Companies that pay rewards for finding security flaws

6 days ago

Some companies run reward programs, also called «Bounty Programs», which pay money to hackers (a term that should not be confused with cybercriminals) who hack their systems or find vulnerabilities and security flaws. The companies thus receive very valuable help in discovering whether something is wrong, so that it can be reported and repaired, and the person who found the fault is rewarded.

Technology giants like Google, Meta or Intel invite hacking experts, or any user, to try to enter their systems legally and look for errors. How these programs operate varies from company to company; here you will learn the details of some of them.

Table of contents
  1. «Bounty Programs»: what they are and how they work
  2. Apple
  3. Google
  4. Microsoft
  5. Meta
  6. Uber
  7. Intel
  8. Snapchat

«Bounty Programs»: what they are and how they work

Hacking a private system can be a crime punishable by years in prison if the cybercriminal is proven guilty. However, when the rules change and the hacking is done with the company's authorization, the objective is ethical and the results lucrative. Learn which corporations implement Bounty Programs and how they apply them.

Apple

Apple has a reward program for ethical hackers, who in exchange for money try to find security flaws and report them so they can be fixed. Through the independent portal "Apple Security Bounty" it gives attackers the freedom to test the security of the latest versions of its operating systems, such as iOS, macOS and watchOS.

It is the company that offers the most money in rewards, with figures that can reach two million dollars. To take part in this program, you must go to the website https://security.apple.com/bounty/ and, from its list of eligible people, send a report on the selected vulnerability.

To qualify for the highest reward, you must be the first to report it clearly and concisely, maintaining the confidentiality of the case. The bug also cannot be published until Apple has released the update that fixes it.


Google

Google has its own centralized program called the "Vulnerability Rewards Program (VRP)", which covers security flaws across its ecosystem, including the search engine, Android, YouTube, Chrome and more. To take part in this program, you must go to the website “https://bughunters.google.com/”, where the rules and requirements are shown.

There are vulnerabilities that are rewarded and there are others that are not, so if you want to receive money for your efforts, you should choose those that are paid. Google does not allow tools that generate massive or high-volume attacks during participation. Deceptive strategies such as "phishing" cannot be applied to attack company employees, and the private data of Google users must be respected.

The reward payment is divided depending on the impact generated by the failure. For example, the highest payment is $1,500,000 million and is aimed at a "full chain exploit" that compromises the Titan M security chip in Pixel phones.


Microsoft

Microsoft is another technology giant betting on rewards for ethical hackers. It has its own program, called the “Microsoft Bug Bounty Program,” in which researchers target specific cloud products such as Azure, the Edge browser, or flaws in the Windows ecosystem.

To participate in the program, you must go to its website “https://www.microsoft.com/en-us/msrc/bounty” and submit a report of a listed vulnerability. The maximum reward offered by Microsoft is $250,000 to anyone who can report bugs in its Microsoft Hyper-V virtualization system.

Microsoft hosts special events where researchers can find bugs live and report them. In exchange, they receive instant rewards with cumulative jackpots of up to $5,000,000.


Meta

Meta has an internal program in which it offers rewards in exchange for reports of vulnerabilities throughout its ecosystem of platforms. To participate, you must go to the website “https://bugbounty.meta.com/es-la/” and send a report.

Meta's team of engineers validates the information and evaluates the level of impact that the flaw has on its servers and its users. Depending on the magnitude, it assigns a reward, which can reach $300,000, with a minimum of $500 for minor flaws.


Uber

Uber uses the external platform “HackerOne” to run its bug bounty program. To be part of it, you must go to the website "https://hackerone.com/uber", then locate a bug and report it.

The program is valid for the Uber, Uber Driver, Uber Eats and Postmates applications. The company requires hackers not to attack the company's offices, carry out denial-of-service attacks, or attempt any social engineering or phishing against its employees. Program participants cannot use their personal Uber accounts; they must use test accounts or an email prefix assigned to them by HackerOne.

Payment is made after the HackerOne engineering team verifies the bug; there is no need to wait for the patch or update to be released. Amounts can reach a maximum of $15,000 per reported error.


Intel

Intel operates its own bug bounty platform. To be part of the program, you must go to the website "https://www.intel.com/content/www/us/en/security-center/bug-bounty-program.html". The company focuses its program on the hardware, microcode and firmware of its processors and physical components.

Payments depend on the level of the vulnerability, ranging between 250 and 100,000 dollars. However, Intel has an exclusive $250,000 reward for anyone who can detect flaws linked to software-based side-channel attacks.


Snapchat

The social network Snapchat operates its Bug Bounty program through the company HackerOne, which offers a direct website for the platform: "https://hackerone.com/snapchat". Bugs can be looked for in the mobile application, web services and APIs, and its artificial intelligence.

Participants must use a test account and not a personal one. They must protect the personal information of the social network's users: if they manage to enter the database by mistake, they must stop their operations.

Snapchat pays depending on the level of impact of the vulnerability, between $2,000 and $35,000. The company gives double bonuses to participants who discover security flaws in new releases.
