Bug Bounty Web List

What is the Bug Bounty Program?

Bug Bounty program provides recognition and compensation to security researchers practising responsible disclosure. Company started Bug Bounty programs for improve their security, Cyber security researchers are finding vulnerabilities on top websites and get rewarded.

Reward Programs

  • AT&T – http://developer.att.com/developer/apiDetailPage.jsp?passedItemId=10700235
    (To submit you need to sign up to the free Developer API program)
  • Avast! – http://www.avast.com/bug-bounty
  • Barracuda – http://barracudalabs.com/
  • Coinbase – https://coinbase.com/whitehat
  • Chromium Project – http://www.chromium.org/
  • CrowdShield – https://crowdshield.com/
  • Cryptocat – https://crypto.cat/bughunt/
  • Facebook – http://www.facebook.com/whitehat/
  • Etsy – http://www.etsy.com/help/article/2463
  • Gallery – http://codex.gallery2.org/Bounties
  • Ghostscript – http://ghostscript.com/Bug_bounty_program.html (Mostly software development, occasional security issues)
  • Google – http://www.google.com/about/company/rewardprogram.html
  • Hex-Rays – http://www.hex-rays.com/bugbounty.shtml
  • IntegraXor (SCADA) – http://www.integraxor.com/blog/integraxor-hmi-scada-bug-bounty-program
  • LaunchKey – https://launchkey.com/docs/whitehat
  • Marktplaats – http://statisch.marktplaats.nl/help/
  • Mega.co.nz – http://thenextweb.com/insider/2013/02/01/kim-dotcom-puts-up-13500-bounty-for-first-person-to-break-megas-security-system/
  • Meraki – http://www.meraki.com/trust/#srp
  • Microsoft – http://www.microsoft.com/security/msrc/report
  • Mozilla – http://www.mozilla.org/security/bug-bounty.html
  • Paypal – https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
  • PikaPay – https://www.pikapay.com/pikapay-security-policy/
  • Piwik – http://piwik.org/security/
  • Ricebridge – http://www.ricebridge.com/bugs.htm (Only available to customers)
  • Ripple – https://ripple.com/bug-bounty/
  • Samsung – https://samsungtvbounty.com/
  • Simple – https://www.simple.com/policies/website-security/
  • Tarsnap – https://www.tarsnap.com/bugbounty.html
  • Qiwi – https://www.qiwi.ru/page/hack.action
  • Qmail – http://cr.yp.to/djbdns/guarantee.html
  • Yandex – http://company.yandex.com/security/index.xml
  • Zerobrane – http://notebook.kulchenko.com/zerobrane/zerobrane-studio-bug-bounty

Product & Services (Hall Of Fame Only)

  • Acquia – https://www.acquia.com/how-report-security-issue
  • ActiveProspect – http://activeprospect.com/activeprospect-security/
  • Adobe – http://www.adobe.com/support/security/alertus.html
  • Amazon.com (retail) – please email details to [email protected]
  • Android Free Apps – http://www.androidfreeapp.net/security-researcher-acknowledgments/
  • Apple – http://support.apple.com/kb/HT1318
  • Blackberry – http://us.blackberry.com/business/topics/security/incident-response-team/collaborations.html
  • Braintree – https://www.braintreepayments.com/developers/disclosure
  • Card – https://www.card.com/responsible-disclosure-policy
  • cPaperless – http://www.cpaperless.com/securitystatement.aspx
  • Chargify – https://chargify.com/security/
  • DiMartino Entertainment – http://moosikay.dimartinoentertainment.com/site/credits/
  • eBay – http://pages.ebay.com/securitycenter
  • EVE – http://community.eveonline.com/devblog.asp?a=blog&nbid=2384
  • Evernote – http://evernote.com/security/
  • Foursquare – https://foursquare.com/about/security
  • Freelancer – http://www.freelancer.com/info/vulnerability-submission.php
  • Future Of Enforcement – http://futureofenforcement.com/?page_id=695
  • Gitlab – http://blog.gitlab.com/responsible-disclosure-policy/
  • Gliph – https://gli.ph/s/security.html
  • HakSecurity – http://haksecurity.com/special-thanks/
  • Harmony – http://get.harmonyapp.com/security/
  • Heroku – https://www.heroku.com/policy/security-hall-of-fame
  • Iconfinder – http://support.iconfinder.com/customer/portal/articles/1217282-responsible-disclosure-of-security-vulnerabilities
  • Kaneva – http://docs.kaneva.com/mediawiki/index.php/Bug_Bounty
  • Kayako – https://my.kayako.com/
  • Lastpass – https://lastpass.com/support_security.php
  • Mahara – https://wiki.mahara.org/index.php
  • MailChimp – http://mailchimp.com/about/security-response/
  • Microsoft (Online Services) – http://technet.microsoft.com/en-us/security/cc308589
  • Netflix – http://support.netflix.com/en/node/6657#gsc.tab=0
  • Nokia – http://www.nokia.com/global/security/acknowledgements/
  • Nokia Siemens Networks – http://www.nokiasiemensnetworks.com/about-us/responsible-disclosure
  • Norada – http://norada.com/crm-software/security_response
  • Owncloud – http://owncloud.org/about/security/hall-of-fame/
  • Opera – https://bugs.opera.com/wizarddesktop/
  • Oracle – http://:oracle.com/technetwork/topics/security
  • Puppet Labs – https://puppetlabs.com/security/acknowledgments/
  • RedHat – https://access.redhat.com/knowledge/articles/66234
  • Risk.io – https://www.risk.io/security
  • Security Net – http://www.securitynet.org/security-researcher-acknoledgments/
  • Sellfy – https://sellfy.com/security/
  • Spotify – https://www.spotify.com/us/about-us/contact/report-security-issues/
  • Sprout Social – http://sproutsocial.com/responsible-disclosure-policy
  • Telekom – http://www.telekom.com/corporate-responsibility/security/186450
  • Thingomatic – http://thingomatic.org/security.html
  • 37signals – https://37signals.com/security-response
  • Tuenti – http://corporate.tuenti.com/en/dev/hall-of-fame
  • Twilio – https://www.twilio.com/docs/security/disclosure
  • Twitter – https://twitter.com/about/security
  • WizeHive – http://www.wizehive.com/special_thanks.html
  • Xmarks – https://buy.xmarks.com/security.php
  • Zendesk – http://www.zendesk.com/company/responsible-disclosure-policy
  • Zynga – http://company.zynga.com/security/whitehats

