21 hours until the bounty is awarded (at the time of writing), Blockchain treats their researchers’ time with respect. That is, as long as you meet their rules when submitting your bug.
- Link: https://hackerone.com/blockimmo
- Reward: $250 – $10,000
Being less popular can be a good thing in a business like bug hunting. That means fewer people are competing for the same bounty on the same site.
So, if you want to try your hand at a less-contested site, give blockimmo a try.
- Link: https://hackerone.com/deliveroo
- Reward: $150 – $2,500
There’s not too much special about Deliveroo’s bug bounty program – it’s a standard affair of focusing on the security of customer data and their services.
However, being par-for-the-course doesn’t make it any less viable for those looking to earn money through bug bounty hunting.
Plus, on a personal note, I find it funny (and a little worrying) that their rules have to specify that physical attacks on their property do not count as a valid bug bounty.
- Link: https://hackerone.com/dropbox
- Reward: $216 – $32,768 (no set maximum)
Dropbox is another case of bug bounty researchers treading a very fine line with the companies they’re testing.
For one thing, their rules and exceptions list is the largest of any company so far. For another, they make it very clear that no user data should be accessed and, if it is, Dropbox should be notified ASAP and the data not examined, changed or otherwise interfered with.
Other than that, their bug bounties are a more than acceptable choice if you’re trying to earn a living doing this full-time. With a total payout (at the time of writing) of $295,317, they’re far from shy to give rewards to those who find valid vulnerabilities.
- Link: https://www.facebook.com/whitehat
- Reward: Minimum $500
Facebook’s bug bounty program is much more accessible, allowing anyone to submit bugs through their premade form. As long as the vulnerability is of a reasonable level of importance and your submission meets their rules, the minimum bounty payout is a tidy $500.
They also list every researcher who received a payout for submitting a bug in their thanks page.
- Link: https://bounty.github.com/
- Reward: $617 – $30,000
With a snazzy leaderboard, custom badges for contributors and enough supplementary information to sink the Titanic, GitHub have an almost inspirational bug bounty program set up.
If you’re sick and tired of trying to submit bug bounties, only to be rejected due to the company not making their rules clear enough, this is a great place to jump in.
- Link: https://www.google.com/about/appsecurity/reward-program/
- Reward: $100 – $31,337
Google is very particular about the bugs submitted to them but has one of the largest scopes of any other program. Everything under the .google.com, .youtube.com, and .blogger domains is fair game, aside from issues which they consider to be low-risk.
Thankfully, unlike many others, Google has published a “Bug Hunter University” through which researchers can learn how to improve their reports, which issues qualify for a reward and which don’t, and report their issues.
- Link: https://hackerone.com/grammarly
- Rewards: $250 – $7,000
Grammarly has saved my skin more times than I can count. It’s a truly fantastic service which can make the life of anyone who earns a living online much easier to handle.
In terms of their bug bounty program, the main point which sticks out is that they directly state their dedication to not wasting the time of researchers who contact them.
To that end, they vow to get back to you within 3 business days and make a bounty determination (after verifying the threat) within 10 business days.
- Link: https://hackerone.com/hyperledger
- Reward: $200 – $2,000
Despite this extra information, however, few reports have been solved (6 at the time of writing) compared to many other entries on this list. This makes it another decent candidate for a less-contested platform if you’re looking for something else to sink your research teeth into.
- Link: Invite-only
- Reward: Unknown ($65,000 paid out in 9 months)
LinkedIn’s bug bounty program comes with an unusually pleasant story of its founding. After trawling through many security report submissions which were sub-par, the LinkedIn team found that a core group of people performed consistently well.
“… a smaller group of researchers emerged who always provided excellent write-ups, were a pleasure to work with and genuinely expressed concerned about reducing risk introduced by vulnerabilities.” – Cory Scott, LinkedIn’s Private Bug Bounty Program
This led to the creation of their private program and the invitation of those high performers to continue finding bugs but for cash rewards this time.
- Link: https://www.microsoft.com/en-us/msrc/bounty
- Reward: No lower limit – $250,000
As you might expect coming from Microsoft, the potential bounty payouts here are huge. With up to $250,000 up for grabs, you can bet your bottom dollar that their bugs are going to be highly contested amongst those looking to earn a living through bug hunting.
All in all, it’s a solid bug bounty program to go after but, considering the potential rewards, the size of the company, and the resources they already have on hand, it’s best to not expect the path to a bounty to be easy.
