
What is a bug bounty? From $100 to $1 million and beyond, these tech firms pay big for security tips

After online rumours started swirling about hacks related to Houseparty, the video-based social network offered $1 million to someone who could prove that the rumours were actually “spread by a paid commercial smear campaign to harm Houseparty”.

Even though this story has been dominating tech headlines, offering a huge bounty isn’t that unusual a move for a big tech company. However, bounties are more commonly offered to people who can prove that a company’s products have a significant security flaw.

There are various reasons for them to do this – but if you’re curious, here’s everything you need to know about bug bounty practices.

What is a bug bounty?

In brief, a bug bounty is a way for tech companies to reward individuals who point out flaws in their products. Usually, the bounties relate to security issues, and companies often set up special portals where you can submit bug reports.

It’s a way of rewarding a researcher for finding a problem that’s been overlooked by an in-house team. But if no-one’s able to hack into your product, it’s also a sly way for companies to boast about the security of their products.

There are various restrictions in place about what they’ll pay out for, depending on the company. We’ve outlined the basics from individual companies below, but broadly speaking the bug needs to relate to a current product, not have been previously discovered, and (crucially) only be disclosed to the company directly.

How much does a bug bounty pay?

This varies across companies and products, but in general, the lowest amount you’ll find will be around $100.

Only a handful of companies offer something around the $1 million mark, although most big companies will have a program in place with a $100,000 offer.

Microsoft bug bounty

Microsoft’s top offer is $300,000 for vulnerability reports on Microsoft Azure cloud services. The company will also shell out $100,000 if you find vulnerabilities in its Identity services and up to $250,000 for security issues found in Microsoft Hyper-V.

Vulnerabilities found in other Microsoft services will typically net you between $15,000 and $30,000. Security issues found on Xbox can earn you $20,000, while problems encountered on the Chromium-based version of Microsoft Edge can earn you up to $30,000.

To see the full list of bug bounty offers, head here.

Apple bug bounty

Apple has one of the heftiest bug bounty offers around. The company will give you a cool $1 million if you manage to find a vulnerability that allows someone to hack into a network without any user interaction. In the company’s own words, this has to be a “zero-click kernel code execution with persistence and kernel PAC bypass”.

The smallest payout listed on Apple’s current site is $100,000, which it will shell out if you manage to find vulnerabilities in iCloud, bypass a lock screen, or find a way to access sensitive data without authorisation via an installed app.

Google bug bounty

Google offers loads of rewards across its vast array of products.

For vulnerabilities found in Google-owned web properties, rewards range from $100-$5,000. Payouts for Chrome vulnerabilities are a bit larger, ranging from $500-$30,000, while security issues found on Google Play will be rewarded to the tune of $500-$20,000.

But the real money is found in the bug bounty for Android on Pixel products. This program pays up to $1 million, depending on the exploit discovered. Top dollar is paid out for anyone able to hack into the Pixel Titan M chip.

In addition to the above, there are a couple of grants available via Google. These are for already-established vulnerability researchers and range from $1337 up to $3133. There are also payments available of up to $20,000 for proposed patches on certain open source projects.

You can read more about the various programs here.

Facebook bug bounty

Facebook has no upper limit on what it will pay out on bug bounties, but instead has a vulnerability calculation that takes into account “impact, ease of exploitation and quality of the report.”

In brief, the company gets to decide how much your newly-discovered vulnerability is worth. The minimum amount rewarded is $500, but an individual has previously been awarded $50,000 for their work.

The bug bounty program includes all Facebook products, so you can use the same portal to submit issues relating to Instagram.

HackerOne bug bounty

HackerOne is a mix between platform and collective. It provides a portal for big tech companies and hackers, allowing the former to advertise what monetary rewards they can offer and the latter to submit vulnerability reports.

It has a good directory of current bug bounties, which offer between $100-$2,000 for vulnerabilities.

It also hosts something called the Internet Bug Bounty, which will pay out if you manage to find a security flaw in software that supports the internet stack. For example, finding an issue with the popular Python programming language could earn you $500 in pocket money.
