Thursday, October 20, 2011

"No More Free Bugs" Initiatives

Two years after the launch of the "No More Free Bugs" philosophy, several companies and Open Source projects are now offering programs designed to encourage security research in their products. In addition, many private firms are publicly offering vulnerability acquisition programs.


This post is an attempt to catalog all public and active incentives. This includes traditional "Bug Bounty Programs" as well as "Vulnerability/Exploit Acquisition Programs".
Update (19 Oct 2013): A new website http://www.bugsheet.com/bug-bounties has started collecting bug bounties and disclosure programs. I do recognize that an actual website is better than a single blog post, thus I've discontinued this list.

Bug Bounty Programs


Sponsor

Target

Reward
AT&T Security vulnerabilities found within the AT&T API Platform $100-$5,000, plus merchandize (e.g. LTE data cards, phones with free service)
Avast Security vulnerabilities in the latest consumer Windows versions of Avast $200-$5,000
Barracuda Vulnerabilities in Barracuda appliances, including Spam/Virus Firewall, Web Filter, WAF, NG Firewall $500-$3,133.7
BugCrowd Crowdsourced security testing. BugCrowd manages bug bounty programs for third-party companies Starting from $250
BugWolf Marketplace for bug bounty hunters. BugWolf manages bug bounty programs for third-party companies Starting from $500
Coinbase Previously unknown security vulnerabilities in Coinbase's web platform Starting from 5 BTC
Cryptocat XSS bugs, crypto implementation bugs, arbitrary code execution in Cryptocat's code $n/a
Djbdns Verifiable security holes in the latest version of Djbdns $1000
Etsy Web application vulnerabilities affecting the main www.etsy.com site, the etsy.com API, or the official Etsy mobile application Starting from $500
Facebook Facebook web platform security bugs. No third-party applications Starting from $500
Future of Enforcement Web vulnerabilities in Future of Enforcement's website €100
Gallery Security issues in the latest stable release of the popular web based photo album organizer $100-$1000
Google Chromium browser project, Chrome OS and selected Google web properties bugs $500-$20,000
IntegraXor HMI/SCADA Security vulnerabilities in IGX SCADA systems with verifiable proof-of-concepts Up to 8K I/O points (~$3999)
Hex-Rays Security bugs in the latest public release of Hex-Rays IDA Up to $3000
Kaneva High impact web application vulnerabilities $100
Mega Web application vulnerabilities and crypto bugs affecting MEGA's online systems Up to €10000
Meraki All web content under *.meraki.com, Meraki-operated web properties, systems manager client applications and Meraki hardware devices $100-$2500
Mozilla Firefox, Thunderbird and selected Mozilla Internet-facing websites bugs $500-$3000, plus Mozilla T-shirt
Nokia Vulnerabilities in all Nokia run services, applications and products excluding corporate infrastructure $n/a
PayPal Web application vulnerabilities in www.paypal.com $n/a
Piwik Flaws in Piwik web analytics software $200-$500
Qmail Verifiable security holes in the latest version of Qmail $5000
Ripple Security issues in Ripple, an OpenSource person to person payment network Up to $10000
Samsung Security bugs in Samsung TV/BD Starting from $500
Tarsnap Tarsnap bugs, affecting either pre-release or released versions $1-$2000
Yandex Security vulnerabilities in Yandex's services or mobile applications, as specified on the terms and conditions page $100-$1000

Vulnerability/Exploit Acquisition Programs


Sponsor

Target

Reward
BeyondSecurity SecuriTeam High and medium impact bugs in widely spread software $n/a
Coseinc Unpublished security vulnerabilities for Windows, Linux and Solaris $n/a
Exodus Intelligence Program Vulnerability research acquisition program for unknown vulnerabilities affecting widely deployed software packages $n/a plus yearly bonuses
ExploitHub Legitimate market-place for non-zero-day exploits $50-$1000. Both one-time purchase payments as well as recurring monthly payments from site-license customers
iSight Partners Bugs in typical corporate environment applications $n/a
Netragard 0-day exploits against well-known software $n/a
Packet Storm Exploits for 0-day and 1-day vulnerabilities in enterprise-grade software (Microsoft, Flash, Java, etc.) $1000-$7000
TippingPoint ZDI Undisclosed vulnerability research, affecting widely deployed software $n/a plus awards and benefits, depending on the contributor's status
VeriSign iDefence Security vulnerabilities in widely deployed applications $n/a
White Fir Design Bugs in WordPress code and plugins (with over 1 million downloads and compatible with the most recent WordPress) $50-$500

Contributions are welcome! If you are aware of an initiative not listed here or you want to report an inaccuracy in your initiative, please leave a comment and we will update this page over time. In fact, the more people, the better.

