Thursday, 20 September 2012

List of Bug Bounty Programs


Bug Bounty Program a well known topic is on the heat these days, known companies like: Google, Facebook, Mozilla are paying for finding a vulnerabilities on their web servers, products, services or some associated applications. Here is a list for all the Security Researchers and Bug Hunters to target all the best :)



Bug Bounty Websites for Web Application Vulnerability



Mozilla

security@mozilla.org

http://www.mozilla.org/security

http://www.mozilla.org/projects/security/security-bugs-policy.html

http://www.mozilla.org/security/announce



Google

security@google.com

https://www.google.com/appserve/security-bugs/new?rl=xkp7zert49a5q6owod28bhr2



Facebook

http://www.facebook.com/whitehat/bounty



Paypal

sitesecurity@paypal.com

https://cms.paypal.com/cgi-bin/marketingweb?cmd=_render-content&content_ID=security/reporting_security_issues



Etsy

security-reports@etsy.com

http://www.etsy.com/help/article/2463



Wordpress

http://www.whitefirdesign.com/about/wordpress-security-bug-bounty-program.html



Commonsware

http://commonsware.com/bounty.html



CCBill

http://www.ccbill.com/developers/security/vulnerability-reward-program.php

http://www.ccbill.com/developers/security/rewards.php



Vark

http://www.vark.com



Windthorstisd

http://www.windthorstisd.net/BugReport.cfm





Bug Bounty Websites for Products Vulnerability



Mozilla

http://www.mozilla.org/security

http://www.mozilla.org/security/known-vulnerabilities/firefox.html



Google Chrome

http://www.chromium.org/Home/chromium-security/vulnerability-rewards-program



Zero Day Initiative

http://www.zerodayinitiative.com



Barracuda

bugbounty@barracuda.com

http://www.barracudalabs.com/bugbounty

http://www.barracudalabs.com/bugbounty/halloffame.html



Artifex Software

http://www.ghostscript.com/Bug_bounty_program.html



Hex Rays

http://www.hex-rays.com/bugbounty.shtml



Ardour

http://ardour.org/bugbounty



Piwik

http://piwik.org/security





Hall of Fame & Responsible Disclosure Websites(No Bounties)



Microsoft



http://technet.microsoft.com/en-us/security/cc308589

http://technet.microsoft.com/en-us/security/cc308575

http://technet.microsoft.com/en-us/security/cc261624

http://www.microsoft.com/security/msrc/default.aspx

http://technet.microsoft.com/en-us/security/ff852094.aspx



Apple

product-security@apple.com

http://support.apple.com/kb/HT1318

https://ssl.apple.com/support/security/



Adobe

http://www.adobe.com/support/security/bulletins/securityacknowledgments.html

http://www.adobe.com/support/security/alertus.html



IBM

http://www-03.ibm.com/security/secure-engineering/report.html



Twitter

https://twitter.com/about/security

http://support.twitter.com/groups/33-report-abuse-or-policy-violations/topics/122-reporting-violations/articles/477159-how-to-report-xss-api-and-other-security-vulnerabilities#

https://support.twitter.com/forms



Dropbox

security@dropbox.com

https://www.dropbox.com/security

https://www.dropbox.com/special_thanks



Yahoo

security@yahoo-inc.com


http://security.yahoo.com/article.html;_ylc=X3oDMTFwMGI4cDJnBF9TAzU2NTAwMDAwMgRhaWQDMjAwNjEyMDUwMQRjbmFtZQNZb3VyIFNlY3VyaXR5IG9uIFlhaG9vIQ--?aid=2006120501



Cisco

http://tools.cisco.com/security/center/home.x#~alerts



Moodle

http://moodle.org/security



Drupal

http://drupal.org/security-team



Oracle

http://www.oracle.com/us/support/assurance/reporting/index.html



Symantec

http://www.symantec.com/security



Ebay

http://pages.ebay.com/securitycenter/Researchers.html



Twilio

http://www.twilio.com/blog/2012/03/reporting-security-vulnerabilities.html



37 Signals

http://37signals.com/security-response



Salesforce

http://www.salesforce.com/company/privacy/disclosure.jsp



Reddit

http://code.reddit.com/wiki/help/whitehat



Github

http://help.github.com/responsible-disclosure/



Ifixit

http://www.ifixit.com/Info/responsible_disclosure



Constant Contact

http://www.constantcontact.com/about-constant-contact/security/report-vulnerability.jsp



