Bug Bounty Web List

What is the Bug Bounty Program?

Bug Bounty program provides recognition and compensation to security researchers practicing responsible disclosure. Company started Bug Bounty programs for improve their security, Cyber security researchers are finding vulnerabilities on top websites and get rewarded.

Here are following Bug Bounty Web List.

Reward Programs

  • AT&T – http://developer.att.com/developer/apiDetailPage.jsp?passedItemId=10700235
    (To submit you need to sign up to the free Developer API program)
  • Avast! – http://www.avast.com/bug-bounty
  • Barracuda – http://barracudalabs.com/
  • Coinbase – https://coinbase.com/whitehat
  • Chromium Project – http://www.chromium.org/
  • CrowdShield – https://crowdshield.com/
  • Cryptocat – https://crypto.cat/bughunt/
  • Facebook – http://www.facebook.com/whitehat/
  • Etsy – http://www.etsy.com/help/article/2463
  • Gallery – http://codex.gallery2.org/Bounties
  • Ghostscript – http://ghostscript.com/Bug_bounty_program.html (Mostly software development, occasional security issues)
  • Google – http://www.google.com/about/company/rewardprogram.html
  • Hex-Rays – http://www.hex-rays.com/bugbounty.shtml
  • IntegraXor (SCADA) – http://www.integraxor.com/blog/integraxor-hmi-scada-bug-bounty-program
  • LaunchKey – https://launchkey.com/docs/whitehat
  • LiveAgent – https://www.ladesk.com/bug-bounty-program/
  • Marktplaats – http://statisch.marktplaats.nl/help/
  • Mega.co.nz – http://thenextweb.com/insider/2013/02/01/kim-dotcom-puts-up-13500-bounty-for-first-person-to-break-megas-security-system/
  • Meraki – http://www.meraki.com/trust/#srp
  • Microsoft – http://www.microsoft.com/security/msrc/report
  • Mozilla – http://www.mozilla.org/security/bug-bounty.html
  • Paypal – https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
  • PikaPay – https://www.pikapay.com/pikapay-security-policy/
  • Piwik – http://piwik.org/security/
  • Post Affiliate Pro – https://www.postaffiliatepro.com/post-affiliate-pro-bug-bounty-program
  • Ricebridge – http://www.ricebridge.com/bugs.htm (Only available to customers)
  • Ripple – https://ripple.com/bug-bounty/
  • Samsung – https://samsungtvbounty.com/
  • Simple – https://www.simple.com/policies/website-security/
  • Tarsnap – https://www.tarsnap.com/bugbounty.html
  • Qiwi – https://www.qiwi.ru/page/hack.action
  • Qmail – http://cr.yp.to/djbdns/guarantee.html
  • Yandex – http://company.yandex.com/security/index.xml
  • Zerobrane – http://notebook.kulchenko.com/zerobrane/zerobrane-studio-bug-bounty

Product & Services (Hall Of Fame Only)

  • Acquia – https://www.acquia.com/how-report-security-issue
  • ActiveProspect – http://activeprospect.com/activeprospect-security/
  • Adobe – http://www.adobe.com/support/security/alertus.html
  • Amazon.com (retail) – please email details to [email protected]
  • Android Free Apps – http://www.androidfreeapp.net/security-researcher-acknowledgments/
  • Apple – http://support.apple.com/kb/HT1318
  • Blackberry – http://us.blackberry.com/business/topics/security/incident-response-team/collaborations.html
  • Braintree – https://www.braintreepayments.com/developers/disclosure
  • Card – https://www.card.com/responsible-disclosure-policy
  • cPaperless – http://www.cpaperless.com/securitystatement.aspx
  • Chargify – https://chargify.com/security/
  • DiMartino Entertainment – http://moosikay.dimartinoentertainment.com/site/credits/
  • eBay – http://pages.ebay.com/securitycenter
  • EVE – http://community.eveonline.com/devblog.asp?a=blog&nbid=2384
  • Evernote – http://evernote.com/security/
  • Foursquare – https://foursquare.com/about/security
  • Freelancer – http://www.freelancer.com/info/vulnerability-submission.php
  • Future Of Enforcement – http://futureofenforcement.com/?page_id=695
  • Gitlab – http://blog.gitlab.com/responsible-disclosure-policy/
  • Gliph – https://gli.ph/s/security.html
  • HakSecurity – http://haksecurity.com/special-thanks/
  • Harmony – http://get.harmonyapp.com/security/
  • Heroku – https://www.heroku.com/policy/security-hall-of-fame
  • Iconfinder – http://support.iconfinder.com/customer/portal/articles/1217282-responsible-disclosure-of-security-vulnerabilities
  • Kaneva – http://docs.kaneva.com/mediawiki/index.php/Bug_Bounty
  • Kayako – https://my.kayako.com/
  • Lastpass – https://lastpass.com/support_security.php
  • Mahara – https://wiki.mahara.org/index.php
  • MailChimp – http://mailchimp.com/about/security-response/
  • Microsoft (Online Services) – http://technet.microsoft.com/en-us/security/cc308589
  • Netflix – http://support.netflix.com/en/node/6657#gsc.tab=0
  • Nokia – http://www.nokia.com/global/security/acknowledgements/
  • Nokia Siemens Networks – http://www.nokiasiemensnetworks.com/about-us/responsible-disclosure
  • Norada – http://norada.com/crm-software/security_response
  • Owncloud – http://owncloud.org/about/security/hall-of-fame/
  • Opera – https://bugs.opera.com/wizarddesktop/
  • Oracle – http://:oracle.com/technetwork/topics/security
  • Puppet Labs – https://puppetlabs.com/security/acknowledgments/
  • RedHat – https://access.redhat.com/knowledge/articles/66234
  • Risk.io – https://www.risk.io/security
  • Security Net – http://www.securitynet.org/security-researcher-acknoledgments/
  • Sellfy – https://sellfy.com/security/
  • Spotify – https://www.spotify.com/us/about-us/contact/report-security-issues/
  • Sprout Social – http://sproutsocial.com/responsible-disclosure-policy
  • Telekom – http://www.telekom.com/corporate-responsibility/security/186450
  • Thingomatic – http://thingomatic.org/security.html
  • 37signals – https://37signals.com/security-response
  • Tuenti – http://corporate.tuenti.com/en/dev/hall-of-fame
  • Twilio – https://www.twilio.com/docs/security/disclosure
  • Twitter – https://twitter.com/about/security
  • WizeHive – http://www.wizehive.com/special_thanks.html
  • Xmarks – https://buy.xmarks.com/security.php
  • Zendesk – http://www.zendesk.com/company/responsible-disclosure-policy
  • Zynga – http://company.zynga.com/security/whitehats

