Alex Miller, a 12-year-old tech wiz from San Jose received a check in the post for $3,000 from Mozilla. It was a reward for tracking down a critical security flaw in the Firefox web browser. 25-year-old Aaron Portnoy has been tracking down bugs since he was barely into his teens. He first realised it could be a potentially lucrative career when tax collectors from the American Internal Revenue Service came calling, wondering how he had made $60,000. Aaron was not even 20 at the time. Sergey Glazunov was paid $60,000 for finding a security flaw in Chrome Browser on a fully patched Windows 7 system.
These are just some high profile examples of individuals who got the limelight from the press. But, i think you get the point. Finding security holes in widely used software is financially rewarding these days. If you want to participate in some of these programs, here are the details.
Google
Rewards for qualifying bugs range from $100 to $20,000. The following table outlines the usual rewards for the anticipated classes of bugs:
| accounts.google.com | Other highly sensitive services [1] | Normal Google applications | Non-integrated acquisitions and other lower priority sites [2] |
|---|
| Remote code execution | $20,000 | $20,000 | $20,000 | $5,000 |
| SQL injection or equivalent | $10,000 | $10,000 | $10,000 | $5,000 |
| Significant authentication bypass or information leak | $10,000 | $5,000 | $1,337 | $500 |
| Typical XSS | $3,133.7 | $1,337 | $500 | $100 |
| XSRF, XSSI, and other common web flaws |
$500 - $3,133.7
(depending on impact)
|
$500 - $1,337
(depending on impact) | $500 | $100 |
[1] This category includes products such as Google Search (https://www.google.com) Google Wallet (https://wallet.google.com), Google Mail (https://mail.google.com), Google Code Hosting (code.google.com), and Google Play (https://play.google.com).
[2] Note that acquisitions qualify for a reward only after the initial 6 month blackout period has elapsed.
Mozilla
The bounty for valid critical client security bugs will be $3000 (US) cash reward and a Mozilla T-shirt. The bounty will be awarded for critical and high severity security bugs that meet the following criteria:
Security bug is present in the most recent supported, beta or release candidate version of Firefox, Thunderbird, Firefox Mobile, or in Mozilla services which could compromise users of those products, as released by Mozilla Corporation or Mozilla Messaging.
PayPal
Paypal is a new entrant to this field. They have not disclosed any details about the extent of reward. But, the obvious mode of payment is through PayPal.
Facebook
Facebook has fixed a typical bounty to be $500 which maybe increased for specific bugs. Any exploit that could compromise the integrity of Facebook user data, or circumvent the privacy protections of Facebook user data.
ZDI
This is the Zero Day Initiative from TippingPoint software which was acquired by Hewlett-Packard. This is unique in that bugs for third-party software are accepted. As a member of the ZDI program, you earn points each time a vulnerability submission is purchased. Points are treated in a manner similar to airline frequent flyer miles - points accrue each year on a dollar-for-dollar basis based on the total amount paid for vulnerability submissions by the researcher during that calendar year. For instance, if the Zero Day Initiative buys your vulnerability for $5,000, then you receive 5,000 points for that submission. For all of calendar year 2008, if you received 37,000 points, then for calendar year 2009 you will be considered to have ZDI Gold status. The following are the various levels of ZDI Reward membership:
Some lesser known ones:
Barracuda
The bounty starts at $500 for qualifying bugs. The following security products by Barracuda Networks:
- Barracuda Spam & Virus Firewall
- Barracuda Web Filter
- Barracuda Web Application Firewall
- Barracuda NG Firewall
The panel may reward up to $3,133.7 for particularly severe bugs. You may opt to donate your bounty to a charity. Additionally, we will credit your work as a bug/vulnerability reporter if you desire. Only the first report of a bug qualifies. (Why $3,133.7? The number pays homage to “eleet”. This is used by some in the security community as slang for elite and is sometimes referred to as 31337.)
Piwik
The bounty for valid critical security bugs is a $500 (US) cash reward. The bounty for non-critical bugs is $200 (US), paid via Paypal. The bounty will be awarded for security bugs that meet the following criteria:
- Security bug must be original and previously unreported
- Security bug is present in the most recent supported or release candidate version of Piwik
- If two or more people report the bug together the reward will be divided among them
Ghostscript
Artifex software rewards folks who find bugs in their proprietary interpreter for postscript language and for PDF. Accepted fixes for bugs at P1 and P2 pay a bounty of US$1000 each. Bugs at lower priority pay US$500 per bug.
Hex-Rays
Hex-Rays will pay a 3000 USD bounty for certain security bugs in their proprietary IDA or Decompiler applications. What security bugs will be considered:
- Security bugs must be original and previously unreported and not fixed yet.
- Security bugs with high or critical impact are eligible (remote code execution, privilege escalation, etc).
- Security bugs must be in the Hex-Rays code (not in third party/contributed code). In some cases we may take responsibility for third-party code as well.
- Security bugs must be present in the latest public release of IDA/Decompiler.
