Thursday, September 20, 2012

List of Bug Bounty Programs

Bug Bounty Program a well known topic is on the heat these days, known companies like: Google, Facebook, Mozilla are paying for finding a vulnerabilities on their web servers, products, services or some associated applications. Here is a list for all the Security Researchers and Bug Hunters to target all the best :)

Bug Bounty Websites for Web Application Vulnerability

Mozilla
security@mozilla.org
http://www.mozilla.org/security
http://www.mozilla.org/projects/security/security-bugs-policy.html
http://www.mozilla.org/security/announce

Google
security@google.com
https://www.google.com/appserve/security-bugs/new?rl=xkp7zert49a5q6owod28bhr2

Facebook
http://www.facebook.com/whitehat/bounty

Paypal
sitesecurity@paypal.com
https://cms.paypal.com/cgi-bin/marketingweb?cmd=_render-content&content_ID=security/reporting_security_issues

Etsy
security-reports@etsy.com
http://www.etsy.com/help/article/2463

Wordpress
http://www.whitefirdesign.com/about/wordpress-security-bug-bounty-program.html

Commonsware
http://commonsware.com/bounty.html

CCBill
http://www.ccbill.com/developers/security/vulnerability-reward-program.php
http://www.ccbill.com/developers/security/rewards.php

Vark
http://www.vark.com

Windthorstisd
http://www.windthorstisd.net/BugReport.cfm


Bug Bounty Websites for Products Vulnerability

Mozilla
http://www.mozilla.org/security
http://www.mozilla.org/security/known-vulnerabilities/firefox.html

Google Chrome
http://www.chromium.org/Home/chromium-security/vulnerability-rewards-program

Zero Day Initiative
http://www.zerodayinitiative.com

Barracuda
bugbounty@barracuda.com
http://www.barracudalabs.com/bugbounty
http://www.barracudalabs.com/bugbounty/halloffame.html

Artifex Software
http://www.ghostscript.com/Bug_bounty_program.html

Hex Rays
http://www.hex-rays.com/bugbounty.shtml

Ardour
http://ardour.org/bugbounty

Piwik
http://piwik.org/security


Hall of Fame & Responsible Disclosure Websites(No Bounties)

Microsoft

http://technet.microsoft.com/en-us/security/cc308589
http://technet.microsoft.com/en-us/security/cc308575
http://technet.microsoft.com/en-us/security/cc261624
http://www.microsoft.com/security/msrc/default.aspx
http://technet.microsoft.com/en-us/security/ff852094.aspx

Apple
product-security@apple.com
http://support.apple.com/kb/HT1318
https://ssl.apple.com/support/security/

Adobe
http://www.adobe.com/support/security/bulletins/securityacknowledgments.html
http://www.adobe.com/support/security/alertus.html

IBM
http://www-03.ibm.com/security/secure-engineering/report.html

Twitter
https://twitter.com/about/security
http://support.twitter.com/groups/33-report-abuse-or-policy-violations/topics/122-reporting-violations/articles/477159-how-to-report-xss-api-and-other-security-vulnerabilities#
https://support.twitter.com/forms

Dropbox
security@dropbox.com
https://www.dropbox.com/security
https://www.dropbox.com/special_thanks

Yahoo
security@yahoo-inc.com

http://security.yahoo.com/article.html;_ylc=X3oDMTFwMGI4cDJnBF9TAzU2NTAwMDAwMgRhaWQDMjAwNjEyMDUwMQRjbmFtZQNZb3VyIFNlY3VyaXR5IG9uIFlhaG9vIQ--?aid=2006120501

Cisco
http://tools.cisco.com/security/center/home.x#~alerts

Moodle
http://moodle.org/security

Drupal
http://drupal.org/security-team

Oracle
http://www.oracle.com/us/support/assurance/reporting/index.html

Symantec
http://www.symantec.com/security

Ebay
http://pages.ebay.com/securitycenter/Researchers.html

Twilio
http://www.twilio.com/blog/2012/03/reporting-security-vulnerabilities.html

37 Signals
http://37signals.com/security-response

Salesforce
http://www.salesforce.com/company/privacy/disclosure.jsp

Reddit
http://code.reddit.com/wiki/help/whitehat

Github
http://help.github.com/responsible-disclosure/

Ifixit
http://www.ifixit.com/Info/responsible_disclosure

Constant Contact
http://www.constantcontact.com/about-constant-contact/security/report-vulnerability.jsp

