A bug bounty program, also called a vulnerability rewards program (VRP), is a crowdsourcing initiative that rewards individuals for discovering and reporting software bugs. Bug bounty programs are often initiated to supplement internal code audits and penetration tests as part of an organization's vulnerability management strategy.
In practice it is a standing offer by a website, organization or software vendor under which individuals receive recognition and compensation for reporting bugs, especially those that amount to security vulnerabilities or working exploits.
Many software vendors and websites run bug bounty programs, paying cash rewards to security researchers and white hat hackers who report software vulnerabilities that could be exploited. A bug report must document enough information for the organization offering the bounty to reproduce the vulnerability: typically the affected component or URL, the exact request or input used, and the steps that trigger the issue. Payment amounts are usually commensurate with the size of the organization, the difficulty of compromising the system and how much impact the bug could have on users.
Reward ranges differ widely from company to company. At the time of writing, Apple's maximum was $200,000; Facebook paid a minimum of $500 for a disclosed vulnerability with no fixed upper limit; Google paid from $300 up to a top bounty of $31,337 for its core applications; Mozilla paid from $500 upward; Microsoft paid from $15,000 for critical bugs up to $250,000; and Twitter paid from $140 up to $15,000. The figures in the program list below are those the companies published at the time and should be checked against each program's current policy page before relying on them.
While the use of ethical hackers to find bugs can be very effective, such programs can also be controversial. To limit potential risk, some organizations offer closed bug bounty programs that require an invitation. Apple, for example, initially limited participation to a few dozen researchers.
1. Intel
Intel’s bounty program mainly targets the company’s hardware, firmware, and software.
Limitations: It does not include recent acquisitions, the company’s web infrastructure, third-party products, or anything relating to McAfee.
Minimum Payout: Intel offers a minimum of $500 for a bug in its products.
Maximum Payout: Intel pays up to $30,000 for critical bugs.
Bounty Link: https://security-center.intel.com/BugBountyProgram.aspx
2. Snapchat
Snapchat's security team reviews every vulnerability report and handles it under responsible disclosure; the company states that it will acknowledge a submission within 30 days.
Minimum Payout: Snapchat pays a minimum of $2,000.
Maximum Payout: The maximum Snapchat pays is $15,000.
Bounty Link:https://support.snapchat.com/en-US/i-need-help
3. Dropbox
Dropbox's bounty program lets security researchers report bugs and vulnerabilities through the third-party platform HackerOne.
Minimum Payout: The minimum amount paid is $12,167.
Maximum Payout: The maximum amount offered is $32,768.
Bounty Link: https://help.dropbox.com/accounts-billing/security/how-security-works
4. Apple
When Apple first launched its bug bounty program it admitted just 24 security researchers. The program has since expanded to include more bug bounty hunters.
The company will pay $100,000 to anyone who can extract data protected by Apple's Secure Enclave technology.
Minimum Payout: Apple does not publish a fixed minimum.
Maximum Payout: The highest bounty Apple offers is $200,000, for security issues affecting its firmware.
Bounty Link: https://support.apple.com/en-in/HT201220
5. Facebook
Under Facebook's bug bounty program, researchers can report security issues in Facebook, Instagram, Atlas, WhatsApp and other Facebook products.
Limitations: There are a few security issues that the social networking platform considers out-of-bounds.
Minimum Payout: Facebook will pay a minimum of $500 for a disclosed vulnerability.
Maximum Payout: There is no upper limit fixed by Facebook for the Payout.
Bounty Link: https://www.facebook.com/whitehat/
6. Google
Content on the google.com, blogger.com and youtube.com domains is in scope for Google's vulnerability reward program.
Limitations: The program covers only design and implementation issues.
Minimum Payout: Google pays a minimum of $300 for a qualifying security vulnerability.
Maximum Payout: Google's top bounty is $31,337 for its core applications.
Bounty Link: https://www.google.com/about/appsecurity/reward-program/
7. Mozilla
Mozilla rewards for vulnerability discoveries by ethical hackers and security researchers.
Limitations: Bounties are offered only for bugs in Mozilla products and services, such as Firefox, Thunderbird and related applications and services.
Minimum Payout: The minimum Mozilla pays is $500.
Maximum Payout: The company pays a maximum of $5,000.
Bounty Link: https://www.mozilla.org/en-US/security/bug-bounty/
8. Microsoft
Microsoft's Online Services bug bounty program was officially launched on 23 September 2014 and covers only its online services.
Limitations: Rewards are paid only for vulnerabilities rated critical or important.
Minimum Payout: Microsoft pays $15,000 for critical bugs.
Maximum Payout: The maximum payout is $250,000.
Bounty Link: https://technet.microsoft.com/en-us/library/dn425036.aspx
9. Twitter
Twitter invites security researchers and experts to report possible security vulnerabilities in its services and encourages people to look for bugs.
Minimum Payout: Twitter pays a minimum of $140.
Maximum Payout: The maximum the company pays is $15,000.
Bounty Link: https://support.twitter.com/articles/477159
10. Avast
Avast's bounty program rewards ethical hackers and security researchers for reporting remote code execution, local privilege escalation, denial of service (DoS), scanner bypass and other issues.
Minimum Payout: The minimum Avast pays is $400.
Maximum Payout: The maximum the company offers is $10,000.
Bounty Link: https://www.avast.com/bug-bounty
11. Paypal
Payment service PayPal also runs a bug bounty program for security researchers.
Limitations: The following are out of scope: vulnerabilities that depend on social engineering techniques, Host header issues, denial of service (DoS), user-defined payloads, content spoofing without embedded links/HTML, and vulnerabilities that require a jailbroken mobile device, among others.
Minimum Payout: PayPal pays a minimum of $50 for a security vulnerability in its systems.
Maximum Payout: The maximum PayPal pays is $10,000.
Bounty Link: https://hackerone.com/paypal
12. Starbucks
Starbucks runs a bug bounty program to protect its customers, inviting researchers to find vulnerabilities in its networks and in its web and mobile applications.
Minimum Payout: The minimum Starbucks pays is $100.
Maximum Payout: The maximum goes up to $4,000.
Bounty Link: https://www.starbucks.com/whitehat
13. HackerOne
HackerOne is one of the largest vulnerability coordination and bug bounty platforms. It helps companies protect their customers' data by working with the global research community to find the most relevant security issues. Many well-known organizations, including Yahoo, Shopify, PHP, Google, Snapchat and Wink, use the platform to reward security researchers and ethical hackers.
Bounty Link: https://hackerone.com/bug-bounty-programs
14. Bugcrowd
Bugcrowd is a platform connecting the global security researcher community to the security market. It aims to match each client with the right mix and type of researchers for that client's specific targets. Researchers pick a program on the site, and when they find valid bugs the company behind that program pays them.
Bounty Link: https://www.bugcrowd.com/bug-bounty-list/
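Nearly every entry above carries a scope statement: Google lists the domains it covers, while Intel, Facebook and PayPal list what is excluded. Before sending a single request it is worth encoding that scope and checking every candidate host against it, because a report on an excluded asset earns nothing and may breach the program's terms. The Python below is an added example written for this page, not code from any of the programs or platforms listed; its scope rules and hostnames are constructed for illustration. Exclusions take precedence over inclusions, and a wildcard such as *.example.com deliberately matches neither the bare apex domain nor a lookalike such as evil-example.com.

```python
"""Added example: decide whether a host lies inside a bug bounty program's
published scope before testing it.

The scope rules and hostnames below are constructed for illustration and
are not taken from any real program's policy."""
import fnmatch
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class ProgramScope:
    """In-scope and out-of-scope host patterns, as a program page would list them.

    Patterns use shell-style wildcards: '*.example.com' matches
    'mail.example.com' but, deliberately, not the bare apex 'example.com';
    list the apex separately if the program includes it."""
    in_scope: list = field(default_factory=list)
    out_of_scope: list = field(default_factory=list)

    @staticmethod
    def host_of(target: str) -> str:
        # Accept either a bare host or a full URL; normalise case, drop any port.
        if "://" not in target:
            target = "https://" + target
        host = urlsplit(target).hostname or ""
        return host.lower().rstrip(".")

    def is_in_scope(self, target: str) -> bool:
        """Exclusions win over inclusions: a host matching any out-of-scope
        pattern is never testable, even if an in-scope wildcard also matches."""
        host = self.host_of(target)
        if not host:
            return False
        if any(fnmatch.fnmatchcase(host, p.lower()) for p in self.out_of_scope):
            return False
        return any(fnmatch.fnmatchcase(host, p.lower()) for p in self.in_scope)


# Constructed rules modelled on the kinds of entries the list above shows:
# wildcard domains in scope, a legacy host and a third-party vendor excluded.
EXAMPLE_SCOPE = ProgramScope(
    in_scope=["*.example.com", "example.com", "*.example-app.net"],
    out_of_scope=["legacy.example.com", "*.partner-vendor.example.com"],
)


def triage(targets, scope=EXAMPLE_SCOPE):
    """Split a batch of candidate targets into (testable, excluded) lists."""
    testable, excluded = [], []
    for t in targets:
        (testable if scope.is_in_scope(t) else excluded).append(t)
    return testable, excluded


if __name__ == "__main__":
    ok, no = triage([
        "https://api.example.com/v1/login",
        "example.com",
        "legacy.example.com",
        "sso.partner-vendor.example.com",
        "evil-example.com",          # lookalike, not a subdomain
        "cdn.example-app.net:8443",
    ])
    print("testable:", ok)
    print("excluded:", no)
```

Run it as a filter over a subdomain enumeration list before any scanner touches the targets; the hypothetical EXAMPLE_SCOPE is the only thing to swap for a real program's published rules.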
How to become a bug bounty hunter?
Bug bounty programs are a great way for companies to add a layer of protection to their online assets. A bug bounty program is a crowdsourced penetration testing program that rewards researchers for finding security bugs and ways to exploit them. For researchers and cybersecurity professionals it is a great way to test their skills against a variety of targets and to get paid well when they find security vulnerabilities. The number of companies with a formal crowdsourced program is growing, and so is the number of people who want to become freelance penetration testers. Aspiring bug bounty hunters come from very different knowledge, experience and skill levels.
1. Learn Computer Networking:
A decent knowledge of computer networks is essential for getting started with bug bounty hunting. You do not need to be an expert in networking, but you should be proficient at least in the fundamentals: internetworking, IP addresses, MAC addresses, and the OSI and TCP/IP stacks. You can learn these from quality online resources such as GeeksforGeeks Computer Networks.
2. Get Familiar With Web Technologies: This includes a basic understanding of web programming and web protocols. The core web languages are JavaScript, HTML and CSS; beginner-to-intermediate proficiency with them is more than enough at the start. The protocols you should learn are HTTP, FTP, TLS and so on. These can be learned from the corresponding RFCs or from the numerous offline and online resources available.
3. Learning Web Application Security Measures and Hacking Techniques: This will include learning about common security mechanisms, security practices, their bypasses, common vulnerabilities in web applications, ways to find these vulnerabilities, and ways to patch and prevent the applications from these vulnerabilities. Useful resources are:
Recommended Books:
Web Application Hacker’s Handbook
Mastering Modern Web Application Penetration Testing
Web Hacking 101
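Step 3 asks for an understanding of common web vulnerabilities, how to find them and how to fix them. The Python below, an added example written for this page rather than code from any of the books listed, shows all three for the most basic case, SQL injection: a lookup that splices user input into the query text, the two probes a hunter would use to confirm the flaw (a differential tautology test and a single-quote error test), and the parameterised version that defeats both. The in-memory SQLite database and its users are constructed for the demo.

```python
"""Added example: a textbook SQL injection in a user lookup, the probes a
bug hunter uses to confirm it, and the parameterised fix.

The schema and rows are constructed for this demo, not from any real app."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with three users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    db.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return db


def find_user_vulnerable(db, username: str):
    """Deliberately vulnerable: user input is spliced into the SQL text,
    so a quote in the input ends the string literal and becomes SQL syntax."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return db.execute(sql).fetchall()


def find_user_fixed(db, username: str):
    """Hardened: the value travels as a bound parameter and is never parsed
    as SQL, whatever characters it contains."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


def probe_tautology(lookup, db) -> bool:
    """Differential test: a value that should match nothing, then the same
    value with a tautology appended. If the second call suddenly returns
    rows, the handler is evaluating the input as SQL. True means injectable."""
    baseline = lookup(db, "nobody")
    tautology = lookup(db, "nobody' OR '1'='1")
    return len(baseline) == 0 and len(tautology) > 0


def probe_error_based(lookup, db) -> bool:
    """Error test: a lone quote can only break the statement if the input
    reaches the SQL parser. True means injectable."""
    try:
        lookup(db, "'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for name, handler in [("vulnerable", find_user_vulnerable), ("fixed", find_user_fixed)]:
        print(f"{name}: tautology={probe_tautology(handler, db)} "
              f"error={probe_error_based(handler, db)}")
    # The payload dumps every row from the vulnerable handler and nothing from the fixed one.
    print(find_user_vulnerable(db, "nobody' OR '1'='1"))
    print(find_user_fixed(db, "nobody' OR '1'='1"))
```

The two probes are the same pair of checks applied against a real endpoint, where the "lookup" is an HTTP request and the signals are a change in the response body or a database error message; practising them on DVWA or bWAPP first, as step 4 suggests, makes the real thing routine.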
4. Practicing and Polishing Your Skills: Practicing helps in developing a framework for approaching a target. The more you practice on diverse targets of different difficulty levels the easier it will be for you to approach a web application in a way that increases your chances of finding a critical vulnerability (or even finding a vulnerability if the application is well secured and has been already tested by many hunters). Try making great use of these resources:
Vulnerable Web Applications: These are intentionally vulnerable virtual machines or web app packages. Vulnerable web applications are available as general variants that contain many types of vulnerabilities and as dedicated variants that focus on a single vulnerability and its subtleties. Some examples are:
bWAPP
DVWA
OWASP WebGoat
Cyclone Transfers
Bricks
Butterfly Security Project
Hacme
Juice Shop
RailsGoat
SQLol
bWAPP, DVWA (Damn Vulnerable Web Application) and WebGoat are the best for beginners.
5. Testing Real Targets: Once you are thorough with the basics and have a decent level of skill, you can start hunting on real websites. Many websites run bug bounty programs for their web assets. Some big names are:
Facebook
Twitter
Google
Verizon
Starbucks
Shopify
Spotify
Apple
These companies reward generously, but finding a security bug in any of their assets is very difficult because of the competition: the world's top bug bounty hunters are testing these sites alongside you. That does not mean you cannot find something at all.
6. Staying Current on Latest Vulnerabilities: For this, you can follow elite researchers and learn from their work. You can also read disclosed reports on bug bounty platforms like HackerOne. Some recommended researchers to follow are:
Frans Rosén
Jason Haddix
Geekboy
PortSwigger
Jobert Abma
Finally, if you really want to get started with bug bounty hunting, it does not matter what your academic background or current working domain is; you can simply start learning the required skills and tools and begin the actual hunting.