Bug Bounty Programs in 2018 – Top 15

A bug bounty program, also called a vulnerability rewards program (VRP), is a crowdsourcing initiative that rewards individuals for discovering and reporting software bugs. Bug bounty programs are often initiated to supplement internal code audits and penetration tests as part of an organization’s vulnerability management strategy.

Many software vendors and websites run bug bounty programs, paying out cash rewards to software security researchers and white hat hackers who report software vulnerabilities that have the potential to be exploited. Bug reports must document enough information for the organization offering the bounty to be able to reproduce the vulnerability. Typically, payment amounts are commensurate with the size of the organization, the difficulty of hacking the system and how much impact on users a bug might have.

Here is a selected list of bounty programs by reputable companies:

  • Intel

Intel’s bounty program mainly targets the company’s hardware, firmware, and software.

Limitations: It does not include recent acquisitions, the company’s web infrastructure, third-party products, or anything relating to McAfee.

Minimum Payout: Intel offers a minimum amount of $500 for finding bugs in their system.

Maximum Payout: The company pays a maximum of $30,000 for detecting critical bugs.

Bounty Link: https://security-center.intel.com/BugBountyProgram.aspx


  • Yahoo

Yahoo has a dedicated team that accepts vulnerability reports from security researchers and ethical hackers.

Limitations: The company does not offer any reward for finding bugs in yahoo.net, Yahoo 7, Yahoo Japan, Onwander and Yahoo-operated WordPress blogs.

Minimum Payout: Yahoo has no set minimum payout.

Maximum Payout: Yahoo can pay $15000 for detecting important bugs in their system.

Bounty Link: https://safety.yahoo.com/Security/REPORTING-ISSUES.html


  • Snapchat

Snapchat’s security team reviews all vulnerability reports and acts on them under responsible disclosure. The company will acknowledge your submission within 30 days.

Minimum Payout: Snapchat will pay a minimum of $2000.

Maximum Payout: The maximum they will pay is $15,000.

Bounty Link: https://support.snapchat.com/en-US/i-need-help


  • Cisco

Cisco encourages individuals or organizations that are experiencing a product security issue to report it to the company.

Minimum Payout: Cisco’s minimum payout amount is $100.

Maximum Payout: The company will pay a maximum of $2,500 for finding serious vulnerabilities.

Bounty Link: https://www.cisco.com/c/en/us/about/security-center/security-vulnerability-policy.html


  • Dropbox

Dropbox’s bounty program allows security researchers to report bugs and vulnerabilities through the third-party service HackerOne.

Minimum Payout: The minimum amount paid is $12,167.

Maximum Payout: The maximum amount offered is $32,768.

Bounty Link: https://www.dropbox.com/help/security/report-vulnerability


  • Apple

When Apple first launched its bug bounty program it allowed just 24 security researchers. The framework then expanded to include more bug bounty hunters.

The company will pay $100,000 to those who can extract data protected by Apple’s Secure Enclave technology.

Minimum Payout: Apple Inc. has not fixed a minimum amount.

Maximum payout: The highest bounty given by Apple is $200,000 for security issues affecting its firmware.

Bounty Link: https://support.apple.com/en-au/HT201220


  • Facebook

Under Facebook’s bug bounty program users can report a security issue on Facebook, Instagram, Atlas, WhatsApp, etc.

Limitations: There are a few security issues that the social networking platform considers out-of-bounds.

Minimum Payout: Facebook will pay a minimum of $500 for a disclosed vulnerability.

Maximum Payout: There is no upper limit fixed by Facebook for the Payout.

Bounty Link: https://www.facebook.com/whitehat/


  • Google

All content on google.com, Blogger and youtube.com is open to Google’s vulnerability rewards program.

Limitations: This bounty program only covers design and implementation issues.

Minimum Payout: Google will pay a minimum of $300 for finding security threats.

Maximum Payout: Google will pay the highest bounty of $31.337 for normal Google applications.

Bounty Link: https://www.google.com/about/appsecurity/reward-program/


  • Quora

Quora offers its bug bounty program to all users and researchers to find and report security vulnerabilities.

Minimum Payout: Quora will pay a minimum of $100 for finding vulnerabilities on their site.

Maximum Payout: The maximum payout offered by this site is $7000.

Bounty Link: https://engineering.quora.com/Security-Bug-Bounty-Program


  • Mozilla

Mozilla rewards vulnerability discoveries by ethical hackers and security researchers.

Limitations: The bounty is offered only for bugs in Mozilla services, such as Firefox, Thunderbird and other related applications and services.

Minimum Payout: The minimum amount given by Firefox is $500.

Maximum Payout: The company pays a maximum of $5000.

Bounty Link: https://www.mozilla.org/en-US/security/bug-bounty/


  • Microsoft

Microsoft’s current bug bounty program was officially launched on 23rd September 2014 and deals only with Online Services.

Limitations: The bounty reward is given only for critical and important vulnerabilities.

Minimum Payout: Microsoft is ready to pay $15,000 for finding critical bugs.

Maximum Payout: The maximum amount can be $250,000.

Bounty Link: https://technet.microsoft.com/en-us/library/dn425036.aspx


  • OpenSSL

The OpenSSL bounty allows you to report vulnerabilities using secure email (PGP key). You can also report vulnerabilities to the OpenSSL Management Committee.

Minimum Payout: The company pays a minimum bounty reward of $500.

Maximum Payout: The highest amount given by the company is $5000.

Bounty Link: https://www.openssl.org/news/vulnerabilities.html


  • Vimeo

Vimeo welcomes reports of security vulnerabilities in its products, and the company pays good rewards to the person reporting them.

Minimum Payout: The company will pay a minimum of $500.

Maximum Payout: The maximum amount paid by this company is $5000.

Bounty Link: https://vimeo.com/about/security


  • Apache

Apache encourages ethical hackers to report security vulnerabilities to one of their private security mailing lists.

Minimum Payout: The minimum payout amount given by Apache is $500.

Maximum Payout: This company can give a maximum reward of $3000.

Bounty Link: https://www.apache.org/security/


  • Twitter

Twitter allows security researchers and experts to report possible security vulnerabilities in its services. The company encourages people to find bugs.

Minimum Payout: Twitter pays a minimum of $140.

Maximum Payout: The maximum amount paid by the company is $15000.

Bounty Link: https://support.twitter.com/articles/477159


