Bug bounty program

Last updated

A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation [1] [2] for reporting bugs, especially those pertaining to security exploits and vulnerabilities. [3]


These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse and data breaches. Bug bounty programs have been implemented by a large number of organizations, including Mozilla, [4] [5] Facebook, [6] Yahoo!, [7] Google, [8] Reddit, [9] Square, [10] Microsoft, [11] [12] and the Internet bug bounty. [13]

Companies outside the technology industry, including traditionally conservative organizations like the United States Department of Defense, have started using bug bounty programs. [14] The Pentagon's use of bug bounty programs is part of a posture shift that has seen several US Government Agencies reverse course from threatening white hat hackers with legal recourse to inviting them to participate as part of a comprehensive vulnerability disclosure framework or policy. [15]


Hunter and Ready initiated the first known bug bounty program in 1983 for their Versatile Real-Time Executive operating system. Anyone who found and reported a bug would receive a Volkswagen Beetle (a.k.a. Bug) in return. [16]

A little over a decade later in 1995, Jarrett Ridlinghafer, a technical support engineer at Netscape Communications Corporation coined the phrase 'Bug Bounty'. [17]

Netscape encouraged its employees to push themselves and do whatever it takes to get the job done. Ridlinghafer recognized that Netscape had many product enthusiasts and evangelists, some of which could even be considered fanatical about Netscape's browsers. He started to investigate the phenomenon in more detail and discovered that many of Netscape's enthusiasts were actually software engineers who were fixing the product's bugs on their own and publishing the fixes or workarounds, either in online news forums that had been set up by Netscape's technical support department, or on the unofficial "Netscape U-FAQ" website, which listed all known bugs and features of the browser, as well as instructions regarding workarounds and fixes.

Ridlinghafer thought the company should leverage these resources and proposed the 'Netscape Bugs Bounty Program', which he presented to his manager, who in turn suggested that Ridlinghafer present it at the next company executive team meeting. At that meeting, attended by James Barksdale, Marc Andreessen and the VPs of every department including product engineering, each member was given a copy of the 'Netscape Bugs Bounty Program' proposal and Ridlinghafer was invited to present his idea to the Netscape Executive Team. Everyone at the meeting embraced the idea except the VP of Engineering, who did not want it to go forward believing it to be a waste of time and resources. However, they were overruled and Ridlinghafer was given an initial $50k budget to run with the proposal.

On October 10 1995, Netscape launched the first technology bug bounty program for the Netscape Navigator 2.0 Beta browser. [18] [19]

Vulnerability Disclosure Policy controversy

In August 2013, a Palestinian computer science student reported a vulnerability that allowed anyone to post a video on an arbitrary Facebook account. According to the email communication between the student and Facebook, he attempted to report the vulnerability using Facebook's bug bounty program but the student was misunderstood by Facebook's engineers. Later he exploited the vulnerability using the Facebook profile of Mark Zuckerberg, resulting into Facebook refusing to pay him a bounty. [20]

A Facebook "White Hat" debit card, which was given to researchers who reported security bugs Facebook t-shirt with whitehat debit card for Hackers.jpg
A Facebook "White Hat" debit card, which was given to researchers who reported security bugs

Facebook started paying researchers who find and report security bugs by issuing them custom branded "White Hat" debit cards that can be reloaded with funds each time the researchers discover new flaws. "Researchers who find bugs and security improvements are rare, and we value them and have to find ways to reward them," Ryan McGeehan, former manager of Facebook's security response team, told CNET in an interview. "Having this exclusive black card is another way to recognize them. They can show up at a conference and show this card and say 'I did special work for Facebook.'" [21] In 2014, Facebook stopped issuing debit cards to researchers.

In 2016, Uber experienced a security incident when an individual accessed the personal information of 57 million Uber users worldwide. The individual supposedly demanded a ransom of $100,000 in order to destroy rather than publish the data. In Congressional testimony, Uber CISO indicated that the company verified that the data had been destroyed before paying the $100,000. [22] Mr. Flynn expressed regret that Uber did not disclose the incident in 2016. As part of their response to this incident, Uber worked with partner HackerOne to update their bug bounty program policies to, among other things, more thoroughly explain good faith vulnerability research and disclosure. [23]

