All software has bugs, or flaws that cause issues. They range from banal problems that don’t affect software performance in any major way, to serious security vulnerabilities.
Bugs can be difficult to spot, which is why many tech companies have bug bounty programs. But what exactly are bug bounty programs? How do they work, and how do they help improve a product’s security?
How Bug Bounty Programs Work
Companies launch bug bounty programs in order to incentivize white hat hackers to look for security holes and similar vulnerabilities in software. There is typically a more than decent monetary prize for those who discover a bug, no matter how insignificant it may seem to the average person.
And it is not just small, up-and-coming companies that have bug bounty programs. In fact, most tech giants run them, including Google, Microsoft, Facebook, and Apple. Details about these programs can usually be found on a company’s official website. More often than not, there are several tiers or categories. But in principle, the more significant a bug, the higher the reward.
Once a white hat hacker discovers a bug, they submit a detailed disclosure report explaining what they’ve found. Company engineers then review and investigate the submission, and if the researcher’s findings turn out to be accurate and useful, they are notified and receive a monetary reward.
This system works for both companies and independent researchers. From any company’s perspective, it’s better that an ethical hacker discovers a bug than a threat actor, who would most likely go on to exploit it before it’s patched up, potentially causing millions in damages. Hackers, on the other hand, make a nice chunk of change participating in bug bounty programs—some even earn full-time incomes discovering software vulnerabilities.
Examples of Bug Bounty Programs Improving Software Security
It’s good to know how bug bounty programs work in theory, but let’s take a look at a few real-word examples of companies paying out massive sums to white hat hackers.
In cooperation with the bug bounty platform Immunefi, the decentralized blockchain bridge platform Wormhole launched in February 2022 a bounty program offering $10 million to anyone who discovers a critical security bug. Soon enough, a white hat hacker using the pseudonym satya0x discovered one. As Immunefi explained in a Medium post, the bug could have led to user funds being locked, so satya0x received $10 million for disclosing it.
Also in February 2022, the cryptocurrency exchange Coinbase paid a $250,000 bug bounty reward to an independent researcher for discovering a major flaw in the platform’s trading interface.
Aurora Labs, the company behind the Aurora Ethereum (ETH) Virtual Machine, paid out a massive $6 million bounty in April 2022. The money was awarded to an ethical hacker known as pwning.eth, after he discovered a vulnerability that would have allowed threat actors to mint an infinite supply of the Ethereum cryptocurrency in the Aurora engine.
The Canadian e-commerce giant Shopify, meanwhile, broke its own record in 2021, when its bounty payouts totaled $1 million. That year, the company received a total of 3,000 bug reports from white hat hackers around the world. In response, Shopify raised its maximum bounty reward to $100,000.
These figures may seem absurdly high, but they really aren’t in comparison to the amount of money and data cybercriminals could otherwise make by discovering vulnerabilities. Wormhole only set a $10 million bug bounty reward after it lost $320 million due to a breach. Aurora Labs rewarded a white hat hacker because $6 million pales in comparison to losing $240 million worth of ETH, while Coinbase and Shopify probably saved tens of millions by compensating diligent researchers.
The 5 Best High-Paying Bug Bounty Programs
Because companies actually save a ton of money by setting up rewarding bug bounty programs, there is an array of options researchers can choose from. If you happen to be a white hat hacker or would like to become one, here are five high-paying bug bounty programs to consider.
Apple Security Bounty is one of the most popular bug bounty programs in the world. Rewards range from $5,000 for discovering lock screen vulnerabilities, to $2 million for security holes that would enable a threat actor to bypass Lockdown Mode protections. All you have to do to submit a bug report (which needs to be thorough and detailed) is sign in with your Apple ID.
Another popular bug bounty program is run by Microsoft, which offers a wide range of rewards. Much like Apple’s, Microsoft’s program is divided into dozens of different categories. For example, if you discover a vulnerability in the Microsoft.NET framework, you can expect a payment of up to $15,000. But if you discover one in Microsoft Hyper-V, you might get a reward of up to $250,000.
Samsung Rewards Program is centered around the company’s mobile products. It has relatively strict policies, so make sure you read them carefully before submitting a bug. Also, note that only bugs that impact the security of Samsung devices are taken into consideration by the company’s engineers. Rewards range between $200 and $200,000.
In the Google Bug Hunters bounty program, rewards go up to $30,000. Bug hunters, as white hat hackers are often referred to, can report bugs in Gmail, YouTube, BlogSpot, and other Google services. This program has a very active community and its own online university, which can be a great resource for novice researchers.
Meta’s bounty program covers Facebook, Instagram, WhatsApp, Messenger, and a slew of other products. To be considered for a reward (the minimum is $500), you need to find vulnerabilities that pose a security or privacy risk and meet clearly-defined requirements. All valid reports receive a response. If multiple hunters spot the same issue, the reward is given to the first person to submit a report.
Bug Bounty Programs: The Best of Crowdsourced Security
Bug bounty programs represent the best of crowdsourced security. And it’s not just tech companies and cybersecurity researchers that benefit from them—everyone does, including consumers.
For some, bug hunting is a hobby, and for others a full-fledged career. If you fall into the latter category, or aspire to, there are plenty of online courses worth taking a look at.