Zeggio
http://www.zeggio.com

Simplify
http://simplify-llc.com/simplify-security.html

Team Unify
http://www.teamunify.com/__corp__/security.php

Skoodat
http://www.skoodat.com/Security

Relaso
http://relaso.com/disclosure

Moduscsr
http://www.moduscsr.com/security_statement.php

Cloudnetz
http://cloudnetz.com/Legal/vulnerability-testing-policy.html

Emptrust
http://www.emptrust.com/Security.aspx

Apriva
http://www.apriva.com/security

Amazon
http://aws.amazon.com/security/vulnerability-reporting

SqaureUp
https://squareup.com/security/levels

G-Sec
http://www.g-sec.lu/responsible.disclosure.policy.html

Xen
security@xen.org
http://wiki.xen.org/wiki/Security_Announcements
http://www.xen.org/projects/security_vulnerability_process.html

Engine Yard
http://www.engineyard.com/legal/responsible-disclosure-policy

Lastpass
https://lastpass.com/support_security.php

RedHat
https://access.redhat.com/knowledge/articles/66234

Acquia
https://www.acquia.com/how-report-security-issue

Mahara
security@mahara.org
https://wiki.mahara.org/index.php/Security


Zynga
security@zynga.com
http://company.zynga.com/security/whitehats

Risk.io
https://www.risk.io/security

Opera
http://www.opera.com/security/policy
https://bugs.opera.com/wizarddesktop
http://my.opera.com/securitygroup/blog/2013/04/05/thanks-to-the-researchers

Owncloud
http://owncloud.org/security/policy
http://owncloud.org/security/hall-of-fame

Scorpion Soft
security@scorpionsoft.com
http://www.scorpionsoft.com/company/disclosurepolicy


Norada
http://norada.com/norada/crm/security_response

Cpaperless
http://www.cpaperless.com/securitystatement.aspx

Wizehive
http://www.wizehive.com/security
http://www.wizehive.com/special_thanks.html

Tuenti
http://corporate.tuenti.com/en/dev/hall-of-fame

Nokia Siemens
http://www.nokiasiemensnetworks.com/about-us/responsible-disclosure

Sound Cloud
http://help.soundcloud.com/customer/portal/articles/439715-responsible-disclosure

HTC
security@htc.com

http://www.htc.com/www/terms/product-security

Neohapsis
http://www.neohapsis.com/disclosure.php

Nokia
security-alert@nokia.com
http://www.nokia.com/global/security/security
http://www.nokia.com/global/security/acknowledgements


BlackBerry
secure@blackberry.com
https://www.blackberry.com/profile/?eventId=8322
http://us.blackberry.com/business/topics/security/incident-response-team/collaborations.html

Heroku
security@heroku.com
https://policy.heroku.com/security

Chargify
security@chargify.com
https://chargify.com/security

Zendesk
security@zendesk.com
http://www.zendesk.com/company/responsible-disclosure-policy

Lookout
security@lookout.com
https://www.lookout.com/responsible-disclosure

Puppetlabs
security@puppetlabs.com
http://puppetlabs.com/security
https://puppetlabs.com/security/acknowledgments
https://puppetlabs.com/blog/responsible-disclosure-of-security-vulnerabilities

Gliph
https://gli.ph/s/security.html

4 comments:

  1. Hello Ajay. Thanks for this list. I've been following your work across the bug bounty programs. Can I send you an email about a new startup in the bug bounty space and get your feedback? Cheers, Ash

    ReplyDelete
    Replies
    1. Hello Ash, you are welcome, am glad to know that :). Yes sure you can email me about the new startup in the bug bounty space I will give you my feedback. Thanks, Ajay.

      Delete
  2. Hey Ajay thank for posting valueable information here.The Bug Bounty is really a scary word for me.Ajay can you tell me is Bug Bounty is one of the reason for fake visrus attack like Win32:Sirefef ??coz faced a problem and it seems like its a reason for that.

    ReplyDelete
    Replies
    1. Hi Andrea, my pleasure. I didn't understand why the Bug Bounty is an scary word for you :). Andrea I don't think Bug Bounty can be a reason for any fake virus attack like you have mentioned, but as many times people use many software which are not genuine or not been downloaded from a reliable source or many times people visit malware infected website so these can be the reason for Win32:Sirefef virus attacks, if you have faced this problem then you can resolve it also using any gud security suite etc, let me know if you are still facing that problem. Actually there could be lot more possibilities for these kinda virus attacks. And there is no relation of bug bounties for it.

      Delete

You Have Successfully Posted the Message.