Yahoo! was severely criticized for sending out Yahoo! T-shirts as reward to the Security Researchers for finding and reporting security vulnerabilities in Yahoo!, sparking what came to be called T-shirt-gate. [24] High-Tech Bridge, a Geneva, Switzerland-based security testing company issued a press release saying Yahoo! offered $12.50 in credit per vulnerability, which could be used toward Yahoo-branded items such as T-shirts, cups and pens from its store. Ramses Martinez, director of Yahoo's security team claimed later in a blog post [25] that he was behind the voucher reward program, and that he basically had been paying for them out of his own pocket. Eventually, Yahoo! launched its new bug bounty program on October 31 of the same year, that allows security researchers to submit bugs and receive rewards between $250 and $15,000, depending on the severity of the bug discovered. [26]

Similarly, when Ecava released the first known bug bounty program for ICS in 2013, [27] [28] they were criticized for offering store credits instead of cash which does not incentivize security researchers. [29] Ecava explained that the program was intended to be initially restrictive and focused on the human safety perspective for the users of IntegraXor SCADA, their ICS software. [27] [28]

Some bug bounties programs have been criticized as tools to prevent security researcher from publicly disclosing vulnerabilities, by conditioning the participation to bug bounty or even granting safe-harbor, to abusive non-disclosure agreements. [30] [31]


Though submissions for bug bounties come from many countries, a handful of countries tend to submit more bugs and receive more bounties. The United States and India are the top countries from which researchers submit bugs. [32] India, which has either the first or second largest number of bug hunters in the world, depending on which report one cites, [33] topped the Facebook Bug Bounty Program with the largest number of valid bugs. [34] "India came out on top with the number of valid submissions in 2017, with the United States and Trinidad and Tobago in second and third place, respectively", Facebook quoted in a post. [35]

Notable programs

In October 2013, Google announced a major change to its Vulnerability Reward Program. Previously, it had been a bug bounty program covering many Google products. With the shift, however, the program was broadened to include a selection of high-risk free software applications and libraries, primarily those designed for networking or for low-level operating system functionality. Submissions that Google found adherent to the guidelines would be eligible for rewards ranging from $500 to $3,133.70. [36] [37] In 2017, Google expanded their program to cover vulnerabilities found in applications developed by third parties and made available through the Google Play Store. [38] Google's Vulnerability Rewards Program now includes vulnerabilities found in Google, Google Cloud, Android, and Chrome products, and rewards up to $31,337. [39]

Microsoft and Facebook partnered in November 2013 to sponsor The Internet Bug Bounty, a program to offer rewards for reporting hacks and exploits for a broad range of Internet-related software. [40] In 2017, GitHub and The Ford Foundation sponsored the initiative, which is managed by volunteers including from Uber, Microsoft, [41] Adobe, HackerOne, GitHub, NCC Group, and Signal Sciences. [42] The software covered by the IBB includes Adobe Flash, Python, Ruby, PHP, Django, Ruby on Rails, Perl, OpenSSL, Nginx, Apache HTTP Server, and Phabricator. In addition, the program offered rewards for broader exploits affecting widely used operating systems and web browsers, as well as the Internet as a whole. [43]

In March 2016, Peter Cook announced the US federal government's first bug bounty program, the "Hack the Pentagon" program. [44] The program ran from April 18 to May 12 and over 1,400 people submitted 138 unique valid reports through HackerOne. In total, the US Department of Defense paid out $71,200. [45]

In 2019, The European Commission announced the EU-FOSSA 2 bug bounty initiative for popular open source projects, including Drupal, Apache Tomcat, VLC, 7-zip and KeePass. The project was co-facilitated by European bug bounty platform Intigriti and HackerOne and resulted in a total of 195 unique and valid vulnerabilities. [46]

Open Bug Bounty is a crowd security bug bounty program established in 2014 that allows individuals to post website and web application security vulnerabilities in the hope of a reward from affected website operators. [47]

Center for Analysis and Investigation of Cyber Attacks (TSARKA), a cybersecurity company of Kazakhstan, on December 8th, 2021, launched a National vulnerability reward program called BugBounty.kz. Among the private companies, governmental information systems and information resources have joined the program. Since the launch and up until October 28th, 2021, 1039 vulnerability reports were submitted. During the operation of the program several critical vulnerabilities were reported that could have led to the personal data leak from the critical infrastructure and possible manipulation of SCADA systems responsible for the city life support.

See also

Related Research Articles

In the field of computer security, independent researchers often discover flaws in software that can be abused to cause unintended behaviour; these flaws are called vulnerabilities. The process by which the analysis of these vulnerabilities is shared with third parties is the subject of much debate, and is referred to as the researcher's disclosure policy. Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction. The primary purpose of widely disseminating information about vulnerabilities is so that potential victims are as knowledgeable as those who attack them.

