The Top Bug Bounty Programs


Disclosure: This page contains affiliate links. If you click through and purchase an item, I may earn a commission. See my terms of service for details.


The first time I heard the word bounty was in a Star Wars movie. In Episode V: The Empire Strikes Back, Boba Fett, a bounty hunter, is asked by Darth Vader to capture Han Solo. As Darth Vader states, “There will be a substantial reward for the one who finds the Millennium Falcon. You are free to use any methods necessary, but I want them alive.” Working as a freelance bounty hunter, Fett catches Solo and delivers him to Vader. It’s unknown how much Fett earned for Solo’s capture, but it must have been a lot to make the galactic chase worthwhile.

As an affiliate marketer, it’s rare to talk in terms of bounties. Affiliates discuss things like clicks, impressions, conversions, sales, and links. However, Amazon’s affiliate program, Amazon Associates, has a bounty program. Associates can earn fixed advertising fees (bounties) when their referrals sign up for services and programs. For instance, if someone clicks on my Amazon affiliate link and registers for an Amazon Business account, I’ll earn $15.

What Is a Bug Bounty?

A bug bounty is a sum of money that is paid to a person who finds and reports a bug. A software “bug” is an error, flaw, failure, or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in an unintended way. The process of finding and fixing bugs is called “debugging” and often calls for techniques or tools to pinpoint bugs. Most bugs arise from mistakes and errors made in either a program’s source code or its design, or components and operating systems used by such programs. Bounties and issuing rewards/prizes are standard in IT circles.

Bug bounty programs are growing. Apple and Netflix have joined the bounty parade in recent years. Companies realize that bounty programs are cost-efficient and practical for recruiting security researchers to detect vulnerabilities. Bounty programs also encourage ethical hacking over unethical hacking. By contrast, not having a program decreases the chances of finding bugs because fewer people will look for them. Software bugs increase the risk of exploitation by bad actors, which can lead to costly financial, legal, and PR disasters. Case in point, it seems like cryptocurrency exchanges are hacked daily, with stolen user data and bad press as the result.

Depending on the magnitude of the bug discovery, the media may cover it. For example, many media outlets reported news about Grant Thompson’s Apple bug discovery (in part because Thompson was 14 years old). Apple intends to compensate Thompson with a sum between $25,000 and $200,000. That’s a healthy amount of money and exceeds what many others make in other online activities.

Discussions about “making money online” typically exclude bug bounty programs, ethical hacking, penetration testing, and white hat activities. However, these are promising ways to earn a living online. Moreover, if you’re someone who is good at problem-solving or enjoys finding app design and development flaws, there are plenty of opportunities. For instance, many freelancers on Fiverr provide site and app fix-it services. Bug bounty and ethical hacking courses are available on many e-learning websites such as Coursera, which offers a Cybersecurity Specialization consisting of five courses.

Let’s explore several high paying and popular bug bounty programs. You’ll find many programs on crowdsourced security platforms like HackerOne, Bugcrowd, and Synack. Financial rewards are in U.S. dollars.

High Paying Bug Bounty Programs
  • Apple – Up to $200,000

Apple Bug Reporter is a web-based tool that developers can use to report issues with Apple software and services, request enhancements to APIs and tools, and track the status of their feedback. Learn about the invite-only Apple bug bounty program.

  • AT&T – Up to $20,000

AT&T’s bug bounty program applies to security vulnerabilities found within AT&T’s public-facing online environment. That includes AT&T’s websites, exposed APIs, mobile apps, and devices. Learn about the AT&T bug bounty program.

  • Facebook (Instagram, WhatsApp, etc.) – Minimum of $500

Facebook recognizes and rewards security researchers who help it keep people safe by reporting vulnerabilities in its services. Monetary bounties for such reports are entirely at Facebook’s discretion. Learn about the Facebook bug bounty program.

  • GitHub Security – Up to $20,000

GitHub’s bounty program acknowledges researchers and provides cash for their efforts. Learn about the GitHub bug bounty program.

  • Google – Up to $31,337

Google has a vulnerability reward program for Google-owned web properties. Learn about the Google bug bounty program.

  • Intel – Up to $250,000

Intel’s bug bounty program is open to the public. Any security researcher can take part and report potential security vulnerabilities in Intel branded products and technologies. Learn about the Intel bug bounty program.

  • Libra Association (Facebook) – Up to $10,000

The Libra Association is an independent, not-for-profit membership organization, headquartered in Geneva, Switzerland. The Libra Association governs Facebook’s cryptocurrency platform, Calibra, and crypto coin, Libra. Learn about the Libra bug bounty program.

  • Microsoft – Up to $250,000

The Microsoft bug bounty program is designed to supplement and encourage research in specific technologies to better protect its customers and the broader ecosystem. Learn about the Microsoft bug bounty program.

  • PayPal – Up to $30,000

PayPal’s bug bounty program has integrated with HackerOne. Learn about the PayPal bug bounty program.

  • Salesforce – Up to $15,000

The Salesforce bug bounty program is one of the many efforts that contribute to the security of its products and customers. Learn about the Salesforce bug bounty program.

  • Samsung – Up to $200,000

Samsung’s mobile security rewards program offers monetary rewards to improve the security of Samsung mobile products and services. Learn about the Samsung bug bounty program.

Programs on HackerOne and Bugcrowd

  1. Accenture
  2. Acorns
  3. Airbnb
  4. Alibaba
  5. AliExpress
  6. Android
  7. Apache
  8. Avast
  9. BBC
  10. Binance
  11. Capital One
  12. Chase
  13. Chrome/Chromium
  14. Cisco
  15. Coinbase
  16. cPanel
  17. Dashlane
  18. Dell
  19. DigitalOcean
  20. Django
  21. Dropbox
  22. eBay
  23. Ethereum
  24. Etsy
  25. Evernote
  26. Firebase
  27. GoDaddy
  28. Grammarly
  29. HubSpot
  30. Ikea
  31. Intercom
  32. com
  33. Kraken
  34. LinkedIn
  35. Mastercard
  36. Mozilla
  37. Netflix
  38. Nintendo
  39. js
  40. Oath
  41. Philips
  42. Pinterest
  43. Qualcomm
  44. Quora
  45. SAP
  46. Shopify
  47. Slack
  48. Sony
  49. Spotify
  50. Starbucks
  51. Stripe
  52. Twitter
  53. Uber
  54. Zapier

*Review programs to see if they pay cash rewards because not all do.


Chad Tennant

Chad is an online marketer, consultant, and publisher. He helps businesses and individuals achieve growth and financial success. Learn more at

