25 Awesome “Bug Bounty” Programs for Earning Pocket Money

Joel Lee 09-08-2016

A bug bounty is a monetary payout for finding and reporting security holes in software. If you have expertise in security protocols, you could make some extra pocket money hunting for bugs in popular apps and websites.


It’s also a great way to sharpen your skills and build your reputation as a security expert — to the point where you could be recruited by companies (or even the American government). Here are the best bug bounty programs available in 2016.

High-Payout Bug Bounties

For purposes of this article, a high-payout bug bounty is one that can potentially pay above $5,000 for a single report. In practice, earning such high-paying bounties can be extremely tough and reports can indeed result in much lower payouts.

1. Microsoft

Microsoft actually has five separate bug bounty programs as of this writing, with three of them marked as “Ongoing” and two of them having definite end dates. We’ll only list the Ongoing bounties below.

These are some of the best-paying bug bounties currently available.



2. Facebook

Facebook paid out over $1 million in 2014 to bug bounty hunters, which just goes to show how much money Facebook is willing to throw at their security holes. This company is serious about securing its platform.

3. Google

Google’s bug bounty program covers vulnerabilities across Google, YouTube, and Blogger. Note that there are tons of people hunting bugs for Google, so finding one with a big payout may feel like panning for gold.

  • Minimum payout is $100.
  • Up to $7,500 for severe client/session bugs.
  • Up to $20,000 for severe server-access bugs.

4. Chrome

Google also offers bounties for bugs found in the Chrome browser. Any bug that exists in the Stable, Beta, or Dev channels of Chrome, along with any bug that exists in a third-party component of Chrome, is eligible for rewards.

5. Pornhub

Regardless of how you feel about pornography, it’s hard to deny that Pornhub’s recently-announced bug bounty program is enticing — and since it’s so new, there may be many bugs out there waiting to be discovered.

  • Minimum payout is $50.
  • Up to $5,000 for severe issues on Pornhub subdomains, blogs, and other related properties.
  • Up to $25,000 for severe issues on the Pornhub and Pornhub Premium sites as well as the Pornhub mobile app.

6. Yahoo

Despite the fact that Verizon recently acquired Yahoo, the bug bounty program is still going strong and there’s no news to indicate that it will be shutting down any time soon. In-scope properties include Yahoo, Flickr, Polyvore, and more.

  • Minimum payout is $50.
  • Up to $15,000 for severe issues.


7. Mozilla

Mozilla provides bug bounties for security holes in the following client software: Firefox, Firefox for Android, FirefoxOS, and Thunderbird. For the most part, only “security critical” bugs are eligible for bounties.

  • Minimum payout is $500.
  • Up to $2,000 for moderate issues.
  • Up to $7,500 for critical issues.
  • Over $10,000 for exceptional issues.

8. Dropbox

There are so many things you can do with Dropbox, including poke around for security holes. Eligible in-scope properties include the web, desktop, Android, and iOS clients for Dropbox as well as bugs in the Dropbox Core SDK and Dropbox Paper.

  • Minimum payout is $216.
  • Up to $10,000 for severe issues.

9. Uber

The announcement post for Uber’s Bug Bounty program lists a “treasure map” that gives you a great starting point for Uber’s public-facing services and what kind of security holes to look for.

  • Up to $3,000 for medium issues.
  • Up to $5,000 for significant issues.
  • Up to $10,000 for critical issues.

10. GitHub

GitHub has turned into one of the most important free collaborative tools for programmers, so much so that GitHub disruptions are incredibly expensive for many companies. As such, it’s of utmost importance to keep it up and running.

  • Minimum payout is $200.
  • Up to $10,000 for severe GitHub API issues.
  • Up to $10,000 for severe GitHub Gist issues.
  • Up to $10,000 for severe GitHub site issues.

11. Avast

Avast didn’t make it onto our list of the best free security suites for Windows but it’s still a popular choice across the world. The bounty only applies to bugs found in the Avast software itself: Avast Free Antivirus, Avast Pro Antivirus, Avast Internet Security, and Avast Premier.

  • Minimum payout is $400.
  • Up to $10,000 for severe issues.



12. PayPal [No Longer Available]

PayPal has several different consumer-facing services that all need to be vetted and maintained for maximum security, hence the bug bounty program. In-scope properties include PayPal’s subdomains, subsidiary sites like BillMeLater and Billsafe, and certain partner sites.

  • Minimum payout is $100 for partner properties.
  • Minimum payout is $750 for core properties.
  • Up to $1,500 for severe issues on partner properties.
  • Up to $10,000 for severe issues on core properties.

13. Coinbase

Coinbase is the world’s most popular destination for buying and trading alternative currencies like Bitcoin, Dogecoin, and other cryptocurrencies. If any site needs a bug bounty program, it’s one that handles as much money as Coinbase does.

  • Minimum payout is $100.
  • Up to $10,000 for severe issues.

