Using bug bounty programs in Europe

  • 01.06.2018
  • 8 min. read

Security testing through bug bounty programs has been present in the world for decades. Although its history is longer in the Anglo-Saxon world, it has started to appear in Europe over time.

Companies have two options for this type of security testing. They can create their own bug bounty program and run it on their own or use the services of one of the bug bounty platforms that helps them create and manage their bug bounty project.

Bug bounty platforms offer several benefits – they eliminate the need to employ another specialist to manage such a project, they have registered a larger number of ethical hackers and due to their geographical diversity they are suitable for companies also on the legislative part. This is the very reason why companies choose a bug bounty program from their area.

Zdroj: Pixabay

Bug bounty programs and legislation in Europe

European bug bounty programs are based on European legislation. Their advantages include, for example, the foreclosure of non-EU secret services, often lower fees, a higher number of highly qualified white hat hackers from Europe, or a simpler possibility of personal consultation if a specific bug bounty program is needed.

Zdroj: Pixabay


GDPR legislation should play a vital role the decision-making process of companies operating in Europe. In the EU, it sets out a number of rules and obligations for working with sensitive data. Their violations might cause the high fines for the companies. Similarly, it is also a good idea for some companies to place the bug bounty platform servers across Europe.

European bug bounty platform

Currently, you can find multiple platforms for bug bounty programs in Europe. It is, of course, Hacktrophy, the first Central European bug bounty program, founded by representatives of Citadelo, Nethemba and ESET, but there are also other European bug bounty platforms such as Wavestorm, TestBirds, Yogosha, YesWeHack (, Intigriti, Zerocopter and many others.

Our goal is to show that even today in Europe we have a wide range of bug bounty programs and therefore it is not a rare way to test online security. On the contrary, it is already being used by companies of all sizes and areas. We have selected representative examples for you to show that the bug bounty program is also suitable for testing your online security.

Banks and financial institutions

Within the banking sector, online security is one of the pillars of business. User demands for securing their services are higher each year, and the companies are also aware of that. That is why many banks and financial companies in Europe use some form of bug bounty program:

Bank N26 – German bank N26 tests the security of its website but also mobile applications with a public bug bounty program. The maximum reward for finding a critical vulnerability is $ 2000.

De Nederlandsche Bank – The Dutch bank DNB also runs its own bug bounty program. It tests all its systems in it, but does not disclose pre-defined wages for finding vulnerabilities.

Trust Pay – payment gatewayTrust Pay has its own bug bounty program based on the Hacktrophy platform. Ethical hackers can earn up to € 1000 for reporting significant vulnerabilities.

Insurance companies

The portfolio of life and non-life insurance is as attractive target for cyber attacks as banking accounts. In Europe, therefore, many companies test their IT security with bug bounty projects, for example:

NN Insurance Company – Dutch NN Insurance Company offers a private bug bounty program to test the security of all systems. It offers detailed descriptions of test subjects and permitted techniques as well as reporting conditions.

ING – In addition to a detailed description of security vulnerabilities for clients, ING also offers rewards for finding vulnerabilities. Ethical hackers and attentive users can report them directly to an insurance company, and they will be paid a relevant reward.

Stock exchanges and cryptmarkets

Financial flow and commodity trading are exciting targets for black-hat hackers. All stock exchanges should therefore ensure the highest possible security of their systems. An example of this is the German exchange, which offers its own bug bounty program with interesting rewards.

You should also notice peter-to-peer BTC & LTC Cryptographic Exchange Hodl Hodl, which offers a reward of up to 1300 EUR in its new bug bounty project.

Industry and OEM manufacturers

In Europe, several industrial and OEM manufacturers have their headquarters. Many of them offer bug bounty programs. Among them, there are renowned brands like:

Schneider Electric – The electronics manufacturer offers a bug bounty program for reporting vulnerabilities in its systems and products. Reports are evaluated by the manufacturer’s own CPCERT.

Philips – a well-known Dutch manufacturer is testing its security with a public bug bounty program. In addition to financial rewards, it offers also Hall of Fame for all ethical hackers who have discovered significant security vulnerability in some of their products.

Bosch – This German engineering and energy company has its own security PSIRT team, but it also receives reports on vulnerabilities in its own security program.

Software companies

If we are talking about IT security, it should be logically a primary interest to companies that operate in the IT sector. There is a number of such companies in Europe, but they also test security using bug programs or vulnerability reporting programs:

SAP – You probably know SAP. Today it operates in several European as well as non-European countries and delivers advanced business solutions. Its has a team that takes care of its security, but it also work with reports reported by public.

Schuberg Philis – Dutch IT company Schuberg Philis offers its own program for reporting security vulnerabilities. Proactive users who find bugs in their systems will be rewarded a 50 € voucher or champagne.

