"No More Free Bugs" Initiatives

Two years after the launch of the "No More Free Bugs" philosophy, several companies and Open Source projects now offer programs designed to encourage security research in their products. In addition, many private firms publicly offer vulnerability acquisition programs.

This post is an attempt to catalog all public and active incentives. This includes traditional "Bug Bounty Programs" as well as "Vulnerability/Exploit Acquisition Programs".
Update (19 Oct 2013): A new website, http://www.bugsheet.com/bug-bounties, has started collecting bug bounties and disclosure programs. I recognize that a dedicated website is better than a single blog post, so I've discontinued this list.

Bug Bounty Programs

Sponsor | Target | Reward
AT&T | Security vulnerabilities found within the AT&T API Platform | $100-$5,000, plus merchandise (e.g. LTE data cards, phones with free service)
Avast | Security vulnerabilities in the latest consumer Windows versions of Avast | $200-$5,000
Barracuda | Vulnerabilities in Barracuda appliances, including Spam/Virus Firewall, Web Filter, WAF, NG Firewall | $500-$3,133.70
BugCrowd | Crowdsourced security testing. BugCrowd manages bug bounty programs for third-party companies | Starting from $250
BugWolf | Marketplace for bug bounty hunters. BugWolf manages bug bounty programs for third-party companies | Starting from $500
Coinbase | Previously unknown security vulnerabilities in Coinbase's web platform | Starting from 5 BTC
Cryptocat | XSS bugs, crypto implementation bugs, arbitrary code execution in Cryptocat's code | n/a
Djbdns | Verifiable security holes in the latest version of Djbdns | $1,000
Etsy | Web application vulnerabilities affecting the main www.etsy.com site, the etsy.com API, or the official Etsy mobile application | Starting from $500
Facebook | Facebook web platform security bugs. No third-party applications | Starting from $500
Future of Enforcement | Web vulnerabilities in Future of Enforcement's website | €100
Gallery | Security issues in the latest stable release of the popular web-based photo album organizer | $100-$1,000
Google | Chromium browser project, Chrome OS and selected Google web properties bugs | $500-$20,000
IntegraXor HMI/SCADA | Security vulnerabilities in IGX SCADA systems with verifiable proofs of concept | Up to 8K I/O points (~$3,999)
Hex-Rays | Security bugs in the latest public release of Hex-Rays IDA | Up to $3,000
Kaneva | High-impact web application vulnerabilities | $100
Mega | Web application vulnerabilities and crypto bugs affecting MEGA's online systems | Up to €10,000
Meraki | All web content under *.meraki.com, Meraki-operated web properties, Systems Manager client applications and Meraki hardware devices | $100-$2,500
Mozilla | Firefox, Thunderbird and selected Mozilla Internet-facing websites bugs | $500-$3,000, plus Mozilla T-shirt
Nokia | Vulnerabilities in all Nokia-run services, applications and products, excluding corporate infrastructure | n/a
PayPal | Web application vulnerabilities in www.paypal.com | n/a
Piwik | Flaws in Piwik web analytics software | $200-$500
Qmail | Verifiable security holes in the latest version of Qmail | $5,000
Ripple | Security issues in Ripple, an open-source person-to-person payment network | Up to $10,000
Samsung | Security bugs in Samsung TV/BD | Starting from $500
Tarsnap | Tarsnap bugs, affecting either pre-release or released versions | $1-$2,000
Yandex | Security vulnerabilities in Yandex's services or mobile applications, as specified on the terms and conditions page | $100-$1,000

Vulnerability/Exploit Acquisition Programs

Sponsor | Target | Reward
BeyondSecurity SecuriTeam | High- and medium-impact bugs in widely spread software | n/a
Coseinc | Unpublished security vulnerabilities for Windows, Linux and Solaris | n/a
Exodus Intelligence Program | Vulnerability research acquisition program for unknown vulnerabilities affecting widely deployed software packages | n/a, plus yearly bonuses
ExploitHub | Legitimate marketplace for non-zero-day exploits | $50-$1,000. Both one-time purchase payments and recurring monthly payments from site-license customers
iSight Partners | Bugs in typical corporate environment applications | n/a
Netragard | 0-day exploits against well-known software | n/a
Packet Storm | Exploits for 0-day and 1-day vulnerabilities in enterprise-grade software (Microsoft, Flash, Java, etc.) | $1,000-$7,000
TippingPoint ZDI | Undisclosed vulnerability research affecting widely deployed software | n/a, plus awards and benefits depending on the contributor's status
VeriSign iDefense | Security vulnerabilities in widely deployed applications | n/a
White Fir Design | Bugs in WordPress code and plugins (with over 1 million downloads and compatible with the most recent WordPress) | $50-$500

Contributions are welcome! If you are aware of an initiative not listed here, or you want to report an inaccuracy in the entry for your initiative, please leave a comment and we will update this page over time. The more contributors, the better.

