It was presented as a program that rewards users who help Netscape find and report bugs in the beta versions of Netscape Navigator 2.0, and the concept of a bug bounty program has remained almost the same to this day. There must be something in that simplicity that has made bug bounty programs rocket in popularity over the past few years.
Rising popularity of bug bounty programs
Two decades after Netscape's effort and amid growing privacy and security concerns, bug bounty programs are commended as an effective way for organizations to find and fix bugs in their applications before cyber criminals exploit them. The appeal of financial rewards, fame and recognition draws researchers, hobbyists, full-time hunters and newcomers alike. As an opportunity to earn side income, showcase skills when job hunting and gain real-world experience, bug bounty programs offer something for everyone.
Tech giants such as Facebook, Google, Microsoft and Apple are at the forefront, but they're not the only ones tapping into crowd-powered security. Today, bug bounty programs range greatly in scope and size, span many industries beyond technology, and even include government agencies. With such growing popularity, participating security researchers have good chances of earning money and recognition in the community, and even of making it into the mainstream media.
COVID-19 has changed the digital security landscape, and there have been palpable changes in the bug bounty sphere as well. As reported by HackerOne, researchers on their platform earned a record $40 million in 2020. Other bug bounty platforms also report a dramatic increase in bug submissions over the previous year.
Bug bounty platforms
When it comes to bug bounty programs, organizations can set up their own from scratch and manage them internally, with bugs submitted to them directly. There are also third-party bug bounty platforms that provide the infrastructure for organizations to set up programs while giving researchers a clear, managed way to submit vulnerabilities and get rewarded. Among the most prominent bug bounty platforms in 2021, some well-established and some fresh in the field, listed in no particular order, we have:
Intigriti is Europe's number-one bug bounty platform and one of the leading crowdsourced security companies. Growing rapidly in popularity, Intigriti connects a network of over 30,000 researchers with organizations across the world, resulting in more than 200 active programs at the time of this writing. Embracing the power of the crowd, Intigriti provides an open and educational environment for researchers and beginners through its newsletters, articles, write-ups and proofs of concept (PoCs). A welcoming community of researchers is what sets Intigriti apart and will only push it further as a bug bounty platform to watch.
To learn more about Intigriti's philosophy, how they came to be, the secrets behind their community-building efforts and other company tidbits, check out our interview with their CEO Stijn Jans and Head of Hackers Inti De Ceukelaire.
Bugcrowd is one of the first companies to embrace crowdsourced security as its business model. Founded in 2011, it's also one of the longest-standing bug bounty platforms, as well as one of the most popular, with a highly recognizable name in the community. Bugcrowd has a model that combines a traditional pentest with crowdsourced bug bounty programs, making it one of the more innovative bug bounty platforms out there.
Most of the bug bounty programs on Bugcrowd are managed by their own team of experts, meaning bugs are triaged and validated quickly, which is only one aspect of the platform that attracts top talent. For their “crowd”, Bugcrowd carefully curates and vets security researchers from all over the world and puts them in front of top companies looking to assess their security posture. Not only do their researchers have the opportunity to work on systems of some of the world’s largest companies, they also get to be a part of Bugcrowd’s active and vibrant community.
HackerOne has been one of the largest and most popular bug bounty platforms for several years now. Popular with both researchers and companies, it boasts a community of over 600,000 ethical hackers and a clientele that includes many Fortune 500 companies as well as several US government agencies. With over 1,700 programs from the likes of Google, PayPal, Hyatt, Twitter, GitHub, Nintendo, Microsoft, Starbucks, Dropbox and Intel, over $80 million has been awarded in bounties through HackerOne.
Their widely known live-hacking events around the world and their support for the open source community through HackerOne Community Edition (a free version of their bounty program for open source projects) make them a respected brand and the public face of bug bounty hunting.
YesWeHack is a European bug bounty and vulnerability disclosure platform. With its focus on strict privacy and data protection regulations, YesWeHack saw impressive growth throughout 2020, serving many European startups and larger organizations. Some of the more notable programs on YesWeHack are OVH, Dailymotion, BlaBlaCar and Qwant. Its ranking system and assessment of researchers on the platform ensure that the best talent is there to help organizations protect their valuable assets.
Recently, they launched the YesWeHack Dojo platform, a training program featuring beginner courses and challenges. There's also the Playground, with weekly challenges and contests that target specific vulnerability classes and award goodies to the winners.
Now for the youngest and most unusual bug bounty platform on our list, Huntr by 418sec. Open source projects have vulnerabilities, and the growing dependency on open source code means those vulnerabilities need to be addressed. That's why Huntr was launched in early 2020 as a bug bounty board for securing open source code, where users can find and fix vulnerabilities and be rewarded for it. Huntr works with organizations on the open source projects they depend on; vulnerabilities are turned into bounties and shared with the community so the issues get resolved.
As a very young project, Huntr is still on its way toward gaining widespread recognition, but it has already caught the eye of the bug bounty community—and should definitely be on your radar in 2021.
The most popular bug bounty programs
To help you sharpen your skills, challenge yourself and even earn something, take a look at our curated list of the best and most popular bug bounty programs of 2021:
Running since 2017, Intel's bug bounty program targets their hardware (microprocessors, chipsets, memory, SSDs), firmware (BIOS, motherboard) and software (applications, tools, drivers). Out of scope are Intel's web infrastructure, such as websites owned and/or operated by Intel, their freeware applications, open source projects and anything related to Intel's former subsidiaries (such as McAfee and Wind River). Intel's bug bounty rewards range from $500 to $100,000. A relatively new program, Intel's bug bounty is worth watching after the company paid more than $1 million in bounties across 2019 and 2020.
As befits one of tech's true giants, the rewards and payouts in Microsoft's bug bounty program are… giant. Microsoft targets several different areas: cloud programs with a bounty range of $15,000 to $100,000, platform programs that include the highest offered bounty of up to $250,000 (for critical vulnerabilities in Hyper-V), and defense and grant programs with bounties ranging from $75,000 to $100,000. While each program is unique in scope, some submissions are generally not eligible for Microsoft bounty awards, such as reports based only on automated scans and tools, social engineering and physical attacks. Competitive, yes, but the lucrative rewards will likely keep Microsoft's bounty program popular in 2021.
Having attracted hundreds of researchers, GitHub's bug bounty program has been around since 2013. The targets of this program are core GitHub services, GitHub Enterprise Server and Enterprise Cloud, first-party clients for accessing GitHub, infrastructure owned and operated by GitHub, and other GitHub services such as Education, Learning Lab, Jobs and LGTM. Researchers can expect awards ranging from $617 for low severity issues up to $30,000 or more for critical severity issues. Besides paying researchers, GitHub makes it fun by awarding points for each vulnerability, with the highest-scoring researchers featured on a leaderboard.
PayPal's bug bounty program is a relatively recent arrival on HackerOne, launching in 2018 but quickly becoming one of the most popular and active programs on the platform. With more than $5 million paid out in bounties and 868 reports submitted in the first three months of 2021, PayPal's program should be on your radar if it isn't already. Besides PayPal itself, its scope includes Venmo, Xoom, Braintree Payments and Hyperwallet. Out-of-scope findings for web applications include man-in-the-middle attacks, social engineering, DoS, and infrastructure issues such as SSL certificates, DNS configuration and server configuration. The minimum payout in PayPal's bounty program is $50 and the maximum is $20,000 for critical issues.
Snapchat's is a straightforward bug bounty program, as they clearly state what they are most interested in. If you want to hunt for these specific vulnerability classes, Snapchat's program is a great option, with rewards starting at a minimum of $500 and going all the way up to $250,000 as their highest awarded bounty. The vulnerabilities they specifically want are server-side remote code execution, remote code execution on Spectacles, significant authentication bypasses or logic flaws, unrestricted file system access (server-side or on Spectacles), and XSS or CSRF with significant security impact.
Shopify's Whitehat program focuses on supporting the community and rewarding security researchers for discovering vulnerabilities in their core application. They state that their team will reply to all reports within one business day and triage within two business days, and that a valid bounty report will be paid within seven days of triage. Sound interesting? In Shopify's program you can hunt for vulnerabilities in Shopify Core, which includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. An amusing entry among their out-of-scope domains is spotify.com; they had to spell out that they are Shopify, not Spotify.
In 2020, GitLab celebrated their first million dollars paid in bounties through their program on HackerOne. Now they're already at $1.5 million. The code hosting platform's bug bounty program went live on the H1 platform in 2018 and rose in popularity quickly; in 2020 alone, GitLab received 1,070 reports from 505 security researchers. What makes them so popular is their involvement in the program and engagement with the community through monthly program reports, shoutouts to the month's high earners and critical bug contributors, and the well-loved swag awards featured in their numerous hacking contests. GitLab also has one of the fastest response times among HackerOne programs, responding to researchers and their bug reports within an hour. In scope are all GitLab products unless explicitly stated otherwise. Out of scope, among other things, are the usual social engineering, MitM attacks and automated scanning. Bounty rewards start at $50 for low severity issues and climb all the way to $20,000 for critical bugs.
Year after year, Google outdoes themselves with the amount paid in bounties. In 2020, they paid more than $6.7 million in bug bounty rewards to 662 researchers for vulnerability reports on Google products. They've also been in the game for a while, running the Google Vulnerability Reward Program since 2010. Their minimum payout starts at $100, and the maximum of $31,337 is reserved for remote code execution vulnerabilities; the tier depends on whether the affected application permits taking over a Google account, is otherwise sensitive, or is a normal Google application. Google also runs numerous other bug bounty programs, with the Chrome and Android VRPs being their most popular in 2020. As an educational resource, Google's Bug Hunter University was created by their security team for members of the hunter community, and offers sample vulnerability reports and valuable knowledge for beginning bug bounty hunters.
Verizon Media tops HackerOne's list of the most active and successful programs hosted on the platform, with more than $20 million in bounties paid since the program's start in 2014. It also leads the statistics on bug reports resolved, currently standing at over 9,000. The top bounties offered by Verizon Media's bug bounty program range from $6,000 to $40,000 for bugs such as buffer overflows, remote code execution, XXE, code injection and SQL injection, among other high and critical severity issues. Low severity bugs such as confidential information exposure, subdomain takeover and CSS injection can earn bounties ranging from $100 to $500.
Mentioning Uber's bug bounty program wouldn't be complete without looking back at the controversial alleged cover-up of an extortion payment, which was made to look like a bug bounty reward. It made headlines back in 2017, and while Uber came under scrutiny for it, their bug bounty program continues to attract researchers looking for vulnerabilities that could put the data of Uber's users and employees at risk. An active program, Uber has paid more than $2 million in bounties since its start in 2014. They use a hybrid reward model in which the $500 minimum bounty is paid at time of triage and the remainder is paid at resolution. The top bounty range is $4,000 to $50,000. Out of scope in Uber's program are fraud reports, vulnerabilities in acquired or divested companies, most social engineering, and numerous issues with negligible security impact. They have, however, updated their program after the extortion fiasco and urge researchers to act in good faith when investigating and reporting vulnerabilities.
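Every program above draws a line between in-scope and out-of-scope assets, and reports against excluded hosts (Intel's websites, Uber's acquired companies, Shopify's spotify.com lookalike) are rejected outright. A hunter who enumerates subdomains therefore needs to filter the results against the program's scope before testing anything. The following is an added example, not code from any of the platforms or programs described on this page; the scope patterns and the enumerated host names are constructed for illustration, not taken from a real program's policy. It shows the one check that sloppy filtering gets wrong: a wildcard such as `*.example.com` must keep the dot boundary, so that `notexample.com` is not treated as in scope, and explicit exclusions must override the wildcard.

```python
"""Filter enumerated hosts against a bug bounty program's scope rules.

Hypothetical scope data: the patterns and host names below are constructed
for this example and are not any real program's policy.
"""


def _normalize(name: str) -> str:
    """Lowercase and strip a trailing dot so 'API.Example.COM.' == 'api.example.com'."""
    return name.strip().lower().rstrip(".")


def host_matches(pattern: str, host: str) -> bool:
    """Return True if host is covered by a single scope pattern.

    '*.example.com' covers any host ending in '.example.com' (at any depth),
    but not the apex 'example.com' itself and not look-alikes such as
    'notexample.com'. A pattern without a wildcard matches only that exact host.
    """
    pattern, host = _normalize(pattern), _normalize(host)
    if pattern.startswith("*."):
        suffix = pattern[1:]          # ".example.com": keeping the dot is the boundary check
        return host.endswith(suffix)  # 'notexample.com' does not end in '.example.com'
    return host == pattern


def classify(host: str, in_scope, out_of_scope) -> str:
    """Classify one host as 'in', 'out' or 'unknown'. Exclusions take priority."""
    if any(host_matches(p, host) for p in out_of_scope):
        return "out"
    if any(host_matches(p, host) for p in in_scope):
        return "in"
    return "unknown"


def filter_targets(hosts, in_scope, out_of_scope) -> dict:
    """Bucket enumerated hosts by scope verdict, deduplicated and sorted."""
    buckets = {"in": set(), "out": set(), "unknown": set()}
    for h in hosts:
        buckets[classify(h, in_scope, out_of_scope)].add(_normalize(h))
    return {k: sorted(v) for k, v in buckets.items()}


# Constructed example scope (hypothetical, not a real program's policy).
IN_SCOPE = ["*.example.com", "accounts.example.com", "partners.example.com"]
OUT_OF_SCOPE = ["staging.example.com", "*.corp.example.com", "example-support.com"]

# Constructed subdomain enumeration output, including a look-alike domain
# and an apex that the wildcard alone does not cover.
ENUMERATED = [
    "api.example.com",
    "Accounts.Example.COM.",
    "staging.example.com",
    "vpn.corp.example.com",
    "notexample.com",
    "example.com",
    "help.example-support.com",
]

if __name__ == "__main__":
    for verdict, names in filter_targets(ENUMERATED, IN_SCOPE, OUT_OF_SCOPE).items():
        print(f"{verdict:8} {names}")
```

Only the `in` bucket should ever be touched; `unknown` hosts are not fair game just because they are not explicitly excluded, and the apex `example.com` stays out unless the program lists it separately from the wildcard.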
Honorable mention: The U.S. Department of Defense’s Defense Digital Service (DDS)
The U.S. Department of Defense's Defense Digital Service (DDS) paired up with HackerOne in 2016 to present the Hack the Pentagon bug bounty pilot, which exceeded all expectations. And how could it not? Security researchers got the chance to uncover vulnerabilities in the Defense Department's own public-facing websites. DDS has since launched more federal bug bounty programs, including Hack the Army, Hack the Air Force, Hack the Air Force 2.0, Hack the Defense Travel System, Hack the Army 2.0, Hack the Air Force 3.0, Hack the Air Force 4.0, Hack the Proxy and Hack the Marine Corps. In January 2021, Hack the Army 3.0 was launched, tasking participating researchers with uncovering security vulnerabilities in computer systems used by the military. That program closed on February 17, 2021, which is why it appears here as an honorable mention; which part of the U.S. Department of Defense the community will get to hack in the next round remains to be seen.
Gain a competitive edge when hunting
Perform full domain and subdomain enumeration in seconds, reveal the hosts behind any target, and discover every associated domain of an organization. It's never been easier to cross-relate domain data for bug bounty hunting: our Bug Bounty Hunter's Toolkit gives hunters an edge with powerful data resources, and it's currently offered at a 50% discount. This promotional price is available until the end of Bug Bounty Hunting Month, on April 15.
Don’t miss out on grabbing your toolkit. Gain your own competitive advantage when submitting reports to bug bounty programs!