Hostinger, a German hosting provider, also takes care of its security that is proved by its own bug bounty program for reporting vulnerabilities. The minimum reward is $ 50, the upper limit of the rewards is not set.


Smartphone manufacturers, operators and companies offering their services in the telecom sector offer generally attractive bonuses to find vulnerabilities in their products or services.

Deutsche Telekom – one of Europe’s largest operators and member of Telekom Group – Deutsche Telekom – offers a bug bounty program to test its own website: It specifies 5 types of vulnerabilities that are relevant to operator reporting.

Orange – French operator Orange has its own CERT team, but for a long time it has been offering also its own bug bounty program. While the operator has also run a public bug bounty program over the past years, it now offers only a private security testing program (invitations only).

NOKIA – also one of the world’s leading mobile and telecommunication manufacturers – Finnish Nokia – has its own program to report security vulnerabilities. Contributors are listed in the Hall of Fame section on their website.

Telenet – Belgian mobile operator Telenet offers its own bug bounty program with rewards that depend on the type of vulnerability found. Details can be found on the operator’s website.

Vodafone – The Dutch branch of the Vodafone operator also has a program to look for security vulnerabilities. Although you will not get a financial reward in case you find a bug in the system, the operator will reward you with a gift and a thank you note.

Swiscomm – Swiss Telco & IT company with over 20,000 employees runs its own bug bounty program. The amount of rewards is based on the type of vulnerability found.

Security companies

Security businesses also need to test the security of their own systems. That’s why we find a number of interesting bug bounty programs in companies in Europe, which, in the normal situation, test the security of other companies.

Hacktrophy – we care about our online security. In order to find vulnerabilities in our bug bounty platform, we offer financial rewards up to 700 EUR.

AVG – a company known for its antivirus solution, AVG tests its security, among other things, with a public bug program bounty of up to EUR 1000.

Avast – Although Avast and AVG today form one company, both of the (subsidiary) companies offer their own bug bounty program. The one of Avast is also quite interesting, because it offers rewards up to $ 10,000.


Today’s online security is also about companies that focus on transport. Through the Internet, they do not sell only travel tickets, but also other products and services to customers. Many of their systems are, moreover, dependent on online communication, and must therefore be guaranteed to run smoothly.

Lufthansa – German carrier Lufthansa offers, in addition to transport, its own internet shop with various products and services for customers. Company decided to test its security by using the bug bounty program.

Brussels Airlines – A full-fledged program for security vulnerabilities is also offered by Brussels Airlines. Unlike Lufthansa, in this case the bug bounty program also concerns the main carrier site, which also offers ticket sales. Rewards for ethical hackers amount to up to € 5,000.

Car producers

After the Jeep has been hacked,  the security of automobile systems has become the topic of discussions. Car manufacturers are using increasingly advanced systems, often controlled over the Internet as well. So it is no wonder that even in Europe some of them are starting to test IT security through a public bug bounty program.

Fiat Chrysler Automobiles (FCA), a carmaker based in UK, has its own bug bounty program that tests not only websites and mobile apps, but also the individual intelligent parts of their cars.

Parliaments and governmental organizations

European Commission – the European Commission’s first bug bounty program is a little less traditional. In particular, it uses open source software, whose authors often do not have the money to test their security more successfully. That’s why the EC has created its own bug bounty program that tests the security of open source solutions it uses – such as the VLC media player.

Dutch Cybernetic Security Center  (NCSC) – also the Dutch state administration tests its security using the bug bounty program. Rewards for finding vulnerabilities are various – from T-shirts to  € 300 vouchers for an extremely dangerous error in the NCSC system.

Other industries

Healthcare: La Roche Ltd. – A well-known manufacturer of medicines and medical aids – La Roche, also has a bug bounty program. Its goal is to test the security of several dozen websites that the manufacturer operates.

Online presentations: Prezi – the Prezi system for creating interactive presentations by the most famous companies and recognized companies (e.g. Harvard). As it is an online service, Prezi also has its own bug bounty program.

Your bug bounty program

Every day, more than 5 million sensitive data are leaked on the Internet. Many of these leaks are caused by weak security of your business network or device. The Bug Bounty program is a cost-effective and time-saving long-lasting form of security testing.

You also need to test your IT security under the new GDPR Regulation, which has already entered into force in Slovakia. Failure to comply with itd rules will entail high financial penalties, not to mention the funds needed to repair the damage caused by a successful hacker attack.

Create your own bug bounty program and increase your security by having ethical hackers looking for security vulnerabilities.


IT safety newsletter for companies

Want to keep your company safe? Sign up for our newsletter and get regular tips and updates from the world of online safety.

Sign up