- Link: https://www.mozilla.org/en-US/security/bug-bounty/
- Reward: $100 – $10,000+
Each program pays differently depending on the severity of the bug found but the client bounty program pays the most at the top end. That is, the client program has a top prize of $10,000 while the web program ends with a maximum reward of $5,000.
- Link: https://bugcrowd.com/netflix
- Reward: $200 – $20,000
Netflix should need no introduction at this point but the streaming giant’s success also makes it a much bigger target for malicious hackers. Hence their bug bounty program.
There’s not much to say to differentiate the program itself from the others on this list, although it’s worth noting that they have an exceptional response rate when it comes to bug reports.
With an average payout of $1,220.45 (at the time of writing) and 75% of reports validated or rejected within 2 days, it hits a sweet spot in the balance of fast replies and good rewards.
- Link: https://hackerone.com/nintendo
- Reward: $100 – $20,000
Let’s mix things up with a gaming company this time. The owner of Mario and Zelda is offering rewards to anyone who can find exploits relating to piracy and/or cheating on their newer consoles.
This is due to Nintendo’s profits coming from their newer products – they don’t receive anything for the reselling of old consoles or games, so their anti-piracy and cheating focus will naturally fall off as soon as there’s a new model to replace the old one.
- Link: https://slack-files.com/T2C8V3QM6-F2C8VAE9L-57d0d1dd01
- Reward: $100 – $10,000
With 864 resolved reports and $443,216 total bounties paid (at the time of writing), Slack is a pretty popular bug bounty target. Then again, with an average of $513 per resolved report, it’s easy to see why.
It’s also why you shouldn’t target this program as a beginner.
As stated earlier, popular bug bounty programs are naturally more contested and so it’s difficult for someone with limited experience to get any kind of bounty.
That being said, if you’ve had plenty of practice then Slack’s program can definitely pay off!
- Link: https://hackerone.com/snapchat
- Reward: $250 – $25,000
Snapchat’s program is similar to many others on this list (they don’t reward brute force attempts, most anything that requires physical access, social interactions with staff such as phishing, etc), except theirs specifies the specific areas that they’re most interested in seeing bugs for.
These areas (and the minimum payout for bugs found in these areas) are:
- Server-Side Remote Code Execution (e.g. command injection) – $15,000
- Remote Code Execution on Spectacles – $10,000
- Significant Authentication Bypass / Logic Flaw – $7,500
- Unrestricted File System Access (Server-side or Spectacles) – $5,000
- XSS or XSRF With Significant Security Impact – $2,000
So, if you fancy going for bugs in these categories specifically, Snapchat is worth checking out.
- Link: https://hackerone.com/spotify
- Reward: $250 – $3,000
Aside from having one of the best freemium conversion rates around, Spotify knows how to engage their audience. This includes their bug bounty program, with 387 reports resolved in just over the first two years of the program’s launch.
The main way they do this is by offering month-long promotions in different focus areas. For example, the bounty for June 10th – July 10th, 2019 was bugs affecting their premium accounts.
Reporting a bug in these areas during a promotion will nab you a bonus to your reward, ranging from 1.25x for low severity bugs to 1.5x for critical severity bugs.
Have any tips you’d like to share?
While the term “bug hunting” might conjure an image of some kind of bounty hunter racing others to grab the prize first at any cost, the truth is that the bug hunting community thrives on co-operation.
If it didn’t, new hunters wouldn’t be nearly as likely to stick around.
Saying that, if you take one piece of advice away from this post it would be to join in with the conversation and to share tips, experiences, and advice wherever you can. Everyone benefits from you doing so, and you may even learn something yourself during the conversation.
If you’re looking for more IT processes, check out some of the resources in the list below:
- Privileged Password Management
- Network Administrator Daily Tasks
- Network Security Audit Checklist
- Firewall Audit Checklist
- VPN Configuration
- Apache Server Setup
- Email Server Security
- Penetration Testing
- Inventory Management Process
- Network Security Management
- Client Data Backup Best Practices
- Computer Maintenance Guide
- Server Setup Process
- Virtual Private Server Setup
- IT Support Process
- Helpdesk Management
- Server Maintenance
- Server Security
- Information Security Incident Response
- SQL Server Audit Checklist
Why not start by sharing your experiences (good and bad) with bug hunting in the comments below? I’d love to hear from you.