Penetration testing

Top 6 bug bounty programs for cybersecurity professionals

Graeme Messina
January 19, 2022 by
Graeme Messina

Software is a massive industry worldwide, and organizations spend billions of dollars a year to make sure that they have the latest and greatest solutions. This means that software companies have to ensure that their products are safe and secure to use. Companies only have a finite set of resources to direct towards vulnerability research and bug hunting, and extra help is needed. 

To accomplish this, some organizations have implemented bug bounty programs. These secure portals allow security researchers to submit vulnerabilities when discovered. Each bug bounty initiative is unique, and each one offers its rewards for finding a security issue. 

Bug bounty aggregators have become a popular choice for companies and cybersecurity researchers alike. They provide a central location with multiple companies and bugs available. This saves a lot of manual work trying to discover bugs and correspond with the company you are trying to assist with.

Earn two pentesting certifications at once!

Earn two pentesting certifications at once!

Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.

How do bug bounty programs work?

You need to understand how bug bounty programs work before applying for one. In general, bug bounty programs operate differently across companies, but they follow roughly the same flow.

Companies will announce that they are running bug bounty programs centered around a certain software product or group of products. Additionally, sometimes they will discuss the program's goals and its scope.

The program may exclude certain bugs, so you won't get rewarded for finding bugs outside of those specified. Depending on its significance, you might be able to submit the bug via a separate company channel if it poses enough risk. 

You will be rewarded for specific software vulnerabilities; for instance, the company may want you to test logging into the system, elevating permissions within the application, or any other areas requiring testing.

Depending on the vulnerability found, rewards may differ in financial value. Other terms will be outlined. As part of the bug bounty program, you will be shown how to report the flaws that you find. Templates are usually provided to entrants. These are formatted in an order that makes it easier for the company to read all of the reported bugs that they receive. 

Examples of Bug Bounty companies 

1. Bugcrowd

Bugcrowd fancies itself as a tool that helps security researchers find vulnerabilities that other security tools often miss. They can do this by using a series of teams that are matched with projects according to their skills, experience and availability.  

As a security researcher keen to find paying gigs, you can find a signup page here. Unfortunately, there is no information about the average amounts that Bugcrowd pays on the site, but this blog post covers many of the FAQs about payments.

2. Yes We Hack

Yes We Hack is another bug bounty program that you can use to find bugs. They have a novel approach of rewarding those who submit good reports, helping other hackers learn how to find flaws within products and applications. Yes, We Hack has an extensive list of software applications that are part of its bug bounty program, and the company will apply your name to any bugs that are found.

A lot of the content on their blog is dedicated to getting started with their program and finding vulnerabilities. Some of their conditions are that a security researcher who finds a vulnerability must be the first to report it, and they should do so through this we You can also sign up and find a list of the bounties available on their site. 

You'll need clear evidence of your findings (screenshots or code) along with instructions for reproducing them to qualify for a bounty.

3. Open Bug Bounty

Security researchers can find vulnerabilities independently and then report the issue to Open Bug Bounty. They will then contact the compromised resource owner and then facilitate a conversation between parties. From there, the security researcher will deal directly with the site or application owner.

The owner of the compromised resource may show their gratitude to the security researcher in any way they see fit, which is optional. This means that they are not obligated to pay or even thank you for your work— although positive communications are encouraged by Open Bug Bounty. If you would like to check out more details about this project, you can find their brochure here.

Companies that offer Bug Bounty programs

Three of the biggest tech companies in the world also offer bug bounty programs: Google, Microsoft and Apple. These represent a good starting ground for those looking to get started with security research and bug hunting.

4. Apple

Apple offers a bug bounty program called the Security Bounty Program. It outlines five different categories of vulnerabilities, with different values assigned to each depending on its severity to the user and Apple.

iCloud vulnerabilities start at $100,000, and network attacks without user interaction can fetch a cool $1,000,000. The list of security bounties are:

  • iCloud
  • Device attack via physical access
  • Device attack via user-installed apps
  • Network attack with user interaction
  • Network attack without user interaction

Bounty payments are determined by how much access or execution is gained in the exploit. If someone finds an issue, they get paid according to what level of risk the vulnerability exposes. The level of detail in your submitted report will also change how much you get paid for your discovery.

All security reports with a major impact on users will be looked at for bounty payments even if they are not in one listed category. Bounty payments are decided by Apple and can be for any amount that Apple decides on itself.

5. Microsoft

Microsoft is another prominent company that runs a bug bounty program. Microsoft has categorized its bug bounty offerings by platform. This includes:

  • Cloud programs
  • Platform programs
  • Defense and grant programs

The bounties on offer are quite substantial, starting at $15,000 for lesser security flaws in Microsoft.NET and ElectionGuard, and $250,000 for Hyper-V remote execution bugs.

If your research doesn't qualify for a bounty, there is a consolation prize: Microsoft acknowledges all research in their Researcher Recognition Program which can be found here

6. Google

Google has a program to reward people who find problems with their websites. The program started in November 2010, and any Google-owned or Alphabet (Bet) subsidiary service that handles sensitive user data is in the scope. it covers the following Google properties:

  • *
  • *
  • *
  • *
  • *
  • *

The Google range of bounties is a bit more modest than Apple or Microsoft's, with some starting as low as $100, and they go as high as $31,337. A complete list of vulnerabilities that they look for include:

  • Cross-site scripting
  • Cross-site request forgery
  • Mixed-content scripts
  • Authentication or authorization flaws
  • Server-side code execution bugs

For a vulnerability to qualify, it needs to be submitted with an attack plan, so discovering a potential problem is not enough to get a reward. You need to know how to exploit the vulnerability. This also means you cannot submit a vulnerability if there are limitations to what can be done with it. As described before, the scope is only Google sites or services that handle user data.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Using the right bug bounty program

Finding the right bounty program for your skill level and experience has never been easier. Companies and organizations offer you an official channel to conduct your research, making things even more accessible.

The examples in the article have outlined the different companies and what you can do to find out what kind of bounty might be right for you. The next step is up to you. Start your research today!



Graeme Messina
Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.