Product & Services (No Reward)

  • Amazon Web Services (AWS) – http://aws.amazon.com/security/vulnerability-reporting
  • Apriva – http://www.apriva.com/security
  • Authy – https://www.authy.com/security-issue
  • Blackboard – http://www.blackboard.com/footer/security-policy.aspx
  • Box – https://www.box.com/about-us/security/
  • Cisco – http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
  • Cloudnetz – http://cloudnetz.com/Legal/vulnerability-testing-policy.html
  • Contant Contact – http://www.constantcontact.com/about-constant-contact/security/report-vulnerability.jsp
  • Coupa – http://trust.coupa.com/home/security/coupa-vulnerability-reporting-policy
  • Drupal – https://drupal.org/security-team
  • EMC2 – http://www.emc.com/contact-us/contact/product-security-response-center.htm
  • Emptrust – http://www.emptrust.com/Security.aspx
  • Heroku – https://www.heroku.com/policy/security-hall-of-fame
  • HTC – http://www.htc.com/us/terms/product-security/
  • Huawei – http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm
  • IBM – http://www-03.ibm.com/security/secure-engineering/report.html
  • KPN – http://www.kpn.com/Privacy.htm#tabcontent3
  • Lievensberg Hospital – http://www.lievensbergziekenhuis.nl/paginas/141-disclaimer.html
  • LinkedIn – http://help.linkedin.com/app/answers/detail/a_id/37022
  • Lookout – https://www.lookout.com/responsible-disclosure
  • Millsap Independent School District – http://www.millsapisd.net/BugReport.cfm
  • Modus CSR – http://www.moduscsr.com/security_statement.php
  • PagerDuty – http://www.pagerduty.com/security/disclosure/
  • Panzura – http://panzura.com/support/panzura-security-policy/
  • Pidgin – http://pidgin.im/security/
  • Plone – http://plone.org/products/plone/security/advisories
  • Pop Group – http://www.popgroupglobal.com/security.php
  • Reddit – http://code.reddit.com/wiki/help/whitehat
  • Relaso – http://relaso.com/disclosure
  • Salesforce – http://www.salesforce.com/company/privacy/security.jsp#vulnerability
  • Simplify – http://simplify-llc.com/simplify-security.html
  • Skoodat – http://www.skoodat.com/security
  • Scorpion Software – http://www.scorpionsoft.com/company/disclosurepolicy/
  • Square – https://squareup.com/security/levels
  • Symantec – http://www.symantec.com/security/
  • Team Unify – http://www.teamunify.com/__corp__/security.php
  • Tele2 – http://www.tele2.nl/klantenservice/veiligheid/tele2-en-veiligheid.html
  • T-Mobile (Netherlands) – http://www.t-mobile.nl/Global/media/pdf/privacy_statement_juni_2012.pdf
  • UPC – http://www.upc.nl/internet/veilig_internet/beveiligingsproblemen/
  • Viadeo – http://www.viadeo.com/aide/security/
  • Vodafone (Netherlands) – http://over.vodafone.nl/vodafone-nederland/privacy-veiligheid/beveiliging-en-bescherming/wat-doet-vodafone/meld-een-beveilig
  • VSR – http://www.vsecurity.com/company/disclosure
  • X.commerce – http://www.x.com/security
  • Xen – http://www.xen.org/projects/security_vulnerability_process.html
  • Ziggo – https://www.ziggo.nl/#klantenservice/internet/risicos-op-internet/meldpunt-beveiligingslekken