Just to clarify, we aim at indexing programs that are:
  • Legal. Although black/gray marketplaces exist, we certainly don't want to list them here
  • Active. We want to keep track of ongoing initiatives. Even time-limited programs are eligible, as long as they are still accepting submissions
  • Public. All entries must have publicly available details. This may range from precise guidelines and rules to a single sentence stating the nature of the incentive. It follows that we report public information only. In the case of cash rewards, the actual amount is reported whenever the minimum and maximum prices paid are clearly stated; otherwise the reward column reads "n/a"
  • Reward-based. In most cases, entries are "cash-for-bugs" programs. However, any kind of tangible reward is eligible. "No More Free Bugs" versus "No More Cheap Bugs" disputes are not considered here
Disclaimer: we do not endorse, represent or warrant the accuracy or reliability of any of these programs.

    24 comments:

      Dustin D. Trammell

    February 5, 2012 at 1:27 AM

    Hello, Please update the ExploitHub listing to include non-Metasploit exploits and change the reward to both one-time purchase payments as well as recurring monthly payments from site-license customers.

      albino

    March 2, 2012 at 8:12 AM

    Google changed theirs to $100 - $3000, and CCbill have suspended theirs (temporarily, hopefully).

      albino

    March 4, 2012 at 5:37 AM

    Also,
    http://codex.gallery2.org/Bounties

      Luca Carettoni

    March 31, 2012 at 6:15 PM

    Recent changes:
    - Updated ExploitHub details (see Dustin D. Trammell's comment)
    - Included ChromeOS in Google bounty
    - Removed CCbill
    - Added Gallery2 bounties (see Albino's comment)

    Thanks again for leaving your comments and keeping this post updated!

      Luca Carettoni

    April 23, 2012 at 10:26 PM

    Recent changes:
    - Updated Google rewards (http://googleonlinesecurity.blogspot.com/2012/04/spurring-more-vulnerability-research.html)

      Luca Carettoni

    June 3, 2012 at 6:14 PM

    Yet another update:
    - Samsung Security Bug Bounty Program
    - Access Innovation Prize 2012

      Luca Carettoni

    June 7, 2012 at 10:20 AM

    Change:
    - Added AT&T Bug Bounty Program

      Luca Carettoni

    June 12, 2012 at 9:46 PM

    Update:
    - PayPal Bug Bounty (Thanks @netfuzzer)

      Luca Carettoni

    June 20, 2012 at 8:31 PM

    A new player:
    - Exodus Intelligence Program

      7h3rAm

    June 27, 2012 at 7:11 AM

    Thanks! The list looks quite complete.

      Luca Carettoni

    September 11, 2012 at 6:06 PM

    Etsy has opened a bug bounty program. Added to the list.

      Luca Carettoni

    September 23, 2012 at 10:59 AM

    Change:
    - Added Yandex bug bounty

      jericho

    January 4, 2013 at 2:00 PM

    Secunia has a purchase program.

    Should also keep track of historical (Netscape), and track the rough date the program was started. Would enhance this resource and be useful for journalists, bloggers, etc.

    Thanks!

      d3v1l

    January 16, 2013 at 10:48 AM

    PacketStorm just opened a Bug Bounty Program http://packetstormsecurity.com/bugbounty

      Luca Carettoni

    January 16, 2013 at 11:08 PM

    @jericho
    Secunia is already there.
    Yes, I agree, it would be nice to keep track of all initiatives too.

    @d3v1l
    Done!

    Changes:
    - PacketStorm
    - BugCrowd

      Luca Carettoni

    February 3, 2013 at 6:59 PM

    New:
    - MEGA bug bounty
    - BugWolf

      Shamiq

    February 8, 2013 at 11:31 AM

    Hi, you're missing one:
    http://blog.avast.com/2013/01/25/introducing-avast-bug-bounty/

      Luca Carettoni

    February 15, 2013 at 11:42 AM

    Thanks @Shamiq

    New:
    - Avast
    http://blog.avast.com/2013/01/25/introducing-avast-bug-bounty/
    - Nokia
    http://www.nokia.com/global/security/security/

      Luca Carettoni

    March 20, 2013 at 11:53 PM

    Recent changes:
    - Meraki
    - Future of Enforcement
    - Cryptocat

      Luca Carettoni

    May 1, 2013 at 9:13 AM

    - Coinbase (thanks to @securityshell)

      Luca Carettoni

    August 8, 2013 at 11:06 PM

    New:
    - IntegraXor HMI/SCADA

      Luca Carettoni

    August 24, 2013 at 10:08 PM

    Removed:
    - Access Price
    - Digital Armaments
    - Secunia

      dark

    October 3, 2013 at 5:06 PM

    Yahoo now offers cash rewards for reported bugs, so add them to the list.

    http://yahoodevelopers.tumblr.com/post/62953984019/so-im-the-guy-who-sent-the-t-shirt-out-as-a-thank-you

    $150 - $15,000

    Good Luck!

      Luca Carettoni

    October 19, 2013 at 6:30 PM

    I've decided to discontinue this list. http://www.bugsheet.com/bug-bounties is doing a great job, collecting and maintaining a list of all bug bounties & disclosure programs.

    Cheers!