What are bug bounty programs


bug bounty program

Bug bounty programs allow independent security researchers to report bugs to an organization and receive rewards or compensation. These bugs are usually security exploits and vulnerabilities, though they can also include process issues, hardware flaws, and so on.
The reports are typically made through a program run by an independent third party. The organization will set up (and run) a program curated to the organization’s needs. Programs may be private where reports are kept confidential to the organization or public . They can take place over a set time frame or with no end date.
Many software vendors and websites run bug bounty programs, paying out cash rewards to software security researchers and white hat hackers who report software vulnerabilities that have the potential to be exploited. Bug reports must document enough information for for the organization offering the bounty to be able to reproduce the vulnerability. Typically, payment amounts are commensurate with the size of the organization, the difficulty in hacking the system and how much impact on users a bug might have.
 Programs – Many major organizations use bug bounties as a part of their security program, including AOL, Android, Apple, Digital Ocean, and Goldman Sachs.

companies use bug bounty programs

Bug bounty programs give companies the ability to harness a large group of hackers in order to find bugs in their code. This gives them access to a larger number of hackers or testers than they would be able to access on a one-on-one basis. It can also increase the chances that bugs are found and reported to them before malicious hackers can exploit them.

It can also be a good public relations choice for a firm. As bug bounties have become more common, having a bug bounty program can signal to the public and even regulators that an organization has a mature security program. This trend is likely to continue, as some have started to see bug bounty programs as an industry standard which all organizations should invest in.

Why do researchers and hackers participate in bug bounty programs?

Finding and reporting bugs via a bug bounty program can result in both cash bonuses and recognition. In some cases, it can be a great way to show real-world experience when you’re looking for a job, or can even help introduce you to folks on the security team inside an organization.

This can be full time income for some folks, income to supplement a job, or a way to show off your skills and get a full time job.

It can be fun. It’s a great  chance to test out your skills against massive corporations and government agencies.

cyber security and ethical hacking 3

disadvantages of bug bounty programs for organizations

These programs are only beneficial if the program results in the organization finding problems that they weren’t able to find themselves. If the organization isn’t mature enough to be able to quickly remediate identified issues, a bug bounty program isn’t the right choice for their organization.

Also, any bug bounty program is likely to attract a large number of submissions, many of which may not be high-quality submissions. An organization needs to be prepared to deal with the increased volume of alerts, and the possibility of a low signal to noise ratio.

Additionally, if the program doesn’t attract enough participants (or participants with the wrong skill set, and thus participants aren’t able to identify any bugs), the program isn’t helpful for the organization. The vast majority of bug bounty participants concentrate on website vulnerabilities, while only a few  opt to look for operating system vulnerabilities.

This is likely due to the fact that hacking operating systems (like network hardware and memory) requires a significant amount of highly specialized expertise. This means that companies may see significant return on investment for bug bounties on websites, and not for other applications, particularly those which require specialized expertise.

This also means that organizations which need to examine an application or website within a specific time frame might not want to rely upon a bug bounty as there’s no guarantee of when or if they receive reports.

alternatives to bug bounty programs

First, organizations should have a vulnerability disclosure program. Essentially, this provides a secure channel for researchers to contact the organization about identified security vulnerabilities, even if they do not pay the researcher. Having an identified point of contact can be helpful as it can immediately filter requests to the security team, rather than a communications team which may not know how seriously to treat the report. It can also encourage researchers to report vulnerabilities when found. Typically this also includes a framework for how to handle intake, mitigation, and any remediation measures.

Additionally, organizations may opt to hire a penetration testing firm to perform a time-limited test of specific systems or applications. The pen testers will have a curated, directed target and will produce a report at the end of the test.

This will ensure that the company gets a team of highly skilled, trusted hackers at a known price. They can also request any specialized expertise which they need, as well as ensuring the test is private, rather than publicly accessible.

Bug Bounty Awards

Eligibility for any bug bounty award and award amount determinations are made at Intel’s sole discretion. These are some general guidelines that may vary from published documentation:
  • Awards may be greater:
  1. based on the potential impact of the security vulnerability
  2. for well-written reports with complete reproduction instructions / proof-of-concept (PoC) material. See the eligible report requirements above.
  3. if a functional mitigation or fix is proposed along with the reported vulnerability.
  4. Intel will award a bounty award for the first eligible report of a security vulnerability.
  • Awards are limited to one (1) bounty award per eligible root-cause vulnerability.
  • Intel will award a bounty from $500 to $100,000 USD depending on the vulnerability type and originality, quality, and content of the report.
  • Intel will publicly recognize awarded security researchers via Intel Security Advisories at or after the time of public disclosure of the vulnerability, in coordination with the security researcher who reported the vulnerability.
  • Award amounts may change with time. Past rewards do not necessarily guarantee the same reward in the future.


While the use of ethical hackers to find bugs can be very effective, such programs can also be controversial. To limit potential risk, some organizations are offering closed bug bounty programs that require an invitation. Apple, for example, has limited bug bounty participation to few dozen researchers.

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.