Two years after the launch of the "No More Free Bugs" philosophy, several companies and Open Source projects are now offering programs designed to encourage security research in their products. In addition, many private firms are publicly offering vulnerability acquisition programs.
This post is an attempt to catalog all public and active incentives. This includes traditional "Bug Bounty Programs" as well as "Vulnerability/Exploit Acquisition Programs".
Update (19 Oct 2013): A new website http://www.bugsheet.com/bug-bounties has started collecting bug bounties and disclosure programs. I do recognize that an actual website is better than a single blog post, thus I've discontinued this list.
Bug Bounty Programs
Sponsor | Target | Reward |
| AT&T | Security vulnerabilities found within the AT&T API Platform | $100-$5,000, plus merchandize (e.g. LTE data cards, phones with free service) |
| Avast | Security vulnerabilities in the latest consumer Windows versions of Avast | $200-$5,000 |
| Barracuda | Vulnerabilities in Barracuda appliances, including Spam/Virus Firewall, Web Filter, WAF, NG Firewall | $500-$3,133.7 |
| BugCrowd | Crowdsourced security testing. BugCrowd manages bug bounty programs for third-party companies | Starting from $250 |
| BugWolf | Marketplace for bug bounty hunters. BugWolf manages bug bounty programs for third-party companies | Starting from $500 |
| Coinbase | Previously unknown security vulnerabilities in Coinbase's web platform | Starting from 5 BTC |
| Cryptocat | XSS bugs, crypto implementation bugs, arbitrary code execution in Cryptocat's code | $n/a |
| Djbdns | Verifiable security holes in the latest version of Djbdns | $1000 |
| Etsy | Web application vulnerabilities affecting the main www.etsy.com site, the etsy.com API, or the official Etsy mobile application | Starting from $500 |
| Facebook web platform security bugs. No third-party applications | Starting from $500 | |
| Future of Enforcement | Web vulnerabilities in Future of Enforcement's website | €100 |
| Gallery | Security issues in the latest stable release of the popular web based photo album organizer | $100-$1000 |
| Chromium browser project, Chrome OS and selected Google web properties bugs | $500-$20,000 | |
| IntegraXor HMI/SCADA | Security vulnerabilities in IGX SCADA systems with verifiable proof-of-concepts | Up to 8K I/O points (~$3999) |
| Hex-Rays | Security bugs in the latest public release of Hex-Rays IDA | Up to $3000 |
| Kaneva | High impact web application vulnerabilities | $100 |
| Mega | Web application vulnerabilities and crypto bugs affecting MEGA's online systems | Up to €10000 |
| Meraki | All web content under *.meraki.com, Meraki-operated web properties, systems manager client applications and Meraki hardware devices | $100-$2500 |
| Mozilla | Firefox, Thunderbird and selected Mozilla Internet-facing websites bugs | $500-$3000, plus Mozilla T-shirt |
| Nokia | Vulnerabilities in all Nokia run services, applications and products excluding corporate infrastructure | $n/a |
| PayPal | Web application vulnerabilities in www.paypal.com | $n/a |
| Piwik | Flaws in Piwik web analytics software | $200-$500 |
| Qmail | Verifiable security holes in the latest version of Qmail | $5000 |
| Ripple | Security issues in Ripple, an OpenSource person to person payment network | Up to $10000 |
| Samsung | Security bugs in Samsung TV/BD | Starting from $500 |
| Tarsnap | Tarsnap bugs, affecting either pre-release or released versions | $1-$2000 |
| Yandex | Security vulnerabilities in Yandex's services or mobile applications, as specified on the terms and conditions page | $100-$1000 |
Vulnerability/Exploit Acquisition Programs
Sponsor
|
Target
|
Reward
|
| BeyondSecurity SecuriTeam | High and medium impact bugs in widely spread software | $n/a |
| Coseinc | Unpublished security vulnerabilities for Windows, Linux and Solaris | $n/a |
| Exodus Intelligence Program | Vulnerability research acquisition program for unknown vulnerabilities affecting widely deployed software packages | $n/a plus yearly bonuses |
| ExploitHub | Legitimate market-place for non-zero-day exploits | $50-$1000. Both one-time purchase payments as well as recurring monthly payments from site-license customers |
| iSight Partners | Bugs in typical corporate environment applications | $n/a |
| Netragard | 0-day exploits against well-known software | $n/a |
| Packet Storm | Exploits for 0-day and 1-day vulnerabilities in enterprise-grade software (Microsoft, Flash, Java, etc.) | $1000-$7000 |
| TippingPoint ZDI | Undisclosed vulnerability research, affecting widely deployed software | $n/a plus awards and benefits, depending on the contributor's status |
| VeriSign iDefence | Security vulnerabilities in widely deployed applications | $n/a |
| White Fir Design | Bugs in WordPress code and plugins (with over 1 million downloads and compatible with the most recent WordPress) | $50-$500 |
Contributions are welcome! If you are aware of an initiative not listed here or you want to report an inaccuracy in your initiative, please leave a comment and we will update this page over time. In fact, the more people, the better.
Just to clarify, we aim at indexing programs that are:
- Legal. Although black/gray market places exist, we don't certainly want to list them here
- Active. We want to keep track of ongoing initiatives. Even time-limited programs are eligible, as long as they are still accepting submissions
- Public. All entries must have publicly available details. This may range from accurate guidelines and rules to just a simple sentence stating the nature of the incentive. It hence follows that we are going to report public information only. In case of cash rewards, the actual amount is reported whenever the min-max price paid is clearly stated
- Reward-based. In most cases, entries are "cash-for-bugs" programs. However, any kind of tangible reward is eligible. "No More Free Bugs" versus "No More Cheap Bugs" disputes are not considered here