Make Money as a Hacker – Highest Paying Bug Bounty Programs

Bug bounty programs are usually organized by software companies or websites, which reward developers for finding bugs in the form of vulnerabilities and possible exploits. If you're part of the ethical hacking community, bug hunting is where you could shine. Hack, report and get paid. Here are some lucrative bug bounty programs to keep track of:

Microsoft Bounty Program for Finding Bugs in Its Identity Services: You can make up to $100,000 in this program offered by the technology giant, Microsoft. Find a flaw in its "Identity services", report it and get a grand reward. The scope includes undisclosed vulnerabilities in Microsoft Account or Azure Active Directory Account, in the listed OpenID standards or in the protocol as implemented in Microsoft's certified products, services, or libraries, and in any version of the Microsoft Authenticator application. Rewards vary according to the nature of the vulnerability.

| Vulnerability type | High Quality Submissions | Baseline Quality Submissions | Incomplete Submissions |
|---|---|---|---|
| Significant Authentication Bypass | Up to $40,000 | Up to $10,000 | From $1,000 |
| Multi-factor Authentication Bypass | Up to $100,000 | Up to $50,000 | From $1,000 |
| Standards design vulnerabilities | Up to $100,000 | Up to $30,000 | From $2,500 |
| Standards-based implementation vulnerabilities | Up to $75,000 | Up to $25,000 | From $2,500 |
| Cross-Site Scripting (XSS) | Up to $10,000 | Up to $4,000 | From $1,000 |
| Cross-Site Request Forgery (CSRF) | Up to $20,000 | Up to $5,000 | From $500 |
| Authorization Flaw | Up to $8,000 | Up to $4,000 | From $500 |
| Sensitive Data Exposure | Up to $5,000 | Up to $2,500 | From $500 |

Facebook bug bounty program: Security researchers, or anyone else who has found a flaw in Facebook or a Facebook product, can report it and receive a minimum reward of $500. Qualify for a bounty by reporting a security bug in Facebook or one of the following qualifying products or acquisitions:

  • Instagram
  • Internet.org / Free Basics
  • Moves
  • Oculus
  • Onavo
  • Open source projects by Facebook (e.g. osquery)
  • WhatsApp

Intel vulnerability program: The Intel Bug Bounty program is open to the public. Any security researcher can take part and report security vulnerabilities in Intel-branded products and technologies. Intel will award a bounty from $500 to $250,000 USD depending on the nature of the vulnerability and the quality and content of the report. The first external report received on an internally known vulnerability will receive a maximum award of $1,500 USD.

Eligible Intel products and technologies:

Intel Hardware

  • Processor (inclusive of micro-code ROM + updates)
  • Chipset
  • FPGA
  • Networking / Communication
  • Motherboard / System (e.g., Intel Compute Stick, NUC)
  • Solid State Drives

Intel Firmware

  • UEFI BIOS (Tiano core components for which Intel is the only named maintainer)
  • Intel® Management Engine
  • Baseboard Management Controller (BMC)
  • Motherboard / System (e.g., Intel Compute Stick)
  • Solid State Drives

Intel Software

  • Device driver
  • Application
  • Tool

Chrome Reward Program: This program provides monetary awards and public recognition for vulnerabilities responsibly disclosed to the Chrome project. Any security bug in Chrome or Chrome OS may qualify.

Qualifying vulnerabilities:

There is a focus on critical, high and medium impact bugs, but any clever vulnerability at any severity might get a reward. Rewards for qualifying bugs typically range from $500 to $100,000.

The following table outlines the usual rewards chosen for the most common classes of bugs:

| Bug class | High-quality report with functional exploit [1] | High-quality report [2] | Baseline [3] | Low-quality report [4] |
|---|---|---|---|---|
| Sandbox Escape [5] | $15,000 | $10,000 | $2,000 – $5,000 | $500 |
| Renderer Remote Code Execution | $7,500 | $5,000 | $1,000 – $3,000 | $500 |
| Universal XSS (local bypass or equivalent) | $7,500 | $5,000 | N/A | N/A |
| Information Leak | $4,000 | $2,000 | $0 – $1,000 | $0 |
| Download Protection bypass [6] | N/A | $1,000 | $0 – $500 | $0 |

On top of these rewards, Chrome offers either $500 or $1,337 if a well-written patch is provided with the report. Significant patches can also be submitted under the Patch Reward Program.

Check each program's official website for eligibility information and to confirm what it rewards and what it doesn't. In addition, most organizations require that you not share any bug you find publicly until it has been confirmed and resolved.
