Disclosure: This page contains affiliate links. If you click through and purchase an item, I may earn a commission. See my terms of service for details.
The first time I heard the word bounty was in a Star Wars movie. In Episode V: The Empire Strikes Back, Boba Fett, a bounty hunter, is asked by Darth Vader to capture Han Solo. As Darth Vader states, “There will be a substantial reward for the one who finds the Millennium Falcon. You are free to use any methods necessary, but I want them alive.” Working as a freelance bounty hunter, Fett catches Solo and delivers him to Vader. It’s unknown how much Fett earned for Solo’s capture, but it must have been a lot to make the galactic chase worthwhile.
As an affiliate marketer, it’s rare to talk in terms of bounties. Affiliates discuss things like clicks, impressions, conversions, sales, and links. However, Amazon’s affiliate program, Amazon Associates, has a bounty program. Associates can earn fixed advertising fees (bounties) when their referrals sign up for services and programs. For instance, if someone clicks on my Amazon affiliate link and registers for an Amazon Business account, I’ll earn $15.
What Is a Bug Bounty?
A bug bounty is a sum of money paid to a person who finds and reports a bug. A software “bug” is an error, flaw, failure, or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in an unintended way. The process of finding and fixing bugs is called “debugging” and often calls for specialized techniques or tools to pinpoint the cause. Most bugs arise from mistakes made in a program’s source code or design, or in the components and operating systems such programs rely on. Bounties and similar rewards or prizes are standard practice in IT circles.
Bug bounty programs are growing. Apple and Netflix have joined the bounty parade in recent years. Companies realize that bounty programs are a cost-efficient and practical way to recruit security researchers to detect vulnerabilities. Bounty programs also encourage ethical hacking over unethical hacking. By contrast, not having a program decreases the chances of finding bugs because fewer people will look for them. Software bugs increase the risk of exploitation by bad actors, which can lead to costly financial, legal, and PR disasters. Case in point: cryptocurrency exchanges seem to be hacked almost daily, resulting in stolen user data and bad press.
Depending on the magnitude of the bug discovery, the media may cover it. For example, many media outlets reported on Grant Thompson’s Apple bug discovery (in part because Thompson was 14 years old). Apple intends to compensate Thompson with a sum between $25,000 and $200,000. That’s a healthy amount of money and exceeds what many people make in other online activities.
Discussions about “making money online” typically exclude bug bounty programs, ethical hacking, penetration testing, and white hat activities. However, these are promising ways to earn a living online. Moreover, if you’re someone who is good at problem-solving or enjoys finding app design and development flaws, there are plenty of opportunities. For instance, many freelancers on Fiverr provide site and app fix-it services. Bug bounty and ethical hacking courses are available on many e-learning websites such as Coursera, which offers a Cybersecurity Specialization consisting of five courses.
Let’s explore several high-paying and popular bug bounty programs. You’ll find many programs on crowdsourced security platforms like HackerOne, Bugcrowd, and Synack. Financial rewards are in U.S. dollars.
High Paying Bug Bounty Programs
- Apple – Up to $200,000
Apple Bug Reporter is a web-based tool that developers can use to report issues with Apple software and services, request enhancements to APIs and tools, and track the status of their feedback. Learn about the invite-only Apple bug bounty program.
- AT&T – Up to $20,000
AT&T’s bug bounty program applies to security vulnerabilities found within AT&T’s public-facing online environment. That includes AT&T’s websites, exposed APIs, mobile apps, and devices. Learn about the AT&T bug bounty program.
- Facebook (Instagram, WhatsApp, etc.) – Minimum of $500
Facebook recognizes and rewards security researchers who help it keep people safe by reporting vulnerabilities in its services. Monetary bounties for such reports are entirely at Facebook’s discretion. Learn about the Facebook bug bounty program.
- GitHub Security – Up to $20,000
GitHub’s bounty program acknowledges researchers and provides cash for their efforts. Learn about the GitHub bug bounty program.
- Google – Up to $31,337
Google has a vulnerability reward program for Google-owned web properties. Learn about the Google bug bounty program.
- Intel – Up to $250,000
Intel’s bug bounty program is open to the public. Any security researcher can take part and report potential security vulnerabilities in Intel branded products and technologies. Learn about the Intel bug bounty program.
- Libra Association (Facebook) – Up to $10,000
The Libra Association is an independent, not-for-profit membership organization, headquartered in Geneva, Switzerland. The Libra Association governs Facebook’s cryptocurrency platform, Calibra, and crypto coin, Libra. Learn about the Libra bug bounty program.
- Microsoft – Up to $250,000
The Microsoft bug bounty program is designed to supplement and encourage research in specific technologies to better protect its customers and the broader ecosystem. Learn about the Microsoft bug bounty program.
- PayPal – Up to $30,000
PayPal’s bug bounty program has integrated with HackerOne. Learn about the PayPal bug bounty program.
- Salesforce – Up to $15,000
The Salesforce bug bounty program is one of the many efforts that contribute to the security of its products and customers. Learn about the Salesforce bug bounty program.
- Samsung – Up to $200,000
Samsung’s mobile security rewards program offers monetary rewards to improve the security of Samsung mobile products and services. Learn about the Samsung bug bounty program.
Programs on HackerOne and Bugcrowd
- Capital One
*Review each program to see if it pays cash rewards, because not all do.