bug bounty program

What is a bug bounty program?

A bug bounty program, also called a vulnerability rewards program (VRP), is a crowdsourcing initiative that rewards individuals like ethical hackers and security researchers for discovering and reporting vulnerabilities and bugs in software.

What is a bug bounty?

Simply put, a bug bounty is a reward for discovering software bugs. These bugs are usually security vulnerabilities that an attacker could exploit. The person who finds the bug documents it in a bug report and submits it to the organization running the program.

To be useful, a bug report must contain enough information for the organization to reproduce and validate the vulnerability. Once the bug is confirmed as valid, the organization pays the person who discovered it.

Typically, the payout depends on the organization's size and budget, the severity and potential user impact of the bug, and how difficult it was to find and exploit.

How does a bug bounty program work?

Many software vendors and websites run bug bounty programs that pay cash rewards to security researchers and ethical hackers for reporting vulnerabilities that threat actors could exploit. Such programs let the organization draw on the skills of the ethical hacker community to strengthen its software testing and reduce its cybersecurity risk.

These companies usually define the testing scope (which assets may be tested and which vulnerability classes count) and often publish rules of engagement for the test. The scope and rules tell hackers what the company expects and what is off limits; they also spare the company from paying out for invalid or out-of-scope bugs.

On discovering a bug, the hacker fills out a disclosure report that includes the bug's details, its impact on the application and a severity rating; the severity levels are often predefined by the company offering the bounty. The bounty hunter also describes the key steps taken to find the bug and includes any other details that help the development team reproduce and validate it. After the company reviews and validates the bug, it pays the hacker the bounty.

Hackers are not paid for vulnerabilities already known to the company's security or development teams. Likewise, if two hackers report the same bug, only the first valid report is paid; the later one is closed as a duplicate. Payouts also scale with severity, so a hacker who reports a high-impact vulnerability is paid more than one who reports a low-impact bug.
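The triage steps just described (scope check, excluded bug classes, reproducibility, duplicate detection, severity-based payout) can be made concrete in a few dozen lines. The following Python is an added example written for this article; it is not any real company's program tooling, and the fictional "example.com" program rules, payout tiers, asset names and submissions are all constructed for illustration.

```python
"""Added example (not from the article, and not any real program's tooling):
a minimal bug-bounty triage pipeline covering the steps described above.
Scope rules, asset names, tiers and submissions are all constructed."""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field

# Hypothetical program definition for a fictional "example.com" company.
PROGRAM = {
    "in_scope": ["*.example.com", "com.example.mobile"],
    "out_of_scope": ["blog.example.com", "status.example.com"],
    "excluded_classes": {"clickjacking", "missing-security-header", "self-xss"},
    # Payout tiers: (CVSS v3 base-score floor, severity, reward in USD).
    "tiers": [(9.0, "critical", 10000), (7.0, "high", 3000),
              (4.0, "medium", 750), (0.1, "low", 150)],
}


@dataclass
class Report:
    researcher: str
    asset: str                 # host or app identifier the bug lives in
    vuln_class: str            # e.g. "sqli", "stored-xss", "idor"
    location: str              # endpoint, parameter or screen
    cvss: float                # score assigned at triage, not the reporter's claim
    repro_steps: list[str] = field(default_factory=list)


def in_scope(asset: str, program: dict) -> bool:
    """Explicit out-of-scope entries beat wildcard in-scope entries."""
    a = asset.lower()
    if any(fnmatch.fnmatchcase(a, p.lower()) for p in program["out_of_scope"]):
        return False
    return any(fnmatch.fnmatchcase(a, p.lower()) for p in program["in_scope"])


def fingerprint(r: Report) -> str:
    """Dedup key: the same bug class at the same place is the same bug,
    regardless of who reported it or how they phrased it."""
    return f"{r.vuln_class}|{r.asset}|{r.location}".lower()


def tier_for(cvss: float, program: dict) -> tuple[str, int]:
    """Map a CVSS score to (severity, payout); below the lowest floor pays nothing."""
    for floor, name, payout in program["tiers"]:
        if cvss >= floor:
            return name, payout
    return "informational", 0


def triage(r: Report, program: dict, known: set[str]) -> dict:
    """Decide one submission. `known` holds fingerprints of bugs the company
    already knows about (internal findings or earlier reports) and is updated
    when a new valid bug is accepted."""
    if not in_scope(r.asset, program):
        return {"status": "out_of_scope", "payout": 0}
    if r.vuln_class in program["excluded_classes"]:
        return {"status": "excluded_class", "payout": 0}
    if not r.repro_steps:
        # Cannot be reproduced or validated, so it is neither paid nor recorded.
        return {"status": "needs_more_info", "payout": 0}
    fp = fingerprint(r)
    if fp in known:
        return {"status": "duplicate", "payout": 0}
    known.add(fp)
    severity, payout = tier_for(r.cvss, program)
    return {"status": "triaged", "severity": severity, "payout": payout}


def run_queue(reports: list[Report], program: dict = PROGRAM,
              known: set[str] | None = None) -> list[dict]:
    """Triage submissions in arrival order so the first reporter of a bug wins."""
    seen = set(known or ())
    return [triage(r, program, seen) for r in reports]


# Constructed submissions, in arrival order.
SAMPLE_QUEUE = [
    Report("alice", "api.example.com", "sqli", "/v1/users?id", 9.1, ["send id=1' OR 1=1--"]),
    Report("bob", "API.example.com", "SQLi", "/v1/users?id", 9.1, ["same payload"]),
    Report("carol", "blog.example.com", "stored-xss", "/comments", 6.1, ["post <script>"]),
    Report("dave", "www.example.com", "clickjacking", "/login", 4.3, ["frame the page"]),
    Report("erin", "www.example.com", "idor", "/account/export", 6.5, []),
    Report("frank", "com.example.mobile", "insecure-storage", "TokenCache", 5.3, ["pull db"]),
]

if __name__ == "__main__":
    for r, decision in zip(SAMPLE_QUEUE, run_queue(SAMPLE_QUEUE)):
        print(f"{r.researcher:6} {decision}")
```

Two design points worth noting: explicit out-of-scope entries are checked before wildcard in-scope patterns, so a blanket `*.example.com` cannot silently pull an excluded host back in, and the duplicate key normalises case so that the second reporter of the same SQL injection is closed as a duplicate rather than paid twice. Real programs also re-rate the reporter's claimed CVSS at triage, which is why the score field here is the triager's, not the submitter's.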

Figure: code testing for bugs diagram. Caption: Most production code does not undergo software testing.

Types of bug bounty programs

A bug bounty program can be public or private. A public program is one that is open to the entire ethical hacker community. These programs are published on websites like HackerOne, GitHub or BugBountyHunter.

A private bug bounty program is not available to the public. Rather, hackers receive specific invitations from the company that has instituted the program. Not all private programs offer payouts. Hackers who are interested purely in paying programs can search for them on various bug bounty platforms.

A program that invites people to report bugs but offers no monetary compensation is known as a vulnerability disclosure program (VDP). The distinguishing feature of a bug bounty program is that it pays cash or offers some other material reward to the bounty hunter.

Bug bounty programs for vulnerability management

Bug bounty programs are often part of an organization's vulnerability management strategy, as they supplement internal code audits and penetration tests. Together, these strategies enable the company and its development teams to do the following:

  • Test application security throughout the software development lifecycle.
  • Discover bugs and vulnerabilities that may affect the end product's quality, stability, usability or user experience.
  • Implement appropriate fixes to minimize such issues.

The hackers who participate in bug bounty programs are usually not employees of the organization, but they augment internal security teams with their skills and efforts. In doing so, they help to scale up the software testing program and vulnerability management strategy and generate useful results to improve software security and quality.

Examples of past bug bounty programs

There are many established cases of software bug bounty programs that have yielded healthy payouts for bounty hunters. The first such program was instituted by Netscape in 1995 for the Netscape Navigator 2.0 beta browser. Since then, many other companies have followed suit.

For example, Mozilla has a Mozilla Security Bug Bounty Program that offers bounties of $3,000 to $20,000 per vulnerability, depending on its potential for exploitation, impact, security rating and bug report quality.

Meta, formerly Facebook, offers a minimum bounty of $500 per security vulnerability discovered on Meta or its associated companies, e.g., Instagram or WhatsApp. Rewards can go up to $300,000 for reporting a mobile remote code execution (RCE) exploit. Between 2011 when the program was first instituted for Facebook's webpage and April 2024, Meta has paid out over $15 million in bug bounties.

Google also has a bug bounty program, its Vulnerability Reward Program (VRP), that has been running continuously since 2010. The program covers numerous Google products, including Google.com, YouTube, the Chrome browser and Google Cloud Platform. Standard rewards range from $100 for the lowest-severity tier to $31,337 for remote code execution (RCE).

Microsoft's bug bounty program launched in 2013. Over the next 10 years, the company paid over $60 million to thousands of security researchers from 70 countries. As of 2024, Microsoft runs different programs for different products with different payouts. For example, the program for Microsoft Azure offers bounties of up to $60,000, while the maximum bounty for discovering a bug in Microsoft .NET is $20,000.

Of course, companies sometimes pay more than their published maximums. For example, in 2013, U.K. researcher James Forshaw earned a $100,000 bounty for a novel mitigation bypass technique against Windows 8.1, the first award of that size from Microsoft.

Apple is another tech giant with a bug bounty program. Like many of the other companies, Apple's program is also tiered by vulnerability type. Thus, a lock screen bypass bug can earn the hunter a reward of $5,000 to $100,000, while a zero-click kernel code execution vulnerability can net them as much as $1 million.

The limitations of bug bounty programs

The use of ethical hackers can be an effective way for software organizations to find bugs. However, bug bounty programs can also be controversial. One reason is growing competition among ethical hackers: as more of them join bug bounty platforms, each one's chance of finding a valid, not-yet-reported bug falls, lowering potential income and breeding disillusionment with the program.

Another issue is that some programs attract a flood of submissions, many of them poor-quality reports or invalid bugs. Because the company must triage every submission, staff time is diverted from other work that would improve product quality.

A third problem is that hackers may publicly disclose bugs before they are fixed, which can expose users to exploitation and harm the company's reputation, sales and customer relationships. Public disclosures may also give malicious parties material with which to defame the company.

To limit these potential risks, some organizations offer closed or invitation-only private bug bounty programs.

Those who discover, exploit and report software vulnerabilities find the process can be not just educational, but lucrative as well.

This was last updated in May 2024