Nytro

"No More Free Bugs" Initiatives


Two years after the launch of the "No More Free Bugs" philosophy, several companies and Open Source projects are now offering programs designed to encourage security research in their products. In addition, many private firms are publicly offering vulnerability acquisition programs.

This post is an attempt to catalog all public and active incentives. This includes traditional "Bug Bounty Programs" as well as "Vulnerability/Exploit Acquisition Programs".

Bug Bounty Programs

[TABLE=width: 100%]
[TR][TD=bgcolor: #cccccc, align: center]Sponsor[/TD][TD=bgcolor: #cccccc, align: center]Target[/TD][TD=bgcolor: #cccccc, align: center]Reward[/TD][/TR]
[TR][TD=align: center]Access[/TD][TD=align: center]Undisclosed vulnerability in software used by human rights defenders and activists.[/TD][TD=align: center]$20,000 (winner award)[/TD][/TR]
[TR][TD=align: center]AT&T[/TD][TD=align: center]Security vulnerabilities found within the AT&T API Platform[/TD][TD=align: center]$100-$5,000, plus merchandise (e.g. LTE data cards, phones with free service)[/TD][/TR]
[TR][TD=align: center]Avast[/TD][TD=align: center]Security vulnerabilities in the latest consumer Windows versions of Avast[/TD][TD=align: center]$200-$5,000[/TD][/TR]
[TR][TD=align: center]Barracuda[/TD][TD=align: center]Vulnerabilities in Barracuda appliances, including Spam/Virus Firewall, Web Filter, WAF, NG Firewall[/TD][TD=align: center]$500-$3,133.7[/TD][/TR]
[TR][TD=align: center]BugCrowd[/TD][TD=align: center]Crowdsourced security testing. BugCrowd manages bug bounty programs for third-party companies[/TD][TD=align: center]Starting from $250[/TD][/TR]
[TR][TD=align: center]BugWolf[/TD][TD=align: center]Marketplace for bug bounty hunters. BugWolf manages bug bounty programs for third-party companies[/TD][TD=align: center]Starting from $500[/TD][/TR]
[TR][TD=align: center]Djbdns[/TD][TD=align: center]Verifiable security holes in the latest version of Djbdns[/TD][TD=align: center]$1000[/TD][/TR]
[TR][TD=align: center]Etsy[/TD][TD=align: center]Web application vulnerabilities affecting the main Etsy site, the etsy.com API, or the official Etsy mobile application[/TD][TD=align: center]Starting from $500[/TD][/TR]
[TR][TD=align: center]Facebook[/TD][TD=align: center]Facebook web platform security bugs. No third-party applications[/TD][TD=align: center]Starting from $500[/TD][/TR]
[TR][TD=align: center]Gallery[/TD][TD=align: center]Security issues in the latest stable release of the popular web-based photo album organizer[/TD][TD=align: center]$100-$1000[/TD][/TR]
[TR][TD=align: center]Google[/TD][TD=align: center]Chromium browser project, Chrome OS and selected Google web properties bugs[/TD][TD=align: center]$500-$20,000[/TD][/TR]
[TR][TD=align: center]Hex-Rays[/TD][TD=align: center]Security bugs in the latest public release of Hex-Rays IDA[/TD][TD=align: center]Up to $3000[/TD][/TR]
[TR][TD=align: center]Kaneva[/TD][TD=align: center]High impact web application vulnerabilities[/TD][TD=align: center]$100[/TD][/TR]
[TR][TD=align: center]Mega[/TD][TD=align: center]Web application vulnerabilities and crypto bugs affecting MEGA's online systems[/TD][TD=align: center]Up to €10000[/TD][/TR]
[TR][TD=align: center]Mozilla[/TD][TD=align: center]Firefox, Thunderbird and selected Mozilla Internet-facing websites bugs[/TD][TD=align: center]$500-$3000, plus Mozilla T-shirt[/TD][/TR]
[TR][TD=align: center]Nokia[/TD][TD=align: center]Vulnerabilities in all Nokia-run services, applications and products excluding corporate infrastructure[/TD][TD=align: center]$n/a[/TD][/TR]
[TR][TD=align: center]PayPal[/TD][TD=align: center]Web application vulnerabilities in www.paypal.com[/TD][TD=align: center]$n/a[/TD][/TR]
[TR][TD=align: center]Piwik[/TD][TD=align: center]Flaws in Piwik web analytics software[/TD][TD=align: center]$200-$500[/TD][/TR]
[TR][TD=align: center]Qmail[/TD][TD=align: center]Verifiable security holes in the latest version of Qmail[/TD][TD=align: center]$5000[/TD][/TR]
[TR][TD=align: center]Samsung[/TD][TD=align: center]Security bugs in Samsung TV/BD[/TD][TD=align: center]Starting from $500[/TD][/TR]
[TR][TD=align: center]Tarsnap[/TD][TD=align: center]Tarsnap bugs, affecting either pre-release or released versions[/TD][TD=align: center]$1-$2000[/TD][/TR]
[TR][TD=align: center]Yandex[/TD][TD=align: center]Security vulnerabilities in Yandex's services or mobile applications, as specified on the terms and conditions page[/TD][TD=align: center]$100-$1000[/TD][/TR]
[/TABLE]