Mozilla Firefox has features that allow it to be distinguished from other web browsers, such as Chrome and Internet Explorer.

Packet Storm Security is an information security website offering current and historical computer security tools, exploits, and security advisories. It is operated by a group of security enthusiasts that publish new security information and offer tools for educational and testing purposes.

<span class="mw-page-title-main">Mozilla Application Suite</span> Discontinued Internet suite

The Mozilla Application Suite is a discontinued cross-platform integrated Internet suite. Its development was initiated by Netscape Communications Corporation, before their acquisition by AOL. It was based on the source code of Netscape Communicator. The development was spearheaded by the Mozilla Organization from 1998 to 2003, and by the Mozilla Foundation from 2003 to 2006.

In computer security, coordinated vulnerability disclosure, or "CVD" is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability or issue. This coordination distinguishes the CVD model from the "full disclosure" model.

A zero-day is a computer-software vulnerability previously unknown to those who should be interested in its mitigation, like the vendor of the target software. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, additional computers or a network. An exploit taking advantage of a zero-day is called a zero-day exploit, or zero-day attack.

Pwn2Own is a computer hacking contest held annually at the CanSecWest security conference. First held in April 2007 in Vancouver, the contest is now held twice a year, most recently in March 2023. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited and a cash prize. The Pwn2Own contest serves to demonstrate the vulnerability of devices and software in widespread use while also providing a checkpoint on the progress made in security since the previous year.

Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-site scripting (XSS) with a secondary payload using Adobe Flash. Security exploits can also take advantage of vulnerabilities that are commonly exploited in all browsers.

<span class="mw-page-title-main">ImmuniWeb</span>

ImmuniWeb is a global application security company headquartered in Geneva, Switzerland. ImmuniWeb develops Machine Learning and AI technologies for SaaS-based application security solutions provided via its proprietary ImmuniWeb AI Platform.

HackerOne is a company specializing in cybersecurity, specifically attack resistance management, which blends the security expertise of ethical hackers with asset discovery, continuous assessment, and process enhancement to find and close gaps in the digital attack surface. It was one of the first companies to embrace and utilize crowd-sourced security and cybersecurity researchers as linchpins of its business model; pioneering bug bounty and coordinated vulnerability disclosure. As of December 2022, HackerOne’s network had paid over $230 million in bounties. HackerOne’s customers include The U.S. Department of Defense, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Lufthansa, Microsoft, MINDEF Singapore, Nintendo, PayPal, Slack, Twitter, and Yahoo.

Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities. It was announced on 15 July 2014.

The market for zero-day exploits is commercial activity related to the trafficking of software exploits.

<span class="mw-page-title-main">Katie Moussouris</span> American computer security researcher, entrepreneur, and pioneer in vulnerability disclosure

Katie Moussouris is an American computer security researcher, entrepreneur, and pioneer in vulnerability disclosure, and is best known for her ongoing work advocating responsible security research. Previously a member of @stake, she created the bug bounty program at Microsoft and was directly involved in creating the U.S. Department of Defense's first bug bounty program for hackers. She previously served as Chief Policy Officer at HackerOne, a vulnerability disclosure company based in San Francisco, California, and currently is the founder and CEO of Luta Security.

<span class="mw-page-title-main">Benjamin Kunz Mejri</span>

Benjamin Kunz Mejri is a German IT security specialist and penetration tester. His areas of research include vulnerabilities in computer systems, bug bounties, the security of e-payment payment services and privacy protection. Mejri is known for uncovering new zero-day vulnerabilities and making them transparent to the public.

Alisa Shevchenko, professionally known as Alisa Esage, is a Russian-born computer security researcher, entrepreneur and hacker with Ukrainian roots. She is known for working independently with dominant software corporations such as Google and Microsoft to find and exploit security weaknesses in their products; being the first female participant in Pwn2Own, the world's premiere professional hacking competition with significant cash prizes; and being accused by the government of the United States of hacking the presidential elections in 2016.

<span class="mw-page-title-main">Synack</span>

Synack is an American technology company based in Redwood City, California. The company uses a crowdsourced network of white-hat hackers to find exploitable vulnerabilities and a SaaS platform enabled by AI and machine learning to identify exploitable vulnerabilities. Customers include government agencies and businesses in retail, healthcare and the manufacturing industry.

