Bug bounty program

From Wikipedia, the free encyclopedia

A bug bounty program is an arrangement offered by many website and software developers under which individuals can receive recognition and compensation for reporting bugs, especially those relating to exploits and vulnerabilities. These programs allow the developers to discover and fix bugs before the general public is aware of them, preventing incidents of widespread abuse. Bug bounty programs have been implemented by Facebook,[1] Yahoo!,[2] and Google,[3] among others.

In August 2013, an information science expert from Palestine used an exploit to post a letter on the Facebook timeline of site founder Mark Zuckerberg. According to the hacker, he had tried to report the vulnerability using Facebook's bug bounty program, but the response team told him that his vulnerability was not actually a bug.[4]

A Facebook "White Hat" debit card, given to researchers who report security bugs

Facebook started paying researchers who find and report security bugs by issuing them custom-branded "White Hat" debit cards that can be reloaded with funds each time the researchers discover new flaws. "Researchers who find bugs and security improvements are rare, and we value them and have to find ways to reward them," Ryan McGeehan, former manager of Facebook's security response team, told CNET in an interview. "Having this exclusive black card is another way to recognize them. They can show up at a conference and show this card and say 'I did special work for Facebook.'"[5]

India, which has the second largest number of bug hunters in the world,[6] tops the Facebook Bug Bounty Program with the largest number of valid bugs. "Researchers in Russia earned the highest amount per report in 2013, receiving an average of $3,961 for 38 bugs. India contributed the largest number of valid bugs at 136, with an average reward of $1,353. The USA reported 92 issues and averaged $2,272 in rewards. Brazil and the UK were third and fourth by volume, with 53 bugs and 40 bugs, respectively, and average rewards of $3,792 and $2,950", Facebook wrote in a post.[7]

Yahoo! was severely criticized for sending out Yahoo! T-shirts as a reward to security researchers who found and reported security vulnerabilities in Yahoo! services, sparking what came to be called "t-shirt-gate".[8] High-Tech Bridge, a Geneva, Switzerland-based security testing company, issued a press release saying Yahoo! offered $12.50 in credit per vulnerability, which could be used toward Yahoo-branded items such as T-shirts, cups and pens from its store. Ramses Martinez, director of Yahoo's security team, later stated in a blog post[9] that he was behind the voucher reward program and that he had essentially been paying for the rewards out of his own pocket. Eventually, Yahoo! launched its new bug bounty program on October 31, which allows security researchers to submit bugs and receive rewards between $250 and $15,000, depending on the severity of the bug discovered.[10]

Notable programs

In October 2013, Google announced a major change to its Vulnerability Reward Program. Previously, it had been a bug bounty program covering many Google products. With the change, the program was broadened to include a selection of high-risk free software applications and libraries, primarily those designed for networking or for low-level operating system functionality. Submissions that Google judged to meet its guidelines would be eligible for rewards ranging from $500 to $3133.70.[11][12]

Similarly, Microsoft and Facebook partnered in November 2013 to sponsor The Internet Bug Bounty, a program to offer rewards for reporting hacks and exploits for a broad range of Internet-related software.[13] The software covered by the IBB includes Adobe Flash, Python, Ruby, PHP, Django, Ruby on Rails, Perl, OpenSSL, Nginx, Apache HTTP Server, and Phabricator. In addition, the program offered rewards for broader exploits affecting widely used operating systems and web browsers, as well as the Internet as a whole.[14]

TopTechTune has published a list of the top 10 white hat hacking reward programs.[15]


  1. ^ Facebook Security (26 April 2014). "Facebook WhiteHat". Facebook. Retrieved 11 March 2014. 
  2. ^ "Yahoo! Bug Bounty Program". HackerOne. Retrieved 11 March 2014. 
  3. ^ "Vulnerability Assessment Reward Program". Google. Retrieved 11 March 2014. 
  4. ^ "Hacker posts Facebook bug report on Zuckerberg’s wall". RT. 18 August 2013. Retrieved 11 March 2014. 
  5. ^ "Facebook whitehat debit card". CNET. 
  6. ^ "Indian Bug Hunters tops the world". DNA News. 
  7. ^ "Facebook's Update on Bug Bounty Program". Facebook Security. 
  8. ^ "Yahoo! T-shirt gate". ZDNet. 
  9. ^ Martinez, Ramses. "So I'm the guy who sent the t-shirt out as a thank you.". Yahoo!. Retrieved 2 October 2013. 
  10. ^ Martinez, Ramses. "Yahoo! launched its Bug Bounty Program". Yahoo!. Retrieved 31 October 2013. 
  11. ^ Goodin, Dan (9 October 2013). "Google offers "leet" cash prizes for updates to Linux and other OS software". Ars Technica. Retrieved 11 March 2014. 
  12. ^ Zalewski, Michal (9 October 2013). "Going beyond vulnerability rewards". Google Online Security Blog. Retrieved 11 March 2014. 
  13. ^ Goodin, Dan (6 November 2013). "Now there’s a bug bounty program for the whole Internet". Ars Technica. Retrieved 11 March 2014. 
  14. ^ "The Internet Bug Bounty". HackerOne. Retrieved 11 March 2014. 
  15. ^ shafeeq ts. "Top 10 White Hat Hacking Rewards". TopTechTune. 
