A bug bounty program provides recognition and compensation to security researchers who practice responsible disclosure. Companies started bug bounty programs to improve their security; security researchers find vulnerabilities on top websites and get rewarded.
Reward Program
- Avast! – http://www.avast.com/bug-bounty
- Barracuda – http://barracudalabs.com/
- Coinbase – https://coinbase.com/whitehat
- Chromium Project – http://www.chromium.org/
- CrowdShield – https://crowdshield.com/
- Cryptocat – https://crypto.cat/bughunt/
- Facebook – http://www.facebook.com/whitehat/
- Etsy – http://www.etsy.com/help/article/2463
- Gallery – http://codex.gallery2.org/Bounties
- Ghostscript – http://ghostscript.com/Bug_bounty_program.html (Mostly software development, occasional security issues)
- Google – http://www.google.com/about/company/rewardprogram.html
- Hex-Rays – http://www.hex-rays.com/bugbounty.shtml
- IntegraXor (SCADA) – http://www.integraxor.com/blog/integraxor-hmi-scada-bug-bounty-program
- LaunchKey – https://launchkey.com/docs/whitehat
- Marktplaats – http://statisch.marktplaats.nl/help/
- Mega.co.nz – http://thenextweb.com/insider/2013/02/01/kim-dotcom-puts-up-13500-bounty-for-first-person-to-break-megas-security-system/
- Meraki – http://www.meraki.com/trust/#srp
- Microsoft – http://www.microsoft.com/security/msrc/report
- Mozilla – http://www.mozilla.org/security/bug-bounty.html
- Paypal – https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
- PikaPay – https://www.pikapay.com/pikapay-security-policy/
- Piwik – http://piwik.org/security/
- Ricebridge – http://www.ricebridge.com/bugs.htm (Only available to customers)
- Ripple – https://ripple.com/bug-bounty/
- Samsung – https://samsungtvbounty.com/
- Simple – https://www.simple.com/policies/website-security/
- Tarsnap – https://www.tarsnap.com/bugbounty.html
- Qiwi – https://www.qiwi.ru/page/hack.action
- Qmail – http://cr.yp.to/djbdns/guarantee.html
- Yandex – http://company.yandex.com/security/index.xml
- Zerobrane – http://notebook.kulchenko.com/zerobrane/zerobrane-studio-bug-bounty
Product & Services (Hall Of Fame Only)
- Acquia – https://www.acquia.com/how-report-security-issue
- ActiveProspect – http://activeprospect.com/activeprospect-security/
- Adobe – http://www.adobe.com/support/security/alertus.html
- Amazon.com (retail) – please email details to security@amazon.com
- Android Free Apps – http://www.androidfreeapp.net/security-researcher-acknowledgments/
- Apple – http://support.apple.com/kb/HT1318
- Blackberry – http://us.blackberry.com/business/topics/security/incident-response-team/collaborations.html
- Braintree – https://www.braintreepayments.com/developers/disclosure
- Card – https://www.card.com/responsible-disclosure-policy
- cPaperless – http://www.cpaperless.com/securitystatement.aspx
- Chargify – https://chargify.com/security/
- DiMartino Entertainment – http://moosikay.dimartinoentertainment.com/site/credits/
- eBay – http://pages.ebay.com/securitycenter
- EVE – http://community.eveonline.com/devblog.asp?a=blog&nbid=2384
- Evernote – http://evernote.com/security/
- Foursquare – https://foursquare.com/about/security
- Freelancer – http://www.freelancer.com/info/vulnerability-submission.php
- Future Of Enforcement – http://futureofenforcement.com/?page_id=695
- Gitlab – http://blog.gitlab.com/responsible-disclosure-policy/
- Gliph – https://gli.ph/s/security.html
- HakSecurity – http://haksecurity.com/special-thanks/
- Harmony – http://get.harmonyapp.com/security/
- Heroku – https://www.heroku.com/policy/security-hall-of-fame
- Iconfinder – http://support.iconfinder.com/customer/portal/articles/1217282-responsible-disclosure-of-security-vulnerabilities
- Kaneva – http://docs.kaneva.com/mediawiki/index.php/Bug_Bounty
- Kayako – https://my.kayako.com/
- Lastpass – https://lastpass.com/support_security.php
- Mahara – https://wiki.mahara.org/index.php
- MailChimp – http://mailchimp.com/about/security-response/
- Microsoft (Online Services) – http://technet.microsoft.com/en-us/security/cc308589
- Netflix – http://support.netflix.com/en/node/6657#gsc.tab=0
- Nokia – http://www.nokia.com/global/security/acknowledgements/
- Nokia Siemens Networks – http://www.nokiasiemensnetworks.com/about-us/responsible-disclosure
