A bug bounty program is a reward program that inspires you to find and report bugs. The main goal of the program is to identify hidden problems in a particular software or web application. Reporters get paid for finding more bugs to improve performance. There are several giant companies that run bug bounty programs for the betterment of software and websites.
Best Bug Bounty Programs
Generally, companies with high revenue run bug bounty programs to make more profit, enhancing the quality of their product. We have tried to highlight the top 20 bug bounty programs which run around the world by high-end companies.
1. Intel
Intel believes in collaboration to ensure the security of its product. Intel started the bug bounty program to encourage the security officers to research their products to know their faults and solve them as fast as they can. Also, it is open to the general public and accessible for everyone meeting some requirements.
- Intel takes global participation to find vulnerabilities and technical errors in their products and conducts this bug bounty program every year.
- Your age must be 18 years old, and if you are employed, you need to take your companies written approval for being eligible to participate in this program.
- Security researchers can perform any intel products that include a processor, chipset, network devices, SSD, and motherboards.
- You will need to submit a well-written report with all the logistic analytics and proof of concepts.
- Whenever you find a security bug in any intel products, be it hardware, firmware, or software, you can notify Intel through this program and work together to solve the issue.
2. Yahoo
Verizon Media maintains the bug bounty program of yahoo. Security researchers can report via Verizon Media if they find any kind of bug on yahoo. They need to check the policies of Verizon Media before reporting. As yahoo connects people in several fields of modern communication, it needs to be fluent, and so it needs to solve its problems found by the reporters.
Insights of this Program
- You can test vulnerabilities only against your account or against other accounts with the permission of the account holders.
- No researcher is allowed to be in any harmful and prejudicial activity to Verizon Media and its concerns and other users.
- No one is allowed to unwrap the vulnerabilities in public without Verizon Media’s permission.
- While submitting the report, reporters must include their IP address in it.
- Yahoo provides a reward for the reported bugs is up to $15000.
3. Snapchat
Privacy is mandatory for a company to get a positive reaction from its customers. Snapchat is a social site where random people connect themselves. So, the Snapchat authority took responsibility for the security of their users and launched their bug bounty program to solve every problem that can harm the application and the users.
Insights of this Program
- If you want the reward under the bug bounty program, you need to be the first person to report on a specific vulnerability.
- Precise details on a vulnerability and the steps to reconstruct it, and proofs are necessary to understand its riskiness.
- If you want to access their office data and their data center, you won’t qualify for the reward.
- Testing vulnerability is permitted only on personal account and not sighting data which belong to other users.
- The minimum reward they pay to the reporters for the reported bug is $250.
4. Dropbox
Dropbox is a remote server where one can store, manage, and process data rather than a personal computer. This site is a sensitive place because various kinds of personal data of people are stored here. So its security system needs to be high, and very few bugs should be found. Dropbox welcomes the security researchers to report if they find any virus on the application.
- Only a personal account is allowed to test a vulnerability. Being unpermitted, you cannot access or change other’s or the site’s data to examine.
- If you do research that seems interesting to the authority, you will get a bonus reward.
- Reporters who report from XSS will be accepted on subdomains of dropbox.com but won’t get any reward.
- If you violate the policy of the Dropbox bug bounty program, the authority will not set any case against you.
- The minimum value dropbox pay to the researcher for reporting is $216.
5. Facebook Bug Bounty Program
Facebook is the most popular social site. They try to ensure the highest security as most people nowadays use Facebook and share random things sensitive or insensitive through the Facebook bug bounty program. It’s hard to find every bug on their site instantly. So they welcome researchers to find bugs on their website and let them know it valuing some policies.
- Participation is prohibited by the Facebook authority if you communicate with another account without the permission of the owner.
- Facebook reserves the right to publish any report if they need it. All the rules and regulations are maintained strictly by the Facebook bug bounty program.
- Your report must describe one product or service from the list of bug bounty program scope.