<span class="mw-page-title-main">Rafay Baloch</span> Pakistani ethical hacker

Rafay Baloch , is a Pakistani ethical hacker and security researcher known for his discovery of vulnerabilities on the Android operating system. He has been featured and known by both national and international media and publications like Forbes, BBC, The Wall Street Journal, and The Express Tribune. He has been listed among the "Top 5 Ethical Hackers of 2014" by CheckMarx. Subsequently he was listed as one of "The 15 Most Successful Ethical Hackers WorldWide" and among "Top 25 Threat Seekers" by SCmagazine. Baloch has also been added in TechJuice 25 under 25 list for the year 2016 and got 13th rank in the list of high achievers. Reflectiz, a cyber security company, released the list of "Top-21 Cybersecurity Experts You Must Follow on Twitter in 2021" recognizing Rafay Baloch as the top influencer. On 23 March 2022, ISPR recognized Rafay Baloch's contribution in the field of Cyber Security with Pride for Pakistan award.

Bugcrowd is a crowdsourced security platform. It was founded in 2011 and in 2019 it was one of the largest bug bounty and vulnerability disclosure companies on the internet. In March 2018 it secured $26 million in a Series C funding round led by Triangle Peak Partners. Bugcrowd announced Series D funding in April 2020 of $30 million led by previous investor Rally Ventures.

Zero Day Initiative (ZDI) is an international software vulnerability initiative that was started in 2005 by TippingPoint, a division of 3Com. The program was acquired by Trend Micro as a part of the HP TippingPoint acquisition in 2015.


