Two years after the launch of the "No More Free Bugs" philosophy, several companies and Open Source projects are now offering programs designed to encourage security research in their products. In addition, many private firms are publicly offering vulnerability acquisition programs.
This post is an attempt to catalog all public and active incentives. This includes traditional "Bug Bounty Programs" as well as "Vulnerability/Exploit Acquisition Programs".
Bug Bounty Programs
Sponsor | Target | Reward |
| Barracuda | Vulnerabilities in Barracuda appliances, including Spam/Virus Firewall, Web Filter, WAF, NG Firewall | $500-$3,133.7 |
| CCBill.com | CCBill web application vulnerabilities | $200-$500 |
| Djbdns | Verifiable security holes in the latest version of Djbdns | $1000 |
| Facebook web platform security bugs. No third-party applications | Starting from $500 | |
| Chromium browser project and selected Google web properties bugs | $500-$3,133.7 | |
| Hex-Rays | Security bugs in the latest public release of Hex-Rays IDA | Up to $3000 |
| Mozilla | Firefox, Thunderbird and selected Mozilla Internet-facing websites bugs | $500-$3000, plus Mozilla T-shirt |
| Piwik | Flaws in Piwik web analytics software | $200-$500 |
| Qmail | Verifiable security holes in the latest version of Qmail | $5000 |
| Tarsnap | Tarsnap bugs, affecting either pre-release or released versions | $1-$2000 |
Vulnerability/Exploit Acquisition Programs
Sponsor
|
Target
|
Reward
|
| BeyondSecurity SecuriTeam | High and medium impact bugs in widely spread software | $n/a |
| Coseinc | Unpublished security vulnerabilities for Windows, Linux and Solaris | $n/a |
| Digital Armaments | Vulnerability and/or exploit code for high value software | $n/a |
| ExploitHub | Legitimate market-place for non-zero-day Metasploit exploits | $50~$1000 |
| iSight Partners | Bugs in typical corporate environment applications | $n/a |
| Netragard | 0-day exploits against well-known software | $n/a |
| Secunia | Unknown vulnerabilities affecting stable and latest release of products. All classes of vulnerabilities are eligible. | From top-of-the range merchandise to an IT security conference pass and hotel accommodation |
| TippingPoint ZDI | Undisclosed vulnerability research, affecting widely deployed software | $n/a plus awards and benefits, depending on the contributor's status |
| VeriSign iDefence | Security vulnerabilities in widely deployed applications | $n/a |
| White Fir Design | Bugs in WordPress code and plugins (with over 1 million downloads and compatible with the most recent WordPress) | $50-$500 |
Contributions are welcome! If you are aware of an initiative not listed here or you want to report an inaccuracy in your initiative, please leave a comment and we will update this page over time. In fact, the more people, the better.
Just to clarify, we aim at indexing programs that are:
- Legal. Although black/gray market places exist, we don't certainly want to list them here
- Active. We want to keep track of ongoing initiatives. Even time-limited programs are eligible, as long as they are still accepting submissions
- Public. All entries must have publicly available details. This may range from accurate guidelines and rules to just a simple sentence stating the nature of the incentive. It hence follows that we are going to report public information only. In case of cash rewards, the actual amount is reported whenever the min-max price paid is clearly stated
- Reward-based. In most cases, entries are "cash-for-bugs" programs. However, any kind of tangible reward is eligible. "No More Free Bugs" versus "No More Cheap Bugs" disputes are not considered here
Posts
1 comments:
February 5, 2012 1:27 AM
Hello, Please update the ExploitHub listing to include non-Metasploit exploits and change the reward to both one-time purchase payments as well as recurring monthly payments from site-license customers.
Post a Comment