- For the bug bounty program, Facebook doesn’t allow access to the user data of the company or any identifiable person.
- Except for the low-risk issues, Facebook pays a minimum reward of $500 to the reporters.
6. Google
Google considers its bug bounty program’s reward as an honor to the reporters for the reports they submitted and helped google to fix it. As they have different sectors to operate various types of fields, they need extra security; that’s why Google values the researchers so much because they can get enough bug reports to solve and make their platform more fluent. A huge volume of data is protected and kept in a safe hand as a part of the google bug bounty program.
- Google allows researchers to report if they find any bug that affects the privacy of their users and the company as well.
- If you can inject malicious codes in a website to integrate user data, you can report it to the google bug bounty program.
- Google does not allow any researcher to target the accounts of other users of it rather than his account.
- Google’s bug bounty program is only for the issues related to its design and its implementation.
- Google offers a minimum of $100 as bounty rewards.
7. Mozilla
Mozilla’s main target is to make the Internet a safer place. To do so, they ought to secure themselves first. If their security is not healthy, the data stored in their data center may be disclosed publicly, which will harmfully impact their site, and people will stop using their websites.
Insights of this Program
- Allows only adult people according to the constitution of a country or the permission of the guardian to participate in the bug bounty program.
- Prefers to use a personal account for security research to avoid unsuspected access and management of data of users or Mozilla.
- Mozilla only allows fresh and unreported bugs in the bug bounty program.
- Prefers only “sec-critical” or “sec-high” and sometimes “sec-moderate” bugs determined by the bounty committee.
- Mozilla Bounty Committee takes the final decision in the bug bounty program evaluating the terrible effect of the bug.
8. Microsoft
Microsoft believes that security investigators have a significant role in the scheme of the Internet. As they find out security issues to make the Internet a safer place, Microsoft bug bounty is where they can submit reports. They also believe that a customer’s security depends on the partnership between the authority of a company and a security researcher. They offer a great incentive as bounty rewards also.
- Prioritizes the submissions containing steps to reproduce the vulnerability, which fastens them to reach the problem and pays a higher reward.
- Microsoft will still offer a reward to researchers if they find a bug that has already been noticed by Microsoft before.
- To secure the customers, Microsoft appreciates researchers inform the authority about any vulnerability before disclosing publicly.
- It prefers researchers not to harm any privacy of neither their users nor their company.
- Microsoft’s minimum bug bounty program reward is $15000.
9. Vimeo
Every company wants a one hundred percent safe, secure, and user-friendly website. The workers work hard to achieve this 100% safety. Vimeo is one of the biggest video platforms where millions of videos are available, and the number is frequently increasing. Vimeo authorities work hard to ensure that the videos on their site are safe and the user accounts are also secure.
Insights of this Program
- Vimeo checks the reports on vulnerability in manifold levels to be ensured the danger of vulnerability.
- In the report, Vimeo prefers the steps of reproducing the reported bug.
- As Vimeo’s basic accounts are free, Vimeo prohibits the researchers not to run a risk to use any other user’s data.
- Vimeo will publicly disclose any vulnerability if the original reporter requests, but the bug must be resolved first.
- Under the bug bounty program, Vimeo rewards a minimum of $500 and a maximum of $5000 for the researcher’s excellence.
10. Twitter
Twitter believes in a community effort. They thank the researchers who serve their valuable time in finding vulnerabilities in Twitter. The researchers intentionally or unintentionally keep Twitter safe. To honor the contribution to safety and security, Twitter rewards the reporters a huge volume of bounty rewards under their bug bounty program.
Insights of this Program
- Twitter counts the first reporter of any vulnerability to give rewards.
- Strictly prohibits any attempt from accessing the data of their users and twitter’s data center for security research purposes.
- Will dismiss a report if they find it violating their rules.
- If a person tries to mimic a user by falsing data to search for bugs, the person won’t be qualified for either the reward program or as a reporter.
