Bug Bounty Programs part 1

This article is the first part of a four-part series that will analyze the present and the future of Bug Bounty Programs. It offers a point of view on improving online security for companies that run or want to run Bug Bounty Programs.


It all started a long time ago. We don’t know who coined the term, but Google made it well known when they launched their Bug Bounty Program in order to become more secure. Google was inspired by Mozilla’s Bug Bounty Program.

After that, big companies like Facebook, PayPal, Yandex, Mozilla, Etsy, Barracuda and others realised how important Bug Bounty Programs are for their products and started implementing them as well.

The advantages for both sides, the companies that run BBPs and the security professionals, are clear. Companies patch their flaws and vulnerabilities, while security specialists get paid for finding them.

And so Bug Bounty Programs became a trend in the InfoSec industry. Moreover, BBPs resolve security issues and bring fame to security specialists. The programs are also a powerful marketing tool in the InfoSec industry. The most recent one is Mega’s BBP, which was just launched on February 1st 2013 by Kim Dotcom with a prize of 10.000 Euro.

We have put together a list of the most notable Bug Bounty Programs that pay money. If you think we missed a company that runs a Bug Bounty Program for cash, just let us know, and it will be added to the list.

We don’t believe you should do it for free, and that’s why we won’t mention companies that run BBPs without paying cash. The following post explains better why you shouldn’t be doing it for free: No More Free Bugs.

You can watch this nice video presentation about BBPs, given by InfoSec people recognized worldwide.

Bug Bounty Programs – Michael Coates, Chris Evans, Jeremiah Grossman, Adam Mein, Alex Rice from OWASP AppSec USA on Vimeo.

Bug Bounty Programs advantages:

  • Looking at Google, Facebook, Mozilla etc., it has been proven that using the power of the crowd to find and patch vulnerabilities is a fast, good way to secure your server or web application.
  • They help you better manage your security budget by paying only for valid vulnerabilities and not by the hour.
  • Bug Bounty Programs are a very good marketing tool for the companies that run them as well as for the bug hunters.
  • By participating in such programs as a security professional, you get continuous security training and strengthen your personal branding within the InfoSec industry.

BBPs don’t come cheap, and you need good, reliable infrastructure (specialized personnel included) in order to run such contests on your own as a company. Seeing an opportunity in BBPs, some entrepreneurs started to offer “Bug Bounty Program as a Service”, making BBPs more affordable for companies that need a security assessment.

We’ll talk about Bug Bounty Program as a Service in the next article. We would gladly answer any questions.

Stay secure while having fun. :-)


Article written by

Marius is the man with the idea behind Hack a Server, a platform designed for conducting manual penetration tests using the power of crowdsourcing, covered by anonymity and confidentiality. He considers himself a serial entrepreneur and is very passionate about Artificial Intelligence.

9 responses to “Bug Bounty Programs part 1”

  1. 6ix IT

    Crowdsourced security could be a good way to spread this “BBP” concept.

    More to come from 6ix IT very soon ;)

  2. caseyjohnellis

    I look forward to seeing what you have to say about the entrepreneurs


  3. v3nd3tta

    Just to let you know of some more I know of Bugcrowd.com. They email the occasional bug bounty but they are limited time bounties.

    I think they might be based in the US but as I am in the UK I am normally late to see the emails :(
