A bug bounty is a monetary payout for finding and reporting security holes in software. If you have expertise in security protocols, you could make some extra pocket money hunting for bugs in popular apps and websites.

It's also a great way to sharpen your skills and build your reputation as a security expert -- to the point where you could be recruited by companies (or even the American government). Here are the best bug bounty programs available in 2016.

High-Payout Bug Bounties

For purposes of this article, a high-payout bug bounty is one that can potentially pay above $5,000 for a single report. In practice, earning such high-paying bounties can be extremely tough and reports can indeed result in much lower payouts.

1. Microsoft

Microsoft actually has five separate bug bounty programs as of this writing, with three of them marked as "Ongoing" and two of them having definite end dates. We'll only list the Ongoing bounties below.

These are some of the best-paying bug bounties currently available.

security-bounty-facebook-notifications
Image credit: JaysonPhotography via Shutterstock

2. Facebook

Facebook paid out over $1 million in 2014 to bug bounty hunters, which just goes to show how much money Facebook is willing to throw at their security holes. This company is serious about securing its platform.

3. Google

Google's bug bounty program covers vulnerabilities across Google, YouTube, and Blogger. Note that there are tons of people hunting bugs for Google, so finding one with a big payout may feel like panning for gold.

  • Minimum payout is $100.
  • Up to $7,500 for severe client/session bugs.
  • Up to $20,000 for severe server-access bugs.

4. Chrome

Google also offers bounties for bugs found in the Chrome browser. Any bug that exists in the Stable, Beta, or Dev channels of Chrome, along with any bug that exists in a third-party component of Chrome, are eligible for rewards.

  • Minimum payout is $500.
  • Up to $4,000 for information leaks.
  • Up to $15,000 for severe issues.
  • Bonus: $100,000 reward for anyone who can compromise a Chromebook or Chromebox in guest mode that persists between device reboots.

5. Pornhub

Regardless of how you feel about pornography, it's hard to deny that Pornhub's recently-annoucned bug bounty program is enticing -- and since it's so new, there may be many bugs out there waiting to be discovered.

  • Minimum payout is $50.
  • Up to $5,000 for severe issues on Pornhub subdomains, blogs, and other related properties.
  • Up to $25,000 for severe issues on the Pornhub and Pornhub Premium sites as well as the Pornhub mobile app.

6. Yahoo

Despite the fact that Verizon recently acquired Yahoo, the bug bounty program is still going strong and there's no news to indicate that it will be shutting down any time soon. In-scope properties include Yahoo, Flickr, Polyvore, and more.

  • Minimum payout is $50.
  • Up to $15,000 for severe issues.
security-bounty-mozilla-software

7. Mozilla

Mozilla provides bug bounties for security holes in the following client software: Firefox, Firefox for Android, FirefoxOS, and Thunderbird. For the most part, only "security critical" bugs are eligible for bounties.

  • Minimum payout is $500.
  • Up to $2,000 for moderate issues.
  • Up to $7,500 for critical issues.
  • Over $10,000 for exceptional issues.

8. Dropbox

There are so many things you can do with Dropbox, including poke around for security holes. Eligible in-scope properties include the web, desktop, Android, and iOS clients for Dropbox as well as bugs in the Dropbox Core SDK and Dropbox Paper.

  • Minimum payout is $216.
  • Up to $10,000 for severe issues.

9. Uber

The announcement post for Uber's Bug Bounty program lists a "treasure map" that gives you a great starting point for Uber's public-facing services and what kind of security holes to look for.

  • Up to $3,000 for medium issues.
  • Up to $5,000 for significant issues.
  • Up to $10,000 for critical issues.

10. GitHub

GitHub has turned into one of the most important free collaborative tools for programmers, so much so that GitHub disruptions are incredibly expensive for many companies. As such, it's of utmost importance to keep it up and running.

  • Minimum payout is $200.
  • Up to $10,000 for severe GitHub API issues.
  • Up to $10,000 for severe GitHub Gist issues.
  • Up to $10,000 for severe GitHub site issues.

11. Avast

Avast didn't make it onto our list of the best free security suites for Windows but it's still a popular choice across the world. The bounty only applies to bugs found in the Avast software itself: Avast Free Antivirus, Avast Pro Antivirus, Avast Internet Security, and Avast Premier.

  • Minimum payout is $400.
  • Up to $10,000 for severe issues.
security-bounty-paypal-mobile

12. PayPal [No Longer Available]

PayPal has several different consumer-facing services that all need to be vetted and maintained for maximum security, hence the bug bounty program. In-scope properties include PayPal's subdomains, subsidiary sites like BillMeLater and Billsafe, and certain partner sites.

  • Minimum payout is $100 for partner properties.
  • Minimum payout is $750 for core properties.
  • Up to $1,500 for severe issues on partner properties.
  • Up to $10,000 for severe issues on core properties.

13. Coinbase

Coinbase is the world's most popular destination for buying and trading alternative currencies like Bitcoin, Dogecoin, and other cryptocurrencies. If any site needs a bug bounty program, it's one that handles as much money as Coinbase does.

