If you’d like to receive updates on this list, including all Bugcrowd-managed bounties, join the Bugcrowd ninjas!
PRODUCTS AND SERVICES (REWARD OFFERED)
- Bugcrowd - https://portal.bugcrowd.com/accounts/register/
- AT&T - http://developer.att.com/developer/apiDetailPage.jsp?passedItemId=10700235 - (We’ve been told that to submit you need to sign up to the Developer API Program which costs 99 USD…)
- Avast! - http://www.avast.com/bug-bounty
- Barracuda - http://www.barracudalabs.com/bugbounty/
- Coinbase - https://coinbase.com/whitehat
- Cryptocat - https://crypto.cat/bughunt/
- Facebook - http://www.facebook.com/whitehat/bounty/
- Etsy - http://www.etsy.com/help/article/2463
- Gallery - http://codex.gallery2.org/Bounties
- Google - http://www.google.com/about/company/rewardprogram.html
- Hex-Rays - http://www.hex-rays.com/bugbounty.shtml
- Kaneva - http://docs.kaneva.com/mediawiki/index.php/Bug_Bounty
- Mega.co.nz - http://thenextweb.com/insider/2013/02/01/kim-dotcom-puts-up-13500-bounty-for-first-person-to-break-megas-security-system/
- Meraki - http://www.meraki.com/trust/#srp
- Mozilla - http://www.mozilla.org/security/bug-bounty.html
- Paypal - https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
- Piwik - http://piwik.org/security/
- Ripple - https://ripple.com/bug-bounty/
- Samsung - https://samsungtvbounty.com/
- Tarsnap - https://www.tarsnap.com/bugbounty.html
- Qmail - http://cr.yp.to/djbdns/guarantee.html
- Yandex - http://company.yandex.com/security/index.xml
- Access - https://www.accessnow.org/prize
BROKERS AND SECURITY COMPANIES
- Beyond Security - http://www.beyondsecurity.com/ssd.html
- COSEINC - http://www.coseinc.com/en/index.php?rt=advisory
- Exodus Intelligence - https://www.exodusintel.com/eip/
- ExploitHub - https://www.exploithub.com/request/index/developmentrequests/
- HP Zero-Day Initiative (ZDI) - http://www.zerodayinitiative.com/about/benefits/
- iDefense - https://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/vulnerability-intelligence/index.xhtml
- iSIGHT Partners - https://gvp.isightpartners.com/program_details.gvp?page=3&title=1&section=0
- Netragard - http://pentest.snosoft.com/netragards-eap/
- Packet Storm - http://packetstormsecurity.com/bugbounty
- Secunia - http://secunia.com/community/research/svcrp
- White Fir Design - https://www.whitefirdesign.com/about/wordpress-security-bug-bounty-program.html
PRODUCTS AND SERVICES (HALL OF FAME + SWAG)
- Amazon - http://aws.amazon.com/security/vulnerability-reporting (Reward: T-shirt)
- Dropbox - https://www.dropbox.com/special_thanks (Reward: T-shirt)
- Engineyard - https://www.engineyard.com/legal/responsible-disclosure-policy (Reward: T-shirt)
- Github - https://help.github.com/articles/responsible-disclosure-of-security-vulnerabilities (Reward: T-shirt and stickers)
- iFixit - http://www.ifixit.com/Info/Responsible_Disclosure (Reward: T-shirt)
- Soundcloud - http://help.soundcloud.com/customer/portal/articles/439715-responsible-disclosure (Reward: T-shirt)
- Yahoo - http://security.yahoo.com (Reward: T-shirt)
PRODUCTS AND SERVICES (HALL OF FAME ONLY)
- Acquia - https://www.acquia.com/how-report-security-issue
- ActiveProspect - http://activeprospect.com/activeprospect-security/
- Adobe - http://www.adobe.com/support/security/alertus.html
- Apple - http://support.apple.com/kb/HT1318
- Blackberry - http://us.blackberry.com/business/topics/security/incident-response-team/collaborations.html
- Braintree - https://www.braintreepayments.com/developers/disclosure
- eBay - http://pages.ebay.com/securitycenter/ResearchersAcknowledgement.html
- EngineYard - https://www.engineyard.com/legal/responsible-disclosure-policy
