Bug Bounty Programs

There are several companies offering "bug bounties" -- payments to people who find security bugs and report them responsibly.

I will update this page with links to the various bug bounty programs as I become aware of them. If you know of a program that is not linked here (or if something below becomes stale) please leave a comment below or send me a note. The notes below are a summary -- read the fine print in each program.

In no particular order:

  • Mozilla offers $500 to $3000 (plus a t-shirt!) for serious security bugs in Firefox, Thunderbird, or certain Mozilla web apps.
  • Facebook offers a "typical bounty" of $500 for responsible disclosure of security bugs (XSS, CSRF, injection, etc) on Facebook, not including third party applications.
  • Tarsnap, an open-source encrypted online backup service, pays a sliding scale of $1 for spelling errors in code comments to $1000 for "a bug which allows someone intercepting Tarsnap traffic to decrypt Tarsnap users' data".
  • Google's vulnerability reward program pays a base of $500, up to $3133.7, for "any serious bug which directly affects the confidentiality or integrity of user data" (e.g. XSS, CSRF, authentication, etc) on Google properties (youtube, orkut, *.google.com, etc).
  • Chromium has a vulnerability rewards program (sponsored by Google, of course) that pays a base of $500, up to $3133.7, for "High and Critical impact bugs".
  • Barracuda Networks has a Security Bug Bounty Program that pays $500 to $3133.70 for bugs "that compromise confidentiality, availability, integrity or authentication" in certain Barracuda products.
  • Piwik pays $500 for critical security bugs, and $200 for non-critical bugs.
  • Artifex has a bug bounty program for Ghostscript that does not appear to pay for reports, but does pay $1000 for patches that fix bugs in their tracker flagged P1 or P2 and "bountiable". They pay $500 for lower priority bug fixes.
  • One of the oldest programs I'm aware of is Donald Knuth's offer of $2.56 for reporting errors in his publications. (Note that he's no longer sending out checks due to problems with check fraud. Here, the intrinsic reward is worth more than the money anyway.)
  • Hex-Rays pays $3000 for security bugs in IDA or the Hex-Rays decompiler.
  • White Fir Design has a WordPress bug bounty that pays a sliding scale, from $50 for privilege escalation to $500 for remote execution of arbitrary PHP or malicious file injection in WordPress, and $50-$250 for bugs in plugins with one million downloads.
  • White Fir Design has a Drupal bug bounty that pays the same sliding scale as their WordPress program ($50-$500 for Drupal core code, $50-$250 for contributed modules).
  • TippingPoint's Zero Day Initiative pays for reports of vulnerabilities in third-party products. Whether they pay depends on how widely deployed the product is and on the severity of the vulnerability. Their program is designed to reward repeat vulnerability reporters. (E.g. if you report 10 bugs worth $1000 each, you get a $1000 bonus and a 10% bonus on all subsequent reports for a year.)
  • Harry Tenant and Associates pays $5 for bugs reported in School Site Manager.
  • Ricebridge offers $15 per bug reported in any of their products.
  • Microsoft is running a BlueHat Prize Contest from 2011-08-03 to 2012-04-01. It's a contest, not a bounty, and only two entrants will receive cash: $200k and $50k for first and second place, respectively.
Posted on 2011-11-17 by brian in misc.