  1. "The Hacker-Powered Security Report - Who are Hackers and Why Do They Hack p. 23" (PDF). HackerOne. 2017. Retrieved June 5, 2018.
  2. Ding, Aaron Yi; De Jesus, Gianluca Limon; Janssen, Marijn (2019). "Ethical hacking for boosting IoT vulnerability management: a first look into bug bounty programs and responsible disclosure". Proceedings of the Eighth International Conference on Telecommunications and Remote Sensing - ICTRS '19. Ictrs '19. Rhodes, Greece: ACM Press: 49–55. arXiv: 1909.11166 . doi:10.1145/3357767.3357774. ISBN   978-1-4503-7669-3. S2CID   202676146.
  3. Weulen Kranenbarg, Marleen; Holt, Thomas J.; van der Ham, Jeroen (November 19, 2018). "Don't shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure". Crime Science. 7 (1): 16. doi: 10.1186/s40163-018-0090-8 . ISSN   2193-7680. S2CID   54080134.
  4. "Mozilla Security Bug Bounty Program". Mozilla. Retrieved July 9, 2017.
  5. Kovacs, Eduard (May 12, 2017). "Mozilla Revamps Bug Bounty Program". SecurityWeek. Retrieved August 3, 2017.
  6. Facebook Security (April 26, 2014). "Facebook WhiteHat". Facebook. Retrieved March 11, 2014.{{cite web}}: |author= has generic name (help)
  7. "Yahoo! Bug Bounty Program". HackerOne . Retrieved March 11, 2014.
  8. "Vulnerability Assessment Reward Program" . Retrieved March 11, 2014.
  9. "Reddit - whitehat". Reddit . Retrieved May 30, 2015.
  10. "Square bug bounty program". HackerOne. Retrieved August 6, 2014.
  11. "Microsoft Bounty Programs". Microsoft Bounty Programs. Security TechCenter. Archived from the original on November 21, 2013. Retrieved September 2, 2016.
  12. Zimmerman, Steven (July 26, 2017). "Microsoft Announces Windows Bug Bounty Program and Extension of Hyper-V Bounty Program". XDA Developers . Retrieved August 3, 2017.
  13. HackerOne. "Bug Bounties - Open Source Bug Bounty Programs" . Retrieved March 23, 2020.
  14. "The Pentagon Opened up to Hackers - And Fixed Thousands of Bugs". Wired. November 10, 2017. Retrieved May 25, 2018.
  15. "A Framework for a Vulnerability Disclosure Program for Online Systems". Cybersecurity Unit, Computer Crime & Intellectual Property Section Criminal Division U.S. Department of Justice. July 2017. Retrieved May 25, 2018.
  16. "The first "bug" bounty program". Twitter. July 8, 2017. Retrieved June 5, 2018.
  17. Friis-Jensen, Esben (March 3, 2021). "The History of Bug Bounty Programs". Medium. Retrieved August 6, 2021.
  18. "Netscape announces Netscape Bugs Bounty with release of netscape navigator 2.0". Internet Archive. Archived from the original on May 1, 1997. Retrieved January 21, 2015.
  19. "Cobalt Application Security Platform". Cobalt. Retrieved July 30, 2016.
  20. "Zuckerberg's Facebook page hacked to prove security flaw". CNN. August 20, 2013. Retrieved November 17, 2019.
  21. Mills, Elinor. "Facebook whitehat Debit card". CNET.
  22. "Testimony of John Flynn, Chief Information Security Officer, Uber Technologies, Inc" (PDF). United States Senate. February 6, 2018. Retrieved June 4, 2018.
  23. "Uber Tightens Bug Bounty Extortion Policy". Threat Post. April 27, 2018. Retrieved June 4, 2018.
  24. Osborne, Charlie. "Yahoo changes bug bounty policy following 't-shirt gate'". ZDNet.
  25. Martinez, Ramses. "So I'm the guy who sent the t-shirt out as a thank you". Yahoo Developer Network. Retrieved October 2, 2013.
  26. Martinez, Ramses. "The Bug Bounty Program is Now Live". Yahoo Developer Network. Retrieved October 31, 2013.
  27. 1 2 Toecker, Michael (July 23, 2013). "More on IntegraXor's Bug Bounty Program". Digital Bond. Retrieved May 21, 2019.
  28. 1 2 Ragan, Steve (July 18, 2013). "SCADA vendor faces public backlash over bug bounty program". CSO. Retrieved May 21, 2019.
  29. Rashi, Fahmida Y. (July 16, 2013). "SCADA Vendor Bashed Over 'Pathetic' Bug Bounty Program". Security Week. Retrieved May 21, 2019.
  30. "How Zoom handled vulnerability shows the dark side of bug bounty's". ProPrivacy.com. Retrieved May 17, 2023.
  31. Porup, J. M. (April 2, 2020). "Bug bounty platforms buy researcher silence, violate labor laws, critics say". CSO Online. Retrieved May 17, 2023.
  32. "The 2019 Hacker Report" (PDF). HackerOne. Retrieved March 23, 2020.
  33. "Bug hunters aplenty but respect scarce for white hat hackers in India". Factor Daily. February 8, 2018. Retrieved June 4, 2018.
  34. "Facebook Bug Bounty 2017 Highlights: $880,000 Paid to Researchers". Facebook. January 11, 2018. Retrieved June 4, 2018.
  35. "Facebook Bug Bounty 2017 Highlights: $880,000 Paid to Researchers". Facebook. January 11, 2018. Retrieved June 4, 2018.
  36. Goodin, Dan (October 9, 2013). "Google offers "leet" cash prizes for updates to Linux and other OS software". Ars Technica. Retrieved March 11, 2014.
  37. Zalewski, Michal (October 9, 2013). "Going beyond vulnerability rewards". Google Online Security Blog. Retrieved March 11, 2014.
  38. "Google launched a new bug bounty program to root out vulnerabilities in third-party apps on Google Play". The Verge. October 22, 2017. Retrieved June 4, 2018.
  39. "Vulnerability Assessment Reward Program" . Retrieved March 23, 2020.
  40. Goodin, Dan (November 6, 2013). "Now there's a bug bounty program for the whole Internet". Ars Technica. Retrieved March 11, 2014.
  41. Abdulridha, Alaa (March 18, 2021). "How I hacked Facebook: Part Two". infosecwriteups . Retrieved March 18, 2021.
  42. "Facebook, GitHub, and the Ford Foundation donate $300,000 to bug bounty program for internet infrastructure". VentureBeat. July 21, 2017. Retrieved June 4, 2018.
  43. "The Internet Bug Bounty". HackerOne. Retrieved March 11, 2014.
  44. "DoD Invites Vetted Specialists to 'Hack' the Pentagon". U.S. DEPARTMENT OF DEFENSE. Retrieved June 21, 2016.
  45. "Vulnerability disclosure for Hack the Pentagon". HackerOne. Retrieved June 21, 2016.
  46. "EU-FOSSA 2 - Bug Bounties Summary" (PDF).{{cite web}}: CS1 maint: url-status (link)
  47. Dutta, Payel (February 19, 2018). "Open Bug Bounty: 100,000 fixed vulnerabilities and ISO 29147". TechWorm. Retrieved April 10, 2023.