Bug bounty programs are set up by software companies to incentivize white-hat hackers, developers, and engineers to identify and report security bugs in specified software or services. Many large tech companies, including Google, Microsoft, Facebook, and Atlassian, host these programs to help keep their code secure. A developer who identifies and reports a noteworthy bug is often entitled to compensation that varies depending on the program and the severity of the vulnerability discovered.
Before you start wandering through cyberspace searching for bugs to report, you first need to know which bug bounty program fits your expertise and expectations.
Every bug hunter needs the best tools to find their bounty. GitKraken Client provides enhanced visibility so you can see exactly what’s going on in your codebase, bugs and all.🪲
How to Find Bug Bounty Programs
To find the right bug bounty program for you, it’s important to know what you want out of it. Do you want to go after the highest possible cash reward, the recognition and press that come from identifying a bug at a big-name company, or a program that will send your reward to a charity? These are the kinds of questions to consider when picking a bug bounty program.
Aside from typing a company’s name into a search engine to see if they have a bug bounty program, you can also search HackerOne and Bugcrowd. These sites host a variety of bug bounty programs and do a good job of publicly displaying information like average payout, how quickly you can expect a response from the company, and more. These sites provide information for thousands of bug bounty programs, so there’s no shortage of code to be audited or bugs to find.
This article evaluates the top ten bug bounty programs based on the following criteria: payout, required experience, and recent history. For each program we also summarize its scope and link to the program page so you can get started.
Apple: Best Payout for Critical Bug Reports
Google: Best for Advanced Bug Bounty Hunters
Microsoft: Best Average Bounty Payout
Facebook: Best Community
Intel: Best Promotion Opportunity
GitHub: Best for Beginner Bug Hunters
Atlassian: Best for Intermediate Bug Hunters
US Department of Defense: Best for Bragging Rights
Uber: Best for Small Bug Reports
Snapchat: Best for Consistent Bounty Payouts
1. Apple Bug Bounty Program: Best Payout for Critical Bug Reports
Payout: Small Bug: $5,000 | Critical Bug: $25,000-$250,000+
Experience Level: Intermediate-Advanced
Recent History: $3.7 million awarded for qualifying vulnerabilities submitted in 2020
The Apple bug bounty program offers some serious cash incentives. That said, past participants have expressed dissatisfaction with the payouts they received for bugs they felt deserved greater compensation. In recent years Apple has responded to that criticism and committed to providing top-tier rewards for qualifying submissions.
If you give the Apple bug bounty program a shot, make sure the bug is reliably reproducible (state the affected product and version and give exact steps), and make your case in the initial report for the compensation tier you think the bug qualifies for.
2. Google Bug Bounty Program: Best for Advanced Bug Hunters
Payout: Small Bug: $500 | Critical Bug: Not set
Experience Level: Intermediate-Advanced
Recent History: 696 qualifying submissions in 2021 resulting in $8.7M awarded
Competition is steep for Google’s bug bounty program, and the bar for which vulnerabilities qualify for compensation is high. That said, Google’s program sets no payout limit for critical bugs. The scope mainly covers google.com and youtube.com domains, plus a few smaller domains identified in the program documentation.
The highest payouts in the Google bug bounty program go to developers who identify vulnerabilities that could give bad actors direct access to Google servers, so if you’re looking to “bag the big one,” that’s a good place to start.
3. Microsoft Bug Bounty Program: Best Average Bounty Payout
Payout: $5,000-$250,000 | Avg: $12,000
Experience Level: Advanced
Recent History: $13.7 million awarded for qualifying vulnerabilities submitted in 2021
The scope of the Microsoft bug bounty program is limited to its online platforms, and it is not for the faint of heart. Some of the best bug bounty hunters participate in this program because of its extremely high payout ceiling of $250,000. Microsoft is known for generously compensating bug finders and has made a point of consistently investing in this program.
Developers who submit a qualifying report may choose to donate their earnings to a charity of their choice. If they do, Microsoft doubles the prize money, a compelling incentive for some.
4. Facebook Bug Bounty Program: Best Community
Payout: Small Bug: $500 | Critical Bug: Not set
Experience Level: Beginner-Advanced
Recent History: $1.98M awarded for qualifying vulnerabilities submitted in 2020 | 800 qualifying vulnerability reports in 2021
Facebook’s bug bounty program is heavily integrated with its core infrastructure. This means that all the information pertaining to the program including rules, scope, and payment information can only be found on the Facebook platform itself. Some developers find it bothersome to navigate Facebook’s site to gather this information, but if you’re familiar enough with the platform, it’s not overly complex.
One major benefit to Facebook’s bug bounty info being hosted on the platform is that it’s easy to connect with the community of bug hunters that regularly contribute.
