Bug bounty programs are usually organized by software companies or websites, where developers get rewarded for finding bugs; in the form of vulnerabilities and probable exploits. If you’re part of the ethical hacking community, bug hunting is where you could shine. Hack, report and get paid. Here are some lucrative bug bounty programs to keep track of:
Microsoft Bounty Program for Finding Bugs in Its Identity Services: You can make up to $100,000 in this program offered by the technology giant, Microsoft. Find a flaw in its “Identity services”, report and get a grand reward. This includes undisclosed vulnerabilities in Microsoft Account or Azure Active Directory Account, listed OpenID standards or with the protocol implemented in Microsoft’s certified products, services, or libraries, any version of Microsoft Authenticator application. Rewards vary according to the nature of the vulnerability.
|High Quality Submissions||Baseline Quality Submissions||Incomplete Submissions|
|Significant Authentication Bypass||Up to $40,000||Up to $10,000||From $1,000|
|Multi-factor Authentication Bypass||Up to $100,000||Up to $50,000||From $1,000|
|Standards design vulnerabilities||Up to $100,000||Up to $30,000||From $2,500|
|Standards-based implementation vulnerabilities||Up to $75,000||Up to $25,000||From $2,500|
|Cross-Site Scripting (XSS)||Up to $10,000||Up to $4,000||From $1,000|
|Cross-Site Request Forgery (CSRF)||Up to $20,000||Up to $5,000||From $500|
|Authorization Flaw||Up to $8,000||Up to $4,000||From $500|
|Sensitive Data Exposure||Up to $5,000||Up to $2,500||From $500|
Facebook bug bounty program: Security researchers or anyone who has found a flaw in Facebook or a Facebook product can report and get rewarded $500 minimum. Qualify for a bounty by reporting a security bug in Facebook or one of the following qualifying products or acquisitions:
- Internet.org / Free Basics
- Open source projects by Facebook (e.g. osquery)
Intel vulnerability program: The Intel Bug Bounty program is open to the public. Any security researcher can take part and report security vulnerabilities in Intel branded products & technologies. Intel will award a Bounty from $500 to $250,000 USD depending on the nature of the vulnerability and quality & content of the report. The first external report received on an internally known vulnerability will receive a maximum of $1,500 USD Award
Eligible Intel products and technologies:
- Processor (inclusive of micro-code ROM + updates)
- Networking / Communication
- Motherboard / System (e.g., Intel Compute Stick, NUC)
- Solid State Drives
- UEFI BIOS (Tiano core components for which Intel is the only named maintainer)
- Intel® Management Engine
- Baseboard Management Controller (BMC)
- Motherboard / System (e.g., Intel Compute Stick)
- Solid State Drives
- Device driver
Chrome Reward Program: This program provides monetary awards and public recognition for vulnerabilities responsibly disclosed to the Chrome project. Any security bug in Chrome or Chrome OS stands a chance.
There is a focus on critical, high and medium impact bugs, but any clever vulnerability at any severity might get a reward. Rewards for qualifying bugs typically range from $500 to $100,000.
The following table outlines the usual rewards chosen for the most common classes of bugs:
|High-quality report with |
functional exploit 
|High-quality report ||Baseline ||Low-quality report |
|Sandbox Escape ||$15,000||$10,000||$2,000 – $5,000||$500|
|Renderer Remote Code Execution||$7,500||$5,000||$1,000 – $3,000||$500|
|Universal XSS (local bypass or equivalent)||$7,500||$5,000||N/A||N/A|
|Information Leak||$4,000||$2,000||$0 – $1000||$0|
|Download Protection bypass ||N/A||$1,000||$0 – $500||$0|
On top of these rewards, Chrome offers either $500 or $1,337 if a well-written patch is provided with the report. Significant patches can also be submitted under the Patch Reward Program.
It is necessary to check out the official websites of each site for eligibility information and to confirm what they reward for and what they don’t. In addition, most organizations obviously require you don’t share any found bug publicly until it’s confirmed and resolved.