Product & Services (No Reward)

  • Amazon Web Services (AWS) – http://aws.amazon.com/security/vulnerability-reporting
  • Apriva – http://www.apriva.com/security
  • Authy – https://www.authy.com/security-issue
  • Blackboard – http://www.blackboard.com/footer/security-policy.aspx
  • Box – https://www.box.com/about-us/security/
  • Cisco – http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
  • Cloudnetz – http://cloudnetz.com/Legal/vulnerability-testing-policy.html
  • Contant Contact – http://www.constantcontact.com/about-constant-contact/security/report-vulnerability.jsp
  • Coupa – http://trust.coupa.com/home/security/coupa-vulnerability-reporting-policy
  • Drupal – https://drupal.org/security-team
  • EMC2 – http://www.emc.com/contact-us/contact/product-security-response-center.htm
  • Emptrust – http://www.emptrust.com/Security.aspx
  • Heroku – https://www.heroku.com/policy/security-hall-of-fame
  • HTC – http://www.htc.com/us/terms/product-security/
  • Huawei – http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm
  • IBM – http://www-03.ibm.com/security/secure-engineering/report.html
  • KPN – http://www.kpn.com/Privacy.htm#tabcontent3
  • Lievensberg Hospital – http://www.lievensbergziekenhuis.nl/paginas/141-disclaimer.html
  • LinkedIn – http://help.linkedin.com/app/answers/detail/a_id/37022
  • Lookout – https://www.lookout.com/responsible-disclosure
  • Millsap Independent School District – http://www.millsapisd.net/BugReport.cfm
  • Modus CSR – http://www.moduscsr.com/security_statement.php
  • PagerDuty – http://www.pagerduty.com/security/disclosure/
  • Panzura – http://panzura.com/support/panzura-security-policy/
  • Pidgin – http://pidgin.im/security/
  • Plone – http://plone.org/products/plone/security/advisories
  • Pop Group – http://www.popgroupglobal.com/security.php
  • Reddit – http://code.reddit.com/wiki/help/whitehat
  • Relaso – http://relaso.com/disclosure
  • Salesforce – http://www.salesforce.com/company/privacy/security.jsp#vulnerability
  • Simplify – http://simplify-llc.com/simplify-security.html
  • Skoodat – http://www.skoodat.com/security
  • Scorpion Software – http://www.scorpionsoft.com/company/disclosurepolicy/
  • Square – https://squareup.com/security/levels
  • Symantec – http://www.symantec.com/security/
  • Team Unify – http://www.teamunify.com/__corp__/security.php
  • Tele2 – http://www.tele2.nl/klantenservice/veiligheid/tele2-en-veiligheid.html
  • T-Mobile (Netherlands) – http://www.t-mobile.nl/Global/media/pdf/privacy_statement_juni_2012.pdf
  • UPC – http://www.upc.nl/internet/veilig_internet/beveiligingsproblemen/
  • Viadeo – http://www.viadeo.com/aide/security/
  • Vodafone (Netherlands) – http://over.vodafone.nl/vodafone-nederland/privacy-veiligheid/beveiliging-en-bescherming/wat-doet-vodafone/meld-een-beveilig
  • VSR – http://www.vsecurity.com/company/disclosure
  • X.commerce – http://www.x.com/security
  • Xen – http://www.xen.org/projects/security_vulnerability_process.html
  • Ziggo – https://www.ziggo.nl/#klantenservice/internet/risicos-op-internet/meldpunt-beveiligingslekken