5. Intel Bug Bounty Program: Best Promotion Opportunity
Payout: Small Bug: $500-$2,000 | Critical Bug: $10,000-$100,000
Experience Level: Intermediate-Advanced
Recent History: 97 qualifying vulnerabilities submitted in 2021
Intel’s bug bounty program not only offers generous payouts to bug hunters who identify qualifying issues, it also invites the participants behind the ten most critical submissions to speak at iSecCon. The publicity a developer can receive for finding a “big bug” at Intel is enough to entice some of the most experienced bug hunters around.
6. GitHub Bug Bounty Program: Best for Beginner Bug Hunters
Payout: Small Bug: $617-$2,000 | Critical Bug: $20,000-$30,000+ | Avg: $3,420
Experience Level: Beginner-Advanced
Recent History: 235 qualifying vulnerabilities submitted in 2021 out of 1,363 submissions
GitHub’s bug bounty program includes a leaderboard featuring the participants who have identified the most bugs. All github.com domains are within the scope of this program with only a few exceptions detailed in the rules.
This bug bounty program is continuing to increase in popularity year over year. In fact, in 2021, GitHub’s bug bounty program saw an 18% increase in first-time reporters. GitHub’s bug bounty program is great for developers at any experience level. Many first-time bug hunters choose to start with this program because of fair payouts, community involvement, and a clearly defined scope.
7. Atlassian Bug Bounty Program: Best for Intermediate Bug Hunters
Payout: Small Bug: $200-$1,000 | Critical Bug: $5,000-$10,000+ | Avg: $914.87
Experience Level: Intermediate
Recent History: 5-10 qualifying vulnerabilities submitted each month in 2022
If you use and are familiar with Atlassian products, consider the Atlassian bug bounty program. Note that Atlassian is looking for security vulnerabilities: data leakage, SQL injection, externally exploitable flaws, path traversal issues, and the like. The program isn’t the place to make feature requests or to report a tool that isn’t working as expected.
Atlassian’s bug bounty program is run through Bugcrowd, and its main page features a “hall of famers” list, average payout from the most recent 90-day period, how quickly you can expect to hear back about a bug you’ve reported, and more information. With an average payout of nearly $1,000, this is an enticing program for a more seasoned bug hunter.
8. US DOD Bug Bounty Program: Best for Bragging Rights
Payout: $500-$5,000
Experience Level: Advanced
Recent History: Between July 4 and July 11, 2022, 1,015 reports were submitted, 401 of which were qualifying vulnerabilities
The Department of Defense periodically hosts bug bounty programs. Be forewarned: a monetary incentive is offered only during certain parts of the year, so review the website and rules thoroughly before submitting a bug. Even so, many developers contribute to this program without regard for compensation. Think of the bragging rights; imagine being able to say, “I saved the government from exposing classified information.”
If you participate in the Department of Defense bug bounty programs while a cash incentive is offered, you will want to start bug hunting as early into the qualifying dates as possible. The program has a limited budget, and as soon as the budget runs out, they stop paying people, even if they would have originally qualified for compensation.
US Department of Defense Vulnerability Disclosure Program
9. Uber Bug Bounty Program: Best for Small Bug Reports
Payout: Small Bug: $100-$1,000 | Critical Bug: $3,500-$50,000 | Avg: $625
Experience Level: Beginner-Advanced
Recent History: Avg of 600 bugs submitted each year
The Uber bug bounty program focuses on securing customer and employee data. Run through HackerOne, this program isn’t known for high payouts, but it is known for fairly compensating small bug reports. With nearly 2,000 bugs resolved since the program’s inception, many find it a good program for collecting frequent, smaller rewards.
10. Snapchat Bug Bounty Program: Best for Consistent Payouts
Payout: Small Bug: $500-$4,000 | Critical Bug: $15,000-$35,000 | Avg: $250
Experience Level: Beginner-Intermediate
Recent History: 52 qualifying vulnerabilities submitted between Apr 2021-Apr 2022
The average payout for Snapchat’s bug bounty program isn’t as high as for some of the other programs covered in this article, but there’s one key factor to consider before writing this program off.
Of the vulnerabilities submitted, nearly 90% of them qualified for compensation. So while this program certainly won’t make you rich with a single bug report, it’s an excellent choice for the beginner or intermediate bug hunter.
Bug Bounty Program FAQ
Q: What is a bug bounty?
A: A bug bounty is the reward, usually cash or a cash equivalent, given to an individual who identifies and reports a bug to a participating company.
Q: How can I become a bug bounty hunter?
A: A bug bounty hunter is simply someone who searches for security vulnerabilities in software that a program has placed in scope. To be compensated for your bug-finding efforts, you must follow the rules and scope set by each participating company’s program.
Happy Bug Hunting 🪲
Now that you’re armed with knowledge of the top 10 bug bounty programs for developers, it’s time to identify the program that best meets your requirements. It will likely take some time before you’re able to identify a qualifying vulnerability, but don’t give up. There are bugs lurking in codebases everywhere and the companies and customers they serve are counting on developers like you to identify and destroy them. Happy bug hunting!
If you need some legendary Git tools to catch your bugs, look no further than GitKraken: check out GitKraken Client, GitLens for VS Code, and Git Integration for Jira.