Bug bounty programs are more popular than ever these days. Leading companies such as Google, Mozilla, Facebook, and many others are offering bounties as high as $60,000 for hackers who can find critical vulnerabilities in their programs. Just yesterday Google increased the total reward pot to $3.14159 million for “Pwnium,” its Chrome hacking contest. It’s great to see so many organizations taking security seriously, but the question remains….

Building Secure Web Applications

In June of 2013 this graphic was updated to include Microsoft's new bug bounty program; a mage avatar from Gaia Online was used to represent them. We take no credit for the design; refer to their website for other wicked awesome looking avatars.


Infographic by Veracode Application Security


Companies ranging from Google to Etsy are rushing to pay hackers to disrupt their security systems. Why? As the thinking goes, who better than a hacker to beat a hacker?

Companies with Bug Bounty Programs

  • Google
  • Mozilla (Firefox)
  • Facebook
  • Paypal
  • Etsy

Mozilla launched one of the first such bounty programs in 2004 for successful attacks against its then-fledgling Firefox browser. To date, the company has paid more than $750,000 in bug bounties. Google has paid out more than $1.2 million.

Not all threats are created equal

  • Facebook usually pays $500 per bug but has paid upwards of $10,000 for a few major bugs
  • Google operates several bounty programs, including "Chromium" and "Pwnium"
  • Chromium pays between $500 and about $1,300 for attacks against Chrome and Chrome plug-ins
  • For vulnerabilities in some of its brands, such as Gmail, YouTube, and Blogger.com, it pays as much as $20,000 for an advanced bug
  • But Google's Pwnium contest is truly the mother lode. The program requires researchers not only to find vulnerabilities in Google programs but to submit working attacks to exploit them. The total purse was recently increased to $2 million and individual awards go for $20,000, $40,000 and $60,000 for major bugs

Non-bounty programs

  • Some of the Internet's giants don't offer bounty programs, but that doesn't mean they don't benefit from the work of researchers who expose vulnerabilities
  • Adobe and Apple are three of the biggest companies that don't offer bounties
  • Microsoft's new BlueHat security program does pay up to $250,000 to security professionals who can develop the best counter-attacks; the company says that's better than a bounty program
  • Others with "Hall of Fame" or responsible disclosure websites but no bounties:
    • IBM
    • Dropbox
    • Cisco
    • Oracle
    • Symantec
    • eBay
    • 37signals
    • Salesforce
    • amazon.com
    • HTC
    • Twitter

Do bounty programs help?

The companies that operate bug bounty programs certainly would argue that these programs have made their products safer and kept users' information protected.

"It's a hard measurement to take, but we're seeing a fairly sustained drop-off in the number of incoming reports we're receiving from the Chromium program." - Chris Evans, Information Security Officer at Google

A majority of app vendors fail to achieve compliance/security on their first review:

  • 62% - Enterprise Policy
  • 70% - CWE/SANS Top 25
  • 90% - OWASP Top 10

Top Flaws found in Vendor web apps

  1. 79% - Information Leakage
  2. 71% - Cross-site Scripting (XSS)
  3. 67% - Cryptographic Issues
  4. 67% - Directory Traversal
  5. 63% - CRLF Injection
  6. 51% - Time and State
  7. 48% - Insufficient Input Validation
  8. 40% - SQL Injection

Creating an effective vendor application security program

  • Rather than relying on bug hunters and vendors to retroactively fix their software vulnerabilities, enterprises are establishing programs to test the security of vendor supplied applications
  • There are a few steps enterprises should follow to create effective vendor application security programs:
    1. Policy Definition: Create policies that outline the goals, methodology, and timeline for testing and remediation
    2. Communicate Requirements to Vendors: Provide vendors with a security analysis mandate that outlines the analysis options and timeline for remediation
    3. Vendor Education: Provide written guidance and address questions from vendors. Educate vendors on the entire analysis and remediation process
    4. Communication and Execution: Use project management to minimize delays and drive vendor participation
    5. Results Communication: Review test results and work with vendors to remediate vulnerabilities



Nate joined Veracode as a marketing specialist in early 2012. He is one of Veracode’s first co-ops from Northeastern University, where he is majoring in entrepreneurship and new venture management while minoring in music. He has various responsibilities at Veracode, including blogging, SEO, and infographic design.
