Bug Bounty Programs#

Reference of public bug-bounty platforms, vendor-direct programs, government / sector programs, and the typical payout + disclosure conventions. Useful for researchers picking a target, program managers running their own, or operators tracking disclosure timelines.

For broader vulnerability work, see Notable CVEs. For hacking techniques, see Hacking.

Major platforms#

Platform

Notes

HackerOne

largest by program count + payouts; “h1c” platform.

Bugcrowd

second-largest commercial.

Intigriti

EU-based.

Synack

vetted-researcher SRT.

YesWeHack

France-EU; gov-friendly.

Cobalt

continuous PT + bounty hybrid.

Open Bug Bounty

non-commercial; XSS-only historic; recently broader.

HackHub

Indian.

ImmuneFi

crypto / smart-contract specific.

Code4rena

crypto smart-contract competitive audits.

Sherlock

crypto smart-contract.

Hats Finance

crypto / DeFi.

Open Zeppelin Defen

der + Code4rena, smart-contract security.

Vendor-direct programs (selected)#

Vendor

Notes

Apple Security

iOS / macOS / Safari; up to $2M for chained zero-click

Bounty

on Lockdown Mode; $250K-$500K typical max-impact tier.

Google VRP

web + Android + Chrome + Cloud + ML; up to ~$30K base, $1M for Pixel TEE chain.

Microsoft Bounty

Azure, Microsoft 365, Edge, Hyper-V, .NET, AI; up to $250K for Hyper-V.

Meta (Facebook)

Facebook + Instagram + WhatsApp + Quest; $40K for AI prompt-injection.

Mozilla

Firefox + Thunderbird; up to $10K for SBC (sandbox bypass).

Samsung Mobile

Galaxy device exploits; tier-based.

Intel Bug Bounty

side-channel + hardware focus.

AMD

hardware + microcode.

NVIDIA

drivers + GPU.

GitHub Bug Bounty

GitHub.com, GitHub Actions, GitHub Apps.

GitLab

GitLab + Pages + CI.

Cloudflare

Cloudflare services; up to $100K for control-plane.

Tesla

vehicles + APIs; large payouts for vehicle-control bugs.

Anthropic

Claude API + AI safety.

OpenAI

ChatGPT + API + plugins.

Stripe

payments; high-bar but well-paid.

Shopify

storefront + admin.

PayPal

payments.

Zoom

conferencing.

Slack

slack platform.

Discord

client + APIs.

Atlassian Salesforce

Jira / Confluence / Bitbucket.

Adobe

ColdFusion + Magento + Creative.

Sony PlayStation Microsoft Xbox

console + PSN.

Riot Games

gaming.

EA Bounty

gaming.

Valve

Steam + games.

Government programs#

Program

Notes

US DoD VDP

Vulnerability Disclosure Program; broad DoD attack surface; via HackerOne.

US DoD Hack the

“Hack the Pentagon”, “Hack the Army”, “Hack the Air

Pentagon

Force”, “Hack the Marine Corps”; periodic challenges.

US CISA / KEV

agency-wide VDP requirement (BOD 20-01).

US GSA Bounty

GSA platform.

EU Bug Bounties

EU-FOSSA programmes; Open Source Security.

Singapore Cyber Security Agency

Government VDP.

UK NCSC Vuln. Reporting

coordinated disclosure pathway.

Canada Communicatio

ns Security Establishment Canadian gov VDP.

Netherlands Algemen

e Inlichtingen-en Veiligheidsdienst (AIVD) Dutch.

Singapore Govt

Bug bounty program (over HackerOne).

Crypto / Web3 (high-bounty space)#

Program

Notes

Wormhole / Optimism / Aave / Compound / Uniswap / MakerDAO / Polygon / Solana / Chainlink / Lido

Smart-contract bounties commonly at $1M-$10M for protocol-level bugs.

Ethereum Foundation

$250K base; chained-bug payouts higher.

Polkadot Web3 Foundation, Solana Foundation

Layer-1 foundation programs.

Coinbase

$1M for HSM key-extraction.

Binance, Kraken, OKX

Exchanges.

Disclosure norms#

Norm

Notes

Coordinated

report → ack → fix → disclose; the standard since

Disclosure

the early 2000s.

90-day

Google Project Zero default (90 + 14-day grace).

60-day

Cisco Talos default.

30-day for actively

-exploited or trivial issues.

Full Disclosure

skips the vendor; rare in modern practice; legitimate when the vendor refuses to fix.

Responsible Disclosure

older term for coordinated; some still prefer.

Embargo

multi-vendor coordinated release date (Specter, Heartbleed, Log4Shell).

CVE / VINCE / CERT/CC#

  • CVE Numbering Authorities (CNA), can assign CVE IDs; major vendors are usually CNAs; MITRE is the root.

  • VINCE (CERT/CC), coordinated-disclosure platform from Carnegie Mellon SEI.

  • CERT/CC, ~30 day vendor-notification practice.

  • NIST NVD, post-publication enrichment (CVSS, CWE, CPE).

Operator notes#

  • Scope first, programs publish strict in-scope / out-of-scope lists; out-of-scope research can mean rejection + (in extreme cases) legal exposure.

  • Safe-harbor language, DOJ 2022 policy; CFAA enforcement guidance against good-faith research; check the program’s legal terms.

  • Duplicates, if a critical bug is discovered, expect parallel discovery; first valid report typically wins.

  • Disclosure timeline, pre-fix disclosure (even on a bounty page) can void payment + provoke legal action.

  • Attribution, many researchers publish writeups after disclosure; useful for both technique-learning and pivoting in attribution work.

  • Government VDPs, US BOD 20-01 mandates VDP for federal civilian agencies; EU follows suit under NIS2 + CRA.

  • Smart-contract bounties, highest payouts in the industry; ImmuneFi + Code4rena pay regularly into the $1M+ range.

  • Avoid extortion, the line between reporting + extortion is enforced; “pay or I publish” is illegal and ends careers.

References#