At a recent OWASP meeting in San Francisco, bug bounties caused far and away the most spirited discussion. Speaker Craig Steipp, head of security at WikiMedia, spoke strongly in favor of them, yet several audience members spoke against them or offered only tepid support.
Sidestepping that debate: who started them? Who runs them? Who doesn't? And what's the largest one out there?
According to Wikipedia, Jarrett Ridlinghafer started the first such program in 1995 as a technical support engineer at Netscape Communications. The SVP of Engineering was reportedly the only person against funding the internal program, but he was outvoted and the company went ahead with it. Others followed suit.
Bugcrowd, which facilitates a community approach to security, keeps a running list of bounty programs submitted by its community of users. The list can be sorted by four categories: New, Reward, Swag and Hall of Fame. (There's no description of Hall of Fame, so define that as you wish.) Bugcrowd also offers a weekly email for people who want to stay on top of the game.
HackerOne, which runs programs for Twitter and other big names, is a good resource for finding out which companies not only offer bounties but also contribute to open-source projects that support bounty programs.
The programs aren't limited to tech companies either. Somewhat surprisingly, United Airlines is the fourth-ranked result for a Google search of 'bug bounties'. They'll pay up to 1,000,000 frequent flier miles for serious flaws.
There's no quick-and-easy list of payout amounts, but that's not surprising given the subjective nature of what might be discovered and its perceived value. Security firm Netragard told Forbes in 2010 that it would pay hackers up to $115,000 for an Apple vulnerability.
WeLiveSecurity published a story in 2015 listing the highest bounties it could uncover. Although it says Facebook paid more than $1M in total bounties for 2014, Microsoft's $200,000 payment is the highest single reward on the list.
The New York Times recently put together a nice list of companies that pay and how much they pay (Google will pay up to $100,000 for a Chromebook bug).
If we missed your bug bounty program, or you know of any that are noteworthy, feel free to send them in and we'll add them to the list.