Bug Bounty Programs#
Reference of public bug-bounty platforms, vendor-direct programs, government / sector programs, and the typical payout + disclosure conventions. Useful for researchers picking a target, program managers running their own, or operators tracking disclosure timelines.
For broader vulnerability work, see Notable CVEs. For hacking techniques, see Hacking.
Major platforms#
Platform |
Notes |
|---|---|
HackerOne |
largest by program count + payouts; “h1c” platform. |
Bugcrowd |
second-largest commercial. |
Intigriti |
EU-based. |
Synack |
vetted-researcher SRT. |
YesWeHack |
France-EU; gov-friendly. |
Cobalt |
continuous PT + bounty hybrid. |
Open Bug Bounty |
non-commercial; XSS-only historic; recently broader. |
HackHub |
Indian. |
ImmuneFi |
crypto / smart-contract specific. |
Code4rena |
crypto smart-contract competitive audits. |
Sherlock |
crypto smart-contract. |
Hats Finance |
crypto / DeFi. |
Open Zeppelin Defen |
der + Code4rena, smart-contract security. |
Vendor-direct programs (selected)#
Vendor |
Notes |
|---|---|
Apple Security |
iOS / macOS / Safari; up to $2M for chained zero-click |
Bounty |
on Lockdown Mode; $250K-$500K typical max-impact tier. |
Google VRP |
web + Android + Chrome + Cloud + ML; up to ~$30K base, $1M for Pixel TEE chain. |
Microsoft Bounty |
Azure, Microsoft 365, Edge, Hyper-V, .NET, AI; up to $250K for Hyper-V. |
Meta (Facebook) |
Facebook + Instagram + WhatsApp + Quest; $40K for AI prompt-injection. |
Mozilla |
Firefox + Thunderbird; up to $10K for SBC (sandbox bypass). |
Samsung Mobile |
Galaxy device exploits; tier-based. |
Intel Bug Bounty |
side-channel + hardware focus. |
AMD |
hardware + microcode. |
NVIDIA |
drivers + GPU. |
GitHub Bug Bounty |
GitHub.com, GitHub Actions, GitHub Apps. |
GitLab |
GitLab + Pages + CI. |
Cloudflare |
Cloudflare services; up to $100K for control-plane. |
Tesla |
vehicles + APIs; large payouts for vehicle-control bugs. |
Anthropic |
Claude API + AI safety. |
OpenAI |
ChatGPT + API + plugins. |
Stripe |
payments; high-bar but well-paid. |
Shopify |
storefront + admin. |
PayPal |
payments. |
Zoom |
conferencing. |
Slack |
slack platform. |
Discord |
client + APIs. |
Atlassian Salesforce |
Jira / Confluence / Bitbucket. |
Adobe |
ColdFusion + Magento + Creative. |
Sony PlayStation Microsoft Xbox |
console + PSN. |
Riot Games |
gaming. |
EA Bounty |
gaming. |
Valve |
Steam + games. |
Government programs#
Program |
Notes |
|---|---|
US DoD VDP |
Vulnerability Disclosure Program; broad DoD attack surface; via HackerOne. |
US DoD Hack the |
“Hack the Pentagon”, “Hack the Army”, “Hack the Air |
Pentagon |
Force”, “Hack the Marine Corps”; periodic challenges. |
US CISA / KEV |
agency-wide VDP requirement (BOD 20-01). |
US GSA Bounty |
GSA platform. |
EU Bug Bounties |
EU-FOSSA programmes; Open Source Security. |
Singapore Cyber Security Agency |
Government VDP. |
UK NCSC Vuln. Reporting |
coordinated disclosure pathway. |
Canada Communicatio |
ns Security Establishment Canadian gov VDP. |
Netherlands Algemen |
e Inlichtingen-en Veiligheidsdienst (AIVD) Dutch. |
Singapore Govt |
Bug bounty program (over HackerOne). |
Crypto / Web3 (high-bounty space)#
Program |
Notes |
|---|---|
Wormhole / Optimism / Aave / Compound / Uniswap / MakerDAO / Polygon / Solana / Chainlink / Lido |
Smart-contract bounties commonly at $1M-$10M for protocol-level bugs. |
Ethereum Foundation |
$250K base; chained-bug payouts higher. |
Polkadot Web3 Foundation, Solana Foundation |
Layer-1 foundation programs. |
Coinbase |
$1M for HSM key-extraction. |
Binance, Kraken, OKX |
Exchanges. |
Disclosure norms#
Norm |
Notes |
|---|---|
Coordinated |
report → ack → fix → disclose; the standard since |
Disclosure |
the early 2000s. |
90-day |
Google Project Zero default (90 + 14-day grace). |
60-day |
Cisco Talos default. |
30-day for actively |
-exploited or trivial issues. |
Full Disclosure |
skips the vendor; rare in modern practice; legitimate when the vendor refuses to fix. |
Responsible Disclosure |
older term for coordinated; some still prefer. |
Embargo |
multi-vendor coordinated release date (Specter, Heartbleed, Log4Shell). |
CVE / VINCE / CERT/CC#
CVE Numbering Authorities (CNA), can assign CVE IDs; major vendors are usually CNAs; MITRE is the root.
VINCE (CERT/CC), coordinated-disclosure platform from Carnegie Mellon SEI.
CERT/CC, ~30 day vendor-notification practice.
NIST NVD, post-publication enrichment (CVSS, CWE, CPE).
Operator notes#
Scope first, programs publish strict in-scope / out-of-scope lists; out-of-scope research can mean rejection + (in extreme cases) legal exposure.
Safe-harbor language, DOJ 2022 policy; CFAA enforcement guidance against good-faith research; check the program’s legal terms.
Duplicates, if a critical bug is discovered, expect parallel discovery; first valid report typically wins.
Disclosure timeline, pre-fix disclosure (even on a bounty page) can void payment + provoke legal action.
Attribution, many researchers publish writeups after disclosure; useful for both technique-learning and pivoting in attribution work.
Government VDPs, US BOD 20-01 mandates VDP for federal civilian agencies; EU follows suit under NIS2 + CRA.
Smart-contract bounties, highest payouts in the industry; ImmuneFi + Code4rena pay regularly into the $1M+ range.
Avoid extortion, the line between reporting + extortion is enforced; “pay or I publish” is illegal and ends careers.
References#
Bugcrowd VRT, crowd-tested vulnerability rating taxonomy.