Zeggio

http://www.zeggio.com



Simplify

http://simplify-llc.com/simplify-security.html



Team Unify

http://www.teamunify.com/__corp__/security.php



Skoodat

http://www.skoodat.com/Security



Relaso

http://relaso.com/disclosure



Moduscsr

http://www.moduscsr.com/security_statement.php



Cloudnetz

http://cloudnetz.com/Legal/vulnerability-testing-policy.html



Emptrust

http://www.emptrust.com/Security.aspx



Apriva

http://www.apriva.com/security



Amazon

http://aws.amazon.com/security/vulnerability-reporting



SqaureUp

https://squareup.com/security/levels



G-Sec

http://www.g-sec.lu/responsible.disclosure.policy.html



Xen

security@xen.org

http://wiki.xen.org/wiki/Security_Announcements

http://www.xen.org/projects/security_vulnerability_process.html



Engine Yard

http://www.engineyard.com/legal/responsible-disclosure-policy



Lastpass

https://lastpass.com/support_security.php



RedHat

https://access.redhat.com/knowledge/articles/66234



Acquia

https://www.acquia.com/how-report-security-issue



Mahara

security@mahara.org

https://wiki.mahara.org/index.php/Security




Zynga

security@zynga.com

http://company.zynga.com/security/whitehats



Risk.io

https://www.risk.io/security



Opera

http://www.opera.com/security/policy

https://bugs.opera.com/wizarddesktop

http://my.opera.com/securitygroup/blog/2013/04/05/thanks-to-the-researchers



Owncloud

http://owncloud.org/security/policy

http://owncloud.org/security/hall-of-fame



Scorpion Soft

security@scorpionsoft.com

http://www.scorpionsoft.com/company/disclosurepolicy




Norada

http://norada.com/norada/crm/security_response



Cpaperless

http://www.cpaperless.com/securitystatement.aspx



Wizehive

http://www.wizehive.com/security

http://www.wizehive.com/special_thanks.html



Tuenti

http://corporate.tuenti.com/en/dev/hall-of-fame



Nokia Siemens

http://www.nokiasiemensnetworks.com/about-us/responsible-disclosure



Sound Cloud

http://help.soundcloud.com/customer/portal/articles/439715-responsible-disclosure



HTC

security@htc.com


http://www.htc.com/www/terms/product-security



Neohapsis

http://www.neohapsis.com/disclosure.php



Nokia

security-alert@nokia.com

http://www.nokia.com/global/security/security

http://www.nokia.com/global/security/acknowledgements





BlackBerry

secure@blackberry.com

https://www.blackberry.com/profile/?eventId=8322

http://us.blackberry.com/business/topics/security/incident-response-team/collaborations.html



Heroku

security@heroku.com

https://policy.heroku.com/security



Chargify

security@chargify.com

https://chargify.com/security



Zendesk

security@zendesk.com

http://www.zendesk.com/company/responsible-disclosure-policy



Lookout

security@lookout.com

https://www.lookout.com/responsible-disclosure



Puppetlabs

security@puppetlabs.com

http://puppetlabs.com/security

https://puppetlabs.com/security/acknowledgments

https://puppetlabs.com/blog/responsible-disclosure-of-security-vulnerabilities



Gliph

https://gli.ph/s/security.html

5 comments:

  1. Hello Ajay. Thanks for this list. I've been following your work across the bug bounty programs. Can I send you an email about a new startup in the bug bounty space and get your feedback? Cheers, Ash

    ReplyDelete
    Replies
    1. Hello Ash, you are welcome, am glad to know that :). Yes sure you can email me about the new startup in the bug bounty space I will give you my feedback. Thanks, Ajay.

      Delete
  2. Hi Andrea, my pleasure. I didn't understand why the Bug Bounty is an scary word for you :). Andrea I don't think Bug Bounty can be a reason for any fake virus attack like you have mentioned, but as many times people use many software which are not genuine or not been downloaded from a reliable source or many times people visit malware infected website so these can be the reason for Win32:Sirefef virus attacks, if you have faced this problem then you can resolve it also using any gud security suite etc, let me know if you are still facing that problem. Actually there could be lot more possibilities for these kinda virus attacks. And there is no relation of bug bounties for it.

    ReplyDelete
  3. hi ajay,
    Can you please tell me some sector/company so far not interested in bug bounty?
    Any reasons for doing so?
    Thanks

    ReplyDelete
  4. Hey Ajay

    Actually I wanted to know if you have any idea as to which company/companies are not into bug bounty programs and if so what can be the reason behind it.

    Thanks.

    ReplyDelete