Just to clarify, we aim at indexing programs that are:
  • Legal. Although black/gray market places exist, we don't certainly want to list them here
  • Active. We want to keep track of ongoing initiatives. Even time-limited programs are eligible, as long as they are still accepting submissions
  • Public. All entries must have publicly available details. This may range from accurate guidelines and rules to just a simple sentence stating the nature of the incentive. It hence follows that we are going to report public information only. In case of cash rewards, the actual amount is reported whenever the min-max price paid is clearly stated
  • Reward-based. In most cases, entries are "cash-for-bugs" programs. However, any kind of tangible reward is eligible. "No More Free Bugs" versus "No More Cheap Bugs" disputes are not considered here
Disclaimer: we do not endorse, represent or warrant the accuracy or reliability of any of these programs.

    25 comments:

    1. Hello, Please update the ExploitHub listing to include non-Metasploit exploits and change the reward to both one-time purchase payments as well as recurring monthly payments from site-license customers.

      ReplyDelete
    2. Google changed theirs to $100 - $3000, and CCbill have suspended theirs (temporarily, hopefully).

      ReplyDelete
    3. Also,
      http://codex.gallery2.org/Bounties

      ReplyDelete
    4. Recent changes:
      - Updated ExploitHub details (see Dustin D. Trammell's comment)
      - Included ChromeOS in Google bounty
      - Removed CCbill
      - Added Gallery2 bounties (see Albino's comment)

      Thanks again for leaving your comments and keeping this post updated!

      ReplyDelete
    5. Recent changes:
      - Updated Google rewards (http://googleonlinesecurity.blogspot.com/2012/04/spurring-more-vulnerability-research.html)

      ReplyDelete
    6. Yet another update:
      - Samsung Security Bug Bounty Program
      - Access Innovation Prize 2012

      ReplyDelete
    7. Change:
      - Added AT&T Bug Bounty Program

      ReplyDelete
    8. Update:
      - PayPal Bug Bounty (Thanks @netfuzzer)

      ReplyDelete
    9. A new player:
      - Exodus Intelligence Program

      ReplyDelete
    10. Thanks! The list looks quite complete.

      ReplyDelete
    11. Etsy has opened a bug bounty program. Added to the list.

      ReplyDelete
    12. Secunia has a purchase program.

      Should also keep track of historical (Netscape), and track the rough date the program was started. Would enhance this resource and be useful for journalists, bloggers, etc.

      Thanks!

      ReplyDelete
    13. PacketStorm jut opened a Bug Bounty Program http://packetstormsecurity.com/bugbounty

      ReplyDelete
    14. @jericho
      Secunia is already there.
      Yes, I agree - It would be nice to keep track of all initiatives too.

      @d3v1l
      Done!

      Changes:
      - PacketStorm
      - BugCrowd

      ReplyDelete
    15. Hi, you're missing one:
      http://blog.avast.com/2013/01/25/introducing-avast-bug-bounty/

      ReplyDelete
    16. Thanks @Shamiq

      New:
      - Avast
      http://blog.avast.com/2013/01/25/introducing-avast-bug-bounty/
      - Nokia
      http://www.nokia.com/global/security/security/

      ReplyDelete
    17. Recent changes:
      - Meraki
      - Future of Enforcement
      - Cryptocat

      ReplyDelete
    18. - Coinbase (thanks to @securityshell)

      ReplyDelete
    19. Removed:
      - Access Price
      - Digital Armaments
      - Secunia

      ReplyDelete
    20. Yahoo now offers cash rewards for reported bugs, so add them to the list.

      http://yahoodevelopers.tumblr.com/post/62953984019/so-im-the-guy-who-sent-the-t-shirt-out-as-a-thank-you

      $150 - $15,000

      Good Luck!

      ReplyDelete
    21. I've decided to discontinue this list. http://www.bugsheet.com/bug-bounties is doing a great job, collecting and maintaining a list of all bug bounties & disclosure programs.

      Cheers!

      ReplyDelete