- The minimum value Twitter pays for the bug bounty program is $140.
11. Avast Bug Bounty Program
Avast is an antivirus protection for a computer. As it ensures the safety of a virus attacking a network, Avast itself needs to be secure and safe. Avast depends on the security researchers for their safety. To inspire the researchers to research their site and product, Avast runs a bug bounty program where reporters are rewarded with money.
- Accepts bug reports that contain enough details about the bug, steps of reproducing it, and how it is harming.
- Bugs in the latest version of any Avast products are considered for the bug bounty program.
- Avast prioritizes the first reporter if there are two persons to report on the same bug.
- Fixation may take time, depending on the bugs. Researchers will be paid after the fixation of the bug.
- The reward value starts from $400, and it may go higher based on the bugs. The highest rewards are paid for remote code execution bugs, which is $6000 to more than $10000.
12. Paypal
Paypal is a payment gateway system that simplifies the payments between people. Every Paypal account is connected to a credit card that raised the thought of safety and security to the authority. As Paypal works with money and payments, it is more important to make their site safe and secure to keep people’s money safe and make the company reliable to their customers.
Insights of this Program
- The reporter must be older than 14 years old or permission of a guardian to report at the age of 14.
- Details, videos, screenshots, traffic logs, email addresses, IP addresses from which the vulnerability was checked must be included in the report.
- To qualify for the reward program, the reporter must be the first person to report on the bug, maintaining the terms. Also, the PayPal security team needs to determine the vulnerability.
- Participators of the bug bounty program are rewarded with the minimum amount of $50 as bounty rewards.
- After ensuring the vulnerability, partial bounty amount, and after fixing the problem, an additional bounty amount is given to the researcher.
13. Starbucks
Starbucks is an American coffeehouse corporation that is now available in many countries. As it is now a chain corporation, the authority needs to take extra care of its site. Customers are the priority for all companies, and so Starbucks. They don’t want their data or customer’s information to get harmed by any malware.
Insights of this Program
- Intentional harm to the usability, attempt to access and change the user data, unwrapping the vulnerability before the authority prohibits Starbucks checks.
- First reporters to report on any vulnerability are always prioritized, and they are eventually rewarded with bounty rewards.
- Starbucks restricts the participation of any person from their partners in their bug bounty program.
- Prefers the steps of reproduction of the vulnerability in the report.
- The minimum reward for the researchers is $100, and the maximum is up to $4000 depending on the danger of the virus.
14. Shopify
Shopify is an e-commerce website where one can buy and sell any products online. To make the site more fluent for its customers, Shopify needs to know if there is any bug restricting the smooth usage of its website. Shopify rewards the reporters under the bug bounty program, which they call the Whitehat program.
Insights of this Program
- Shopify tries to reach every reporter on one working day and tries to check and sort out the vulnerability within two days.
- Within seven days of fixation of the problem, authority tries to reward the reporters.
- Before solving, revealing the vulnerability publicly is prohibited.
- Interaction with other shops rather than your shop will lead you to be ineligible from the bug bounty program.
- Minimum bounty rewards of their Whitehat program are $500, and it is to motivate researchers.
15. WordPress
WordPress is a website-creating platform or content management system through which millions of websites have been created already, and the number is increasing rapidly. As websites contain a lot of sensitive information that should not be disclosed, so WordPress needs a proper security system as it includes billions of data from various sites. Security researchers help them silently finding the omission on the website.
- The reporter must need to be the first person to report on the bug.
- WordPress takes the comment of reporters if the reported bugs get fixed but not liked by the reporters.
- WordPress welcomes researchers to discuss with the authority if they get confused, thinking if they have found a bug or not.
- WordPress developers confirm the availability of a reported bug and give an opinion about whether it needs to be fixed or not.