  • Minimum payout is $100.
  • Up to $10,000 for severe issues.

14. Android

If you own a cutting-edge Google-made Android device and know how to hunt for security holes in the operating system, this program's for you. As of this writing, eligible devices include the Nexus 5X, Nexus 6P, Nexus 9, and Pixel C.

  • Minimum payout is $200.
  • Up to $1,000 for low issues.
  • Up to $2,000 for moderate issues.
  • Up to $4,000 for high issues.
  • Up to $8,000 for critical issues.
  • Bonus: Between $10,000 and $50,000 if you can demonstrate an exploit that leads to compromises in the kernel, TEE TrustZone, or Verified Boot.

15. LINE

LINE is a popular free messaging app for mobile devices and anything related to communication is always a hotbed for bugs and exploits. These bug bounties only apply to the LINE Messenger mobile app and not to any LINE-related Family or Game apps.

  • Minimum payout is $500.
  • Up to $10,000 for severe issues.

16. Flash

It's almost comical how many security vulnerabilities exist in Flash, so much so that it's gotten to the point where using Flash is simply a bad idea. The good news is that you can get paid if you find one of these numerous vulnerabilities.

  • Minimum payout is $2,000.
  • Up to $10,000 for severe issues.

Low-Payout Bug Bounties

Why would anyone opt to spend time and effort seeking out a lower-paying bounty? Well, the smaller payout means that you're competing against fewer people, which also means a greater likelihood of you finding bugs that haven't been reported yet.

In the long run, you could actually make more money by hunting lower-payout bounties, especially if you don't have the expertise to contend with the world class hackers who are hunting Google and Facebook bugs.

security-bounty-python-language

17. Python

It's weird to think of a bug bounty existing for a programming language, but it's true. The Internet Bug Bounty Panel offers rewards for security holes found in open source languages, including Python. Only bugs found in the core language and standard library are eligible.

  • Minimum payout is $500.
  • Over $1,500 for severe issues.

18. Apache

Apache's HTTP server software powers over half of the websites on the internet. Want to help make websites a little bit safer and more robust? This is a great way to contribute.

  • Minimum payout is $500.
  • Up to $1,500 for important issues.
  • Up to $3,000 for critical issues.

19. Prezi

Prezi is one of the best alternatives to Microsoft PowerPoint available at this time. Bug bounties are available for all of Prezi's web services and backend services, but are NOT available for Prezi's desktop or mobile apps.

  • Minimum payout is $500.
  • Undefined increase in payout for severe issues.

20. Square

Square is a money transfer service and a payment processing service, and as mentioned before, any service that deals with money needs to be as secure as possible. In-scope properties includ Square's web domains and mobile apps.

  • Minimum payout is $300.
  • Up to $3,000 for severe issues.

21. Django

The variety of bugs that qualify for Django's bounty program may not be wide, but the payouts are more than reasonable. Beware that your bounty may be forfeit if you scan or test against Django's servers.

  • Minimum payout is $250.
  • Up to $1,000 for low issues.
  • Up to $2,000 for moderate issues.
  • Up to $3,000 for severe issues.
security-bounty-tumblr-mobile

22. Tumblr

This microblogging platform will pay you for finding bugs in any of its services or apps: Tumblr site, Tumblr API, Tumblr subdomains and services, and Tumblr mobile apps. Payouts are divided into three tiers.

  • Minimum payout is $200.
  • Up to $400 for major issues.
  • Up to $1,000 for critical issues.

23. Slack

The minimum bounty for this one might seem like peanuts but as long as the bugs you find are even remotely interesting, you'll get a sizeable paycheck. In-scope properties include the Slack site, Slack API, and Slack's web, desktop, and mobile clients.

  • Minimum payout is $50.
  • Over $100 for low issues.
  • Over $500 for medium issues.
  • Over $1,000 for high issues.
  • Over $1,500 for critical issues.

24. BrickFTP

BrickFTP is a file-hosting solution for businesses and corporations, so even if you've never heard of it before, just know that there are lots of people depending on its security. The payouts may not match Google or Microsoft, but they're nothing to sneeze at either.

  • Minimum payout is $100.
  • Up to $1,000 for significant issues.

25. Spotify

If you love what Spotify offers and you want to help out, you can find and report a few bugs for them. It doesn't seem like they've paid out too many bug bounties yet (under 100) so that's why it's last on our list, but it's still worth checking out.

  • Minimum payout is $250.
  • Up to $2,500 for severe issues.

It's Time for War Against the Bugs

It's one thing to practice good online security habits and make sure that you properly secure your personal data, but it's a whole nother thing to use whatever expertise you have to help a company keep its data and protocols secure.

And if you're good at it, you can earn a decent amount of pocket money -- one big bounty per year is basically a part-time income. So why not give it a go?

How do you feel about bug bounty programs? Have you ever won a bounty yourself? Are there any bounty programs we missed? Let us know in the comments below!

Image Credits: Facebook via Shutterstock, Mozilla via Shutterstock, PayPal via Shutterstock, Python via Shutterstock, Tumblr via Shutterstock