- Norada – http://norada.com/crm-software/security_response
- Owncloud – http://owncloud.org/about/security/hall-of-fame/
- Opera – https://bugs.opera.com/wizarddesktop/
- Oracle – http://:oracle.com/technetwork/topics/security
- Puppet Labs – https://puppetlabs.com/security/acknowledgments/
- RedHat – https://access.redhat.com/knowledge/articles/66234
- Risk.io – https://www.risk.io/security
- Security Net – http://www.securitynet.org/security-researcher-acknoledgments/
- Sellfy – https://sellfy.com/security/
- Spotify – https://www.spotify.com/us/about-us/contact/report-security-issues/
- Sprout Social – http://sproutsocial.com/responsible-disclosure-policy
- Telekom – http://www.telekom.com/corporate-responsibility/security/186450
- Thingomatic – http://thingomatic.org/security.html
- 37signals – https://37signals.com/security-response
- Tuenti – http://corporate.tuenti.com/en/dev/hall-of-fame
- Twilio – https://www.twilio.com/docs/security/disclosure
- Twitter – https://twitter.com/about/security
- WizeHive – http://www.wizehive.com/special_thanks.html
- Xmarks – https://buy.xmarks.com/security.php
- Zendesk – http://www.zendesk.com/company/responsible-disclosure-policy
- Zynga – http://company.zynga.com/security/whitehats
Product & Services (No Reward)
- Amazon Web Services (AWS) – http://aws.amazon.com/security/vulnerability-reporting
- Apriva – http://www.apriva.com/security
- Authy – https://www.authy.com/security-issue
- Blackboard – http://www.blackboard.com/footer/security-policy.aspx
- Box – https://www.box.com/about-us/security/
- Cisco – http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html#roosfassv
- Cloudnetz – http://cloudnetz.com/Legal/vulnerability-testing-policy.html
- Constant Contact – http://www.constantcontact.com/about-constant-contact/security/report-vulnerability.jsp
- Coupa – http://trust.coupa.com/home/security/coupa-vulnerability-reporting-policy
- Drupal – https://drupal.org/security-team
- EMC2 – http://www.emc.com/contact-us/contact/product-security-response-center.htm
- Emptrust – http://www.emptrust.com/Security.aspx
- Heroku – https://www.heroku.com/policy/security-hall-of-fame
- HTC – http://www.htc.com/us/terms/product-security/
- Huawei – http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm
- IBM – http://www-03.ibm.com/security/secure-engineering/report.html
- KPN – http://www.kpn.com/Privacy.htm#tabcontent3
- Lievensberg Hospital – http://www.lievensbergziekenhuis.nl/paginas/141-disclaimer.html
- LinkedIn – http://help.linkedin.com/app/answers/detail/a_id/37022
- Lookout – https://www.lookout.com/responsible-disclosure
- Millsap Independent School District – http://www.millsapisd.net/BugReport.cfm
- Modus CSR – http://www.moduscsr.com/security_statement.php
- PagerDuty – http://www.pagerduty.com/security/disclosure/
- Panzura – http://panzura.com/support/panzura-security-policy/
- Pidgin – http://pidgin.im/security/
- Plone – http://plone.org/products/plone/security/advisories
- Pop Group – http://www.popgroupglobal.com/security.php
- Reddit – http://code.reddit.com/wiki/help/whitehat
- Relaso – http://relaso.com/disclosure
- Salesforce – http://www.salesforce.com/company/privacy/security.jsp#vulnerability
- Simplify – http://simplify-llc.com/simplify-security.html
- Skoodat – http://www.skoodat.com/security
- Scorpion Software – http://www.scorpionsoft.com/company/disclosurepolicy/
- Square – https://squareup.com/security/levels
- Symantec – http://www.symantec.com/security/
- Team Unify – http://www.teamunify.com/__corp__/security.php
- Tele2 – http://www.tele2.nl/klantenservice/veiligheid/tele2-en-veiligheid.html
- T-Mobile (Netherlands) – http://www.t-mobile.nl/Global/media/pdf/privacy_statement_juni_2012.pdf
- UPC – http://www.upc.nl/internet/veilig_internet/beveiligingsproblemen/
- Viadeo – http://www.viadeo.com/aide/security/
- Vodafone (Netherlands) – http://over.vodafone.nl/vodafone-nederland/privacy-veiligheid/beveiliging-en-bescherming/wat-doet-vodafone/meld-een-beveilig
- VSR – http://www.vsecurity.com/company/disclosure
- X.commerce – http://www.x.com/security
- Xen – http://www.xen.org/projects/security_vulnerability_process.html
- Ziggo – https://www.ziggo.nl/#klantenservice/internet/risicos-op-internet/meldpunt-beveiligingslekken