Vulnerability/Exploit Acquisition Programs

[TABLE=width: 100%]
[TR][TD=bgcolor: #cccccc]Sponsor[/TD][TD=bgcolor: #cccccc]Target[/TD][TD=bgcolor: #cccccc]Reward[/TD][/TR]
[TR][TD=align: center]BeyondSecurity SecuriTeam[/TD][TD=align: center]High and medium impact bugs in widely spread software[/TD][TD=align: center]$n/a[/TD][/TR]
[TR][TD=align: center]Coseinc[/TD][TD=align: center]Unpublished security vulnerabilities for Windows, Linux and Solaris[/TD][TD=align: center]$n/a[/TD][/TR]
[TR][TD=align: center]Digital Armaments[/TD][TD=align: center]Vulnerability and/or exploit code for high value software[/TD][TD=align: center]$n/a[/TD][/TR]
[TR][TD=align: center]Exodus Intelligence Program[/TD][TD=align: center]Vulnerability research acquisition program for unknown vulnerabilities affecting widely deployed software packages[/TD][TD=align: center]$n/a plus yearly bonuses[/TD][/TR]
[TR][TD=align: center]ExploitHub[/TD][TD=align: center]Legitimate marketplace for non-zero-day exploits[/TD][TD=align: center]$50-$1000. Both one-time purchase payments as well as recurring monthly payments from site-license customers[/TD][/TR]
[TR][TD=align: center]iSight Partners[/TD][TD=align: center]Bugs in typical corporate environment applications[/TD][TD=align: center]$n/a[/TD][/TR]
[TR][TD=align: center]Netragard[/TD][TD=align: center]0-day exploits against well-known software[/TD][TD=align: center]$n/a[/TD][/TR]
[TR][TD=align: center]Packet Storm[/TD][TD=align: center]Exploits for 0-day and 1-day vulnerabilities in enterprise-grade software (Microsoft, Flash, Java, etc.)[/TD][TD=align: center]$1000-$7000[/TD][/TR]
[TR][TD=align: center]Secunia[/TD][TD=align: center]Unknown vulnerabilities affecting stable and latest release of products. All classes of vulnerabilities are eligible.[/TD][TD=align: center]From top-of-the-range merchandise to an IT security conference pass and hotel accommodation[/TD][/TR]
[TR][TD=align: center]TippingPoint ZDI[/TD][TD=align: center]Undisclosed vulnerability research, affecting widely deployed software[/TD][TD=align: center]$n/a plus awards and benefits, depending on the contributor's status[/TD][/TR]
[TR][TD=align: center]VeriSign iDefence[/TD][TD=align: center]Security vulnerabilities in widely deployed applications[/TD][TD=align: center]$n/a[/TD][/TR]
[TR][TD=align: center]White Fir Design[/TD][TD=align: center]Bugs in WordPress code and plugins (with over 1 million downloads and compatible with the most recent WordPress)[/TD][TD=align: center]$50-$500[/TD][/TR]
[/TABLE]

Contributions are welcome! If you are aware of an initiative not listed here or you want to report an inaccuracy in your initiative, please leave a comment and we will update this page over time. In fact, the more people, the better.

Just to clarify, we aim at indexing programs that are:

  • Legal. Although black/gray marketplaces exist, we certainly don't want to list them here
  • Active. We want to keep track of ongoing initiatives. Even time-limited programs are eligible, as long as they are still accepting submissions
  • Public. All entries must have publicly available details. This may range from accurate guidelines and rules to just a simple sentence stating the nature of the incentive. It hence follows that we are going to report public information only. In case of cash rewards, the actual amount is reported whenever the min-max price paid is clearly stated
  • Reward-based. In most cases, entries are "cash-for-bugs" programs. However, any kind of tangible reward is eligible. "No More Free Bugs" versus "No More Cheap Bugs" disputes are not considered here

Disclaimer: we do not endorse, represent or warrant the accuracy or reliability of any of these programs.

Posted by Luca Carettoni

Source: Nibble Security: "No More Free Bugs" Initiatives
