Bug Bounty programs – the concept of rewarding security researchers for finding and responsibly disclosing vulnerabilities – have become a major part of modern security practice. Researchers now register in their thousands with vulnerability disclosure and bug bounty coordination specialists such as HackerOne, Synack and Bugcrowd.
The bug bounty market has slowly seen the sums of money on offer for finding and responsibly disclosing vulnerabilities increase over the last few years. However, earlier this year, and for the first time ever, Apple revealed that it would be prepared to pay a sum of up to $1m for the successful discovery and disclosure of a certain vulnerability: a zero-click, full-chain kernel-code-execution attack. That huge bounty eclipsed the maximum amount previously available, which was $200,000.
Taking into account the monumental amounts of money now up for grabs as part of bug bounty programs, Infosecurity has compiled a list of the most notable and sizeable bug bounty payments to date.
1 - Oath: $400,000
Oath, which owns Yahoo!, AOL and Tumblr, paid over $400,000 to various HackerOne researchers for discovering multiple bugs in 2018.
Source: Immuniweb
2 - Microsoft: $200,000
Columbia University PhD student Vasilis Pappas received $200,000 in 2012 for a Return-Oriented Programming problem.
Source: PC Mag
3 - US Department of Defense: $130,000
In 2018, the US Department of Defense bug bounty program Hack the Air Force saw more than $130,000 awarded.
Source: HackerOne
4 - Google: $112,500
Researcher Guang Gong was awarded $112,500 by Google for disclosing a remote attack on Google’s Pixel Phone.
Source: Business Insider
5 - Intel: $100,000
Vladimir Kiriansky and Carl Waldspurger received a $100,000 payment from Intel for a processor vulnerability that was “closely related” to Spectre.
Source: IT News
6 - Microsoft: $100,000
British security researcher James Forshaw was paid $100,000 in 2013 for finding a major security flaw within Windows 8.1.
Source: Microsoft
7 - US Department of Defense: $100,000
The US Department of Defense paid out over $100,000 as part of the Hack the Army program in October 2019.
Source: HackerOne
8 - Facebook: $40,000
Russian security researcher Andrew Leonov was awarded $40,000 by Facebook for discovering a security flaw in third-party security software.
Source: PC Mag
9 - Google: $36,000
Nineteen-year-old Ezequiel Pereira from Uruguay received $36,000 for discovering a Remote Code Execution bug in Google’s Cloud Platform console.
Source: PC Mag
10 - United Airlines: One Million Air Miles
Rather than pay money, United Airlines gave one million air miles to researcher Olivier Beg in 2016.
Source: The Register