16. Zomato Bug Bounty Program
Zomato is a platform created by two Indians where one can search for restaurants and all other information such as the menu, user review, etc., all over India. Zomato welcomes security researchers to research on their website to fluidify their site to the users. Vulnerabilities slowed the site, and users find it irritating to use a slow web application.
Insights of this Program
- Only owned accounts and other accounts with the account holder’s permission can be used for vulnerability checks.
- Rewards are provided according to the level of danger of bugs determined by the security team of Zomato.
- Public disclosure of the vulnerability before the company resolves it will result in disqualification from the bug bounty program.
- The reward Zomato pays to any researcher is up to $2000 and not less than $150.
17. Netflix
Netflix is an entertainment platform that gives enjoyment to people all over the world. Their responsibility to ensure the security of their members and company authorities. They are attached to the security community for the last five years to know about the vulnerabilities on their site and application. They pay a high reward for the contribution of researchers and also to encourage them.
Insights of this Program
- Netflix strictly embargoes the testing if any researcher accidentally enters user data or Netflix’s data.
- Prefers screenshots, videos, or any other necessary files in the report. But submission should be done through bug crowd and not using any other site.
- Researching out of scope will result in disqualification from the bug bounty program.
- For noxious acts on user experience for research purposes, the researcher will be disqualified.
- The minimum reward under their bug bounty program is $200, and for critical bugs, researchers will be paid a $2000 reward and sometimes more.
18. Paytm
Paytm is a payment gateway platform where people can transfer money to one another. As it makes transactions of money, so security must be ensured by the authority. They always keep in touch with the security researchers and appreciate their work on finding bugs on their website, making their site and system more safe and secure. To recognize their contribution, Paytm pays a reward to the researchers for their hard work.
Insights of this Program
- You can only use your account for the research and not use other’s accounts or user data.
- Prefers attribute codes or screenshots in the report of any vulnerability.
- Paytm sometimes provides digital certificates over monetary rewards.
- The minimum reward for the bug bounty program is 1000 INR, which is equivalent to almost $14.
- Paytm will decide when and how they will fix the bug.
19. Coinbase Bug Bounty Program
Coinbase is a platform for exchanging cryptocurrency. Exchange of any currency anywhere needs to be smooth, safe, and secure. This is why Coinbase values the relationship between security researchers and the company. Researchers work real hard to find the virus in a site and let the company know about that. By fixing the bug, companies step up to the next level of modification, and so Coinbase.
- Fraudlentary to the customers for the sake of their own research purpose will result in disqualification.
- Rewards under the bug bounty program are given to the reporters based on the danger of the vulnerability.
- The report should have the step by step process to reach the vulnerability. This way is more comfortable for the security team to fix the bug.
- The minimum award is $200, and the maximum award is $50000 paid by Coinbase to the reporters.
20. Grab
Grab is a ride-sharing web application through which people can hire a car for their transportation. A ride-sharing web application contains many user data that should not be disclosed. It may cause harm to the users of the web application. Grab has the faith that there are security researchers who may help them find out the bugs on their website. Grab rewards them for their contribution.
Insights of this Program
- Reporters need to be the first person to report on a particular vulnerability.
- The description, along with steps of reproducing the virus, is necessary to submit a report. There should be a screenshot and attribute code in the report if available.
- Grab pays reward according to the danger level of the vulnerability, which is determined in their reward meeting.
- If there is one report on a single vulnerability but can be fixed multiple vulnerability system when fixing the reported one, Grab counts it as one vulnerability.
- Pays up to $10000 and not less than $200 for a single bug in the bug bounty program.
Finally, Insights
To keep the Internet a safe place, the bug bounty program is helpful. To participate in any bug bounty program, one should always keep in mind that they need to be the first to find a specific vulnerability and report it to the company following the policies of the company. Violation is never considered; it is strictly prohibited. And companies should not make fraudulent about the reward program. Because reward programs always encourage people and motivate them to work with spirit. The more faith increases, the safer the Internet becomes.