10 Essential Bug Bounty Programs of 2017 (2 & 3)

1. Facebook
   Website: https://www.facebook.com/whitehat

Minimum Payout: $500

Maximum Payout: No predetermined amount

Those wishing to qualify for a reward in Facebook’s bug bounty program can report a security issue in Facebook, Atlas, Instagram, WhatsApp, and a few other qualifying products and acquisitions. There are a few security issues that the social networking platform considers out-of-bounds, however. For instance, researchers who report on social engineering techniques, content injection, or denial-of-service (DoS) attacks won’t be eligible for a bounty.

Under its VRP, Facebook has agreed to pay a minimum of $500 for a responsibly disclosed vulnerability, though some low-severity flaws won’t qualify a researcher for a bounty. Participating bounty hunters may decide to donate their bounties to a charity of a choice. If they elect to do so, Facebook will double the award.

1. GitHub
   Website: https://bounty.github.com/

Minimum Payout: $200

Maximum Payout: $10,000

More than 100 security researchers have participated in GitHub’s bug bounty program since its launch in June 2013. Each of them has earned points for their vulnerability submissions depending on a flaw’s severity. Based on their work across all targets, those who’ve amassed the most total points have secured a position on the VRP’s Leaderboard.

Individuals looking to participate in GitHub’s bug bounty framework should turn their attention to the developer platform’s API, CSP, Enterprise, Gist and the main website. Upon sending over a bug report, researchers can expect to receive between $200 and $10,000 as a reward. But they’ll receive that bounty only if they respect users’ data and don’t exploit any issue to produce an attack that could harm the integrity of GitHub’s services or information.