- EVE - http://community.eveonline.com/devblog.asp?a=blog&nbid=2384
- Future Of Enforcement - http://futureofenforcement.com/?page_id=695
- Gitlab - http://blog.gitlab.com/responsible-disclosure-policy/
- Harmony - http://get.harmonyapp.com/security/
- LastPass - https://lastpass.com/support_security.php
- Mahara - https://wiki.mahara.org/index.php/Contributors#Security_Researchers
- Microsoft - http://technet.microsoft.com/en-us/security/cc308589
- Netflix - http://support.netflix.com/en/node/6657#gsc.tab=0
- Nokia - http://www.nokia.com/global/security/acknowledgements/
- Nokia Siemens Networks - http://www.nokiasiemensnetworks.com/about-us/responsible-disclosure
- Owncloud - http://owncloud.org/about/security/hall-of-fame/
- Opera - https://bugs.opera.com/wizarddesktop/
- RedHat - https://access.redhat.com/knowledge/articles/66234
- Risk.io - https://www.risk.io/security
- Tuenti - http://corporate.tuenti.com/en/dev/hall-of-fame
- Twilio - https://www.twilio.com/docs/security/disclosure
- Twitter - https://twitter.com/about/security
- WizeHive - http://www.wizehive.com/special_thanks.html
- Xmarks - https://buy.xmarks.com/security.php
- Zendesk - http://www.zendesk.com/company/responsible-disclosure-policy
- Zynga - http://company.zynga.com/security/whitehats
PRODUCTS AND SERVICES (NO REWARD)
- Acquia - https://www.acquia.com/how-report-security-issue
- Atlassian - https://confluence.atlassian.com/display/SUPPORT/How+to+Report+a+Security+Issue
- Chargify - https://chargify.com/security/
- Cloudnetz - http://cloudnetz.com/Legal/vulnerability-testing-policy.html
- Constant Contact - http://www.constantcontact.com/about-constant-contact/security/report-vulnerability.jsp
- HTC - http://www.htc.com/us/terms/product-security/
- IBM - http://www-03.ibm.com/security/secure-engineering/report.html
- Lookout - https://www.lookout.com/responsible-disclosure
- Oracle - http://oracle.com/technetwork/topics/security/securityfixlifecycle-086982.html
- Owncloud - http://owncloud.org/security/hall-of-fame/
- Puppet Labs - http://puppetlabs.com/blog/responsible-disclosure-of-security-vulnerabilities
- Reddit - http://code.reddit.com/wiki/help/whitehat
- Salesforce - http://www.salesforce.com/company/privacy/security.jsp#vulnerability
- 37signals - https://37signals.com/security-response
- Scorpion Software - http://www.scorpionsoft.com/company/disclosurepolicy/
- Symantec - http://www.symantec.com/security/
- Tuenti - http://corporate.tuenti.com/en/dev/hall-of-fame
- VSR - http://www.vsecurity.com/company/disclosure
If you notice something missing, or spot a bounty program which has ceased, please tweet to us or leave a comment below… We’ll update ASAP and credit you for your help!
We’ve decided to include all kinds of bounties - incentivised, hall of fame, swag, and “other” - because, regardless of your motivation and thoughts on disclosure incentives, each of them gives you an opportunity to legitimately do what you love to do… test new targets.
We’ve had a few people write in about their experiences, some good and some bad, with a few of the companies mentioned. Keep it coming! We haven’t figured out how to fairly integrate this data yet, but we plan to.
Thanks to the following legends for their contribution to this page:
- Vitaly Osipov
- Dan Kaminsky
- Ajay Singh Negi
- @_ikki
- @securityshell
- @yappare
- @Vigneshkumarmr
- @fransrosen
- @cyberboyIndia
- @ChiraghDewan
- @peterjaric
- @adam_baldwin
- @jake_m_rogers
- @timb_machine
- @hxteam
- @NoTty_rAJ
- @hvboppana
- @mmrupp
- Reed Louden
- @RahulBinjve
- Abhinav Karnawat
- Nikhil Srivastava
- Ali Hasan Ghauri
- Rahul Binjve
- @RobbyDelaware
- Aamir Rehman
- Christy Philip Mathew
- Danish Tariq