What is a bug bounty?

You’ve probably heard of Bug bounties, but aren’t sure what they are. Here to help clear up the confusion we’ve created this guide detailing everything you need to know about bug bounty programmes.

What is a bug bounty?

A security bug bounty is a type of reward program for software developers. Software companies and individual hackers team up together to find bugs in software applications before releasing them to the public. Each bug bounty is slightly different but all of them have set rules that need to be followed. Amateurs are often encouraged to help, but it’s important to follow these rules and each program’s responsible disclosure policy.

How much does a bug bounty pay?

This varies across companies and products, but in general, the lowest amount you’ll find will be around $100. Only a handful of companies offer something around the $1 million mark, although most big companies will have a program in place with a $100,000 offer.

Microsoft bug bounty

Microsoft’s top offer is $300,000 for vulnerability reports on Microsoft Azure cloud services. The company will also shell out $100,000 if you find vulnerabilities in its Identity services and up to $250,000 for security issues found in Microsoft Hyper V.

Vulnerabilities found in other Microsoft services will typically net you between $15,000-$30,000. Security issues found on Xbox can earn you $20,000, while problems encountered on the Chromium-based version of Microsoft Edge can earn you up to $30,000.

Apple bug bounty

Apple has one of the heftiest bug bounty offers around. The company will give you a cool $1 million if you manage to find a vulnerability that allows someone to hack into a network without any user interaction. In the company’s own words, this has to be a “zero-click kernel code execution with persistence and kernel PAC bypass”.

The smallest payout listed on Apple’s current site is $100,000, which it will shell out if you manage to find vulnerabilities in the iCloud, bypass a lock screen, or find a way to access sensitive data without authorisation via an installed app.

Google bug bounty

Google offers loads of rewards across its vast array of products.

For vulnerabilities found in Google-owned web properties, rewards range from $100-$5000. Payouts for Chrome vulnerabilities are a bit larger, ranging from $500-$30,000, while security issues found on Google Play will be rewarded to the tune of $500-$20,000.

But the real money is found in the bug bounty for Android on Pixel products. This program pays up to $1 million, depending on the exploit discovered. Top dollar is paid out for anyone able to hack into the Pixel Titan M chip.

In addition to the above, there are a couple of grants available via Google. These are for already-established vulnerability researchers and range from $1337 up to $3133. There are also payments available of up to $20,000 for proposed patches on certain open source projects.

Facebook bug bounty

Facebook has no upper limit on what it will pay out on bug bounties, but instead has a vulnerability calculation that takes into account “impact, ease of exploitation and quality of the report.”

In brief, the company gets to decide how much your newly-discovered vulnerability is worth. The minimum amount rewarded is $500, but an individual has previously been awarded $50,000 for their work.

The bug bounty program includes all Facebook products, so you can use the same portal to submit issues relating to Instagram.

HackerOne bug bounty

HackerOne is a mix between platform and collective. It provides a portal for big tech companies and hackers, allowing the former to advertise what monetary rewards it can offer and the latter to submit vulnerability reports.

It has a good directory of current bug bounties, which offer between $100-$2000 for vulnerabilities.

It also hosts something called the Internet Bug Bounty, which will pay out if you manage to find a security flaw in software that supports the internet stack. For example, finding an issue with the popular Python programming language could earn you $500 in pocket money.