14. Android

If you own a cutting-edge Google-made Android device and know how to hunt for security holes in the operating system, this program’s for you. As of this writing, eligible devices include the Nexus 5X, Nexus 6P, Nexus 9, and Pixel C.

  • Minimum payout is $200.
  • Up to $1,000 for low issues.
  • Up to $2,000 for moderate issues.
  • Up to $4,000 for high issues.
  • Up to $8,000 for critical issues.
  • Bonus: Between $10,000 and $50,000 if you can demonstrate an exploit that leads to compromises in the kernel, TEE TrustZone, or Verified Boot.

15. LINE

LINE is a popular free messaging app for mobile devices and anything related to communication is always a hotbed for bugs and exploits. These bug bounties only apply to the LINE Messenger mobile app and not to any LINE-related Family or Game apps.

  • Minimum payout is $500.
  • Up to $10,000 for severe issues.

16. Flash

It’s almost comical how many security vulnerabilities exist in Flash, so much so that it’s gotten to the point where using Flash is simply a bad idea. The good news is that you can get paid if you find one of these numerous vulnerabilities.

  • Minimum payout is $2,000.
  • Up to $10,000 for severe issues.

Low-Payout Bug Bounties

Why would anyone opt to spend time and effort seeking out a lower-paying bounty? Well, the smaller payout means that you’re competing against fewer people, which also means a greater likelihood of you finding bugs that haven’t been reported yet.

In the long run, you could actually make more money by hunting lower-payout bounties, especially if you don’t have the expertise to contend with the world class hackers who are hunting Google and Facebook bugs.


17. Python

It’s weird to think of a bug bounty existing for a programming language, but it’s true. The Internet Bug Bounty Panel offers rewards for security holes found in open source languages, including Python. Only bugs found in the core language and standard library are eligible.

  • Minimum payout is $500.
  • Over $1,500 for severe issues.

18. Apache

Apache’s HTTP server software powers over half of the websites on the internet. Want to help make websites a little bit safer and more robust? This is a great way to contribute.

  • Minimum payout is $500.
  • Up to $1,500 for important issues.
  • Up to $3,000 for critical issues.

19. Prezi

Prezi is one of the best alternatives to Microsoft PowerPoint available at this time. Bug bounties are available for all of Prezi’s web services and backend services, but are NOT available for Prezi’s desktop or mobile apps.

  • Minimum payout is $500.
  • Undefined increase in payout for severe issues.

20. Square

Square is a money transfer service and a payment processing service, and as mentioned before, any service that deals with money needs to be as secure as possible. In-scope properties include Square’s web domains and mobile apps.

  • Minimum payout is $300.
  • Up to $3,000 for severe issues.

21. Django

The variety of bugs that qualify for Django’s bounty program may not be wide, but the payouts are more than reasonable. Beware that your bounty may be forfeit if you scan or test against Django’s servers.

  • Minimum payout is $250.
  • Up to $1,000 for low issues.
  • Up to $2,000 for moderate issues.
  • Up to $3,000 for severe issues.


22. Tumblr

This microblogging platform will pay you for finding bugs in any of its services or apps: Tumblr site, Tumblr API, Tumblr subdomains and services, and Tumblr mobile apps. Payouts are divided into three tiers.

  • Minimum payout is $200.
  • Up to $400 for major issues.
  • Up to $1,000 for critical issues.

23. Slack

The minimum bounty for this one might seem like peanuts but as long as the bugs you find are even remotely interesting, you’ll get a sizeable paycheck. In-scope properties include the Slack site, Slack API, and Slack’s web, desktop, and mobile clients.

  • Minimum payout is $50.
  • Over $100 for low issues.
  • Over $500 for medium issues.
  • Over $1,000 for high issues.
  • Over $1,500 for critical issues.

24. BrickFTP

BrickFTP is a file-hosting solution for businesses and corporations, so even if you’ve never heard of it before, just know that there are lots of people depending on its security. The payouts may not match Google or Microsoft, but they’re nothing to sneeze at either.

  • Minimum payout is $100.
  • Up to $1,000 for significant issues.

25. Spotify

If you love what Spotify offers and you want to help out, you can find and report a few bugs for them. It doesn’t seem like they’ve paid out too many bug bounties yet (under 100) so that’s why it’s last on our list, but it’s still worth checking out.

  • Minimum payout is $250.
  • Up to $2,500 for severe issues.

It’s Time for War Against the Bugs

It’s one thing to practice good online security habits and make sure that you properly secure your personal data, but it’s a whole nother thing to use whatever expertise you have to help a company keep its data and protocols secure.

And if you’re good at it, you can earn a decent amount of pocket money — one big bounty per year is basically a part-time income. So why not give it a go?

How do you feel about bug bounty programs? Have you ever won a bounty yourself? Are there any bounty programs we missed? Let us know in the comments below!

Image Credits: Facebook via Shutterstock, Mozilla via Shutterstock, PayPal via Shutterstock, Python via Shutterstock, Tumblr via Shutterstock
