"No More Free Bugs" Initiatives

Two years after the launch of the "No More Free Bugs" philosophy, several companies and Open Source projects are now offering programs designed to encourage security research in their products. In addition, many private firms are publicly offering vulnerability acquisition programs.


This post is an attempt to catalog all public and active incentives. This includes traditional "Bug Bounty Programs" as well as "Vulnerability/Exploit Acquisition Programs".
Update (19 Oct 2013): A new website http://www.bugsheet.com/bug-bounties has started collecting bug bounties and disclosure programs. I do recognize that an actual website is better than a single blog post, thus I've discontinued this list.

Bug Bounty Programs

Sponsor	Target	Reward
AT&T	Security vulnerabilities found within the AT&T API Platform	$100-$5,000, plus merchandize (e.g. LTE data cards, phones with free service)
Avast	Security vulnerabilities in the latest consumer Windows versions of Avast	$200-$5,000
Barracuda	Vulnerabilities in Barracuda appliances, including Spam/Virus Firewall, Web Filter, WAF, NG Firewall	$500-$3,133.7
BugCrowd	Crowdsourced security testing. BugCrowd manages bug bounty programs for third-party companies	Starting from $250
BugWolf	Marketplace for bug bounty hunters. BugWolf manages bug bounty programs for third-party companies	Starting from $500
Coinbase	Previously unknown security vulnerabilities in Coinbase's web platform	Starting from 5 BTC
Cryptocat	XSS bugs, crypto implementation bugs, arbitrary code execution in Cryptocat's code	$n/a
Djbdns	Verifiable security holes in the latest version of Djbdns	$1000
Etsy	Web application vulnerabilities affecting the main www.etsy.com site, the etsy.com API, or the official Etsy mobile application	Starting from $500
Facebook	Facebook web platform security bugs. No third-party applications	Starting from $500
Future of Enforcement	Web vulnerabilities in Future of Enforcement's website	€100
Gallery	Security issues in the latest stable release of the popular web based photo album organizer	$100-$1000
Google	Chromium browser project, Chrome OS and selected Google web properties bugs	$500-$20,000
IntegraXor HMI/SCADA	Security vulnerabilities in IGX SCADA systems with verifiable proof-of-concepts	Up to 8K I/O points (~$3999)
Hex-Rays	Security bugs in the latest public release of Hex-Rays IDA	Up to $3000
Kaneva	High impact web application vulnerabilities	$100
Mega	Web application vulnerabilities and crypto bugs affecting MEGA's online systems	Up to €10000
Meraki	All web content under *.meraki.com, Meraki-operated web properties, systems manager client applications and Meraki hardware devices	$100-$2500
Mozilla	Firefox, Thunderbird and selected Mozilla Internet-facing websites bugs	$500-$3000, plus Mozilla T-shirt
Nokia	Vulnerabilities in all Nokia run services, applications and products excluding corporate infrastructure	$n/a
PayPal	Web application vulnerabilities in www.paypal.com	$n/a
Piwik	Flaws in Piwik web analytics software	$200-$500
Qmail	Verifiable security holes in the latest version of Qmail	$5000
Ripple	Security issues in Ripple, an OpenSource person to person payment network	Up to $10000
Samsung	Security bugs in Samsung TV/BD	Starting from $500
Tarsnap	Tarsnap bugs, affecting either pre-release or released versions	$1-$2000
Yandex	Security vulnerabilities in Yandex's services or mobile applications, as specified on the terms and conditions page	$100-$1000

Vulnerability/Exploit Acquisition Programs

Sponsor	Target	Reward
BeyondSecurity SecuriTeam	High and medium impact bugs in widely spread software	$n/a
Coseinc	Unpublished security vulnerabilities for Windows, Linux and Solaris	$n/a
Exodus Intelligence Program	Vulnerability research acquisition program for unknown vulnerabilities affecting widely deployed software packages	$n/a plus yearly bonuses
ExploitHub	Legitimate market-place for non-zero-day exploits	$50-$1000. Both one-time purchase payments as well as recurring monthly payments from site-license customers
iSight Partners	Bugs in typical corporate environment applications	$n/a
Netragard	0-day exploits against well-known software	$n/a
Packet Storm	Exploits for 0-day and 1-day vulnerabilities in enterprise-grade software (Microsoft, Flash, Java, etc.)	$1000-$7000
TippingPoint ZDI	Undisclosed vulnerability research, affecting widely deployed software	$n/a plus awards and benefits, depending on the contributor's status
VeriSign iDefence	Security vulnerabilities in widely deployed applications	$n/a
White Fir Design	Bugs in WordPress code and plugins (with over 1 million downloads and compatible with the most recent WordPress)	$50-$500

Contributions are welcome! If you are aware of an initiative not listed here or you want to report an inaccuracy in your initiative, please leave a comment and we will update this page over time. In fact, the more people, the better.

Just to clarify, we aim at indexing programs that are:

• Legal. Although black/gray market places exist, we don't certainly want to list them here
• Active. We want to keep track of ongoing initiatives. Even time-limited programs are eligible, as long as they are still accepting submissions
• Public. All entries must have publicly available details. This may range from accurate guidelines and rules to just a simple sentence stating the nature of the incentive. It hence follows that we are going to report public information only. In case of cash rewards, the actual amount is reported whenever the min-max price paid is clearly stated
• Reward-based. In most cases, entries are "cash-for-bugs" programs. However, any kind of tangible reward is eligible. "No More Free Bugs" versus "No More Cheap Bugs" disputes are not considered here

Disclaimer: we do not endorse, represent or warrant the accuracy or reliability of any of these programs.