5 Best Bug Bounty Programs

There are a few things that make a good bug bounty program. Of course, potential payouts are essential. But beyond being rewarded for security research, things like total resolved reports, average response time, the number of hackers contributing to a program, and brand reputation are all factors that need to be considered.

We have evaluated thousands of bug bounty programs across multiple websites. In the below post, we will share some of the best programs in the world.

Whether you are a hacker looking to increase your earnings or if you are an organization looking to learn from the best, this post is for you!

Let’s get to it!

Best Bug Bounty Programs

Apple

Get more information on the Apple Bug Bounty Program.

In the past two and a half years, Apple has given researchers approximately $20 million in payments, with an average of $40,000 awarded per person. Twenty people have received rewards over $100,000 for high-impact issues. Based on our research, this makes Apple Security Bounty the fastest-growing bounty program in industry history.

Because of this rapid expansion, Apple has had to invest in its program. They have recruited a dedicated team to deal with incoming reports, created an external advisory board of leading researchers and industry experts, and continue closely monitoring the bounty program.

These investments have let them deal with almost every report they get within two weeks, most of them within six days.

Apple has also developed a platform for researchers to report issues and communicate with their teams. The Apple Security Research site includes a new way to submit security research on the web and get real-time status updates. This gives researchers tools to track the progress of a report and communicate securely with Apple engineers as they investigate.

Google

Get more information on the Google Bug Bounty Program.

Google has been dedicated to helping security researchers and bug hunters for over ten years.

Their first Vulnerability Reward Program (VRP) was designed to compensate and thank those who help make Google’s code more secure. It is one of the world’s earliest known established bug bounty programs. Over time, their bug bounty programs expanded to allow researchers to test Chrome, Android, and other Google products.

In total, these programs have rewarded more than 13,000 submissions, totaling over $38M paid. Because of the sheer size and capital available to Google, they can offer some of the highest payouts in the industry. For example, vulnerabilities reported that give direct access to Google servers, including remote code execution issues, can yield a payout of $31,337.

Meta (Facebook)

Get more information on the Facebook Bug Bounty Program.

Are you noticing a trend here? Another FAANG company cracking into our list of best bug bounty programs?

Meta’s bug bounty program has been around since 2011 when it started covering Facebook’s web page. It has grown to cover all its web and mobile clients, including Instagram, WhatsApp, Oculus, Workplace, and more.

Meta determines bounty amounts based on various factors, including (but not limited to) impact, ease of exploitation, and quality of the report. If they pay a bounty, the minimum reward is $500.

The advantage of having a bug bounty program running for over ten years is that some of Facebook’s researchers have spent many years hunting on their platform. They know the products and services inside out, which means they can find deep-rooted issues – not just surface ones – that the wider community would usually overlook.

This is evident by newsworthy wins by ethical hackers like Philippe Harewood, who identified an endpoint vulnerability that could have allowed a malicious actor to retrieve an Instagram app access token. Meta awarded Harewood a $30,000 bounty award for reporting this vulnerability.

Microsoft

Get more information on the Microsoft Bug Bounty Program.

Recently, Microsoft announced that they awarded $13.7M in bug bounties to more than 330 security researchers across 46 countries in 12 months. 

The biggest award was $200,000 under their Hyper-V Bounty Program.

On average, across all of their programs, participants received more than $12,000 per project; this speaks to the extensive research done by their large and diverse global security community.

Beyond payouts, one of the reasons Microsoft makes our list is the overall flexibility of its program. Microsoft is constantly changing its programs and partnerships to stay ahead of the curve. A crucial part of this growth is listening to suggestions from researchers so they can make it easier for them to do their job effectively. Most recently, Microsoft introduced the Dynamics 365 and Power Platform Bounty Program, adding Power Platform and a new high-impact research scenario to scope.

PayPal

Get more information on the PayPal Bug Bounty Program.

PayPal is one of the most well-known online payment services in the world. Based in California, PayPal has over 420 million active users. Because it’s in the financial services sector and has such a large user base, there are many opportunities for hackers to find vulnerabilities in the system.

One of the things that makes PayPal a standout bug bounty program is its total resolved reports and average response time. Since launching on HackerOne in September 2018, PayPal has resolved over 1500 reports. Their typical response time to disclosed vulnerabilities is an impressive 6 hours.

Payouts vary with severity. On average, a bounty between $1k-$4k is typically paid to ethical hackers who successfully identify and report a vulnerability. Critical issues have a maximum reward payout of $20,000.

Frequently Asked Questions

How did you select these programs?

We look at several factors to develop our list of the best bug bounty programs. Here’s a list of the factors that we used in our evaluation:

  1. Total search volume
  2. Payouts (minimum, average, maximum)
  3. Reports resolved
  4. Length of program
  5. Company credibility
  6. Program scope
  7. Total active participants
  8. Public reviews and reputation
  9. Platforms utilized
  10. Internal infrastructure for support

Can I submit my program for review?

Absolutely. We have compiled a full list of widely published bug bounty programs. But that data source is always growing, and we’re happy to review and share information on new and established programs to make the web safer! If you would like to submit your program for review, please email info@gogetsecure.com.