5 large companies that use bug bounty programs

  • 26.03.2017
  • 7 min. read

A limited group of people, even security experts, is never able to deal with the thousands of black hat hackers who can potentially endanger companies operating in the online environment. However, disadvantages for businesses offering Internet products can be easily changed to their advantages. Just persuade part of the hackers to work for you. Bug bounty programs serve this purpose.

Bug bounty programs haven’t been invented in recent years. Companies have been aware of shortcomings in their online systems almost since the launch of the public Internet. Initially, however, the findings of security vulnerabilities were not paid for, and the only reward for the predecessors of “ethical hackers” was general recognition and gratitude. Today, the things work differently.

Why should you consider the bug bounty project?

The bigger turnover the company has, the more valuable and more important the online security is for the company. Rewards for ethical hackers represent, on average, 5% of the company’s budget for the development of IT projects. Although it can be hundreds thousands euros in international companies, it is always a good thing for companies. In the cyber attack, data could be lost, and the abuse would be even more expensive. Not to mention a story that is often irreparably damaged after a cyber attack.

A well-known victim of a cyber attack is, for example, Adobe. Due to an error in the security and thanks to intelligence of hackers, Adobe lost sensitive data of 36 million customers in 2013. Those were the login data (including originally encrypted passwords) and payment details of approximately 3.1 million users. The damage was virtually incalculable.

The leak of information from Yahoo servers is considered to be the biggest cyber attack in history. In September 2016, the company admitted that black-hat hackers stole data of 500 million users’ accounts from their system. In mid-December, Yahoo shocked the world with yet another revelation: in 2013, hackers stole data of 1 billion users from their database.

Today we will introduce bug bounty programs of 5 major companies and organizations. Each of you knows the companies and we want you to know how much they invest into online security.

5 large companies and organizations that have their own bug bounty programs


Facebook has been using its own bug bounty program for over 5 years. Their attitude to the work of ethical hackers is indeed exemplary. In the first half of 2016, Facebook reported more than 9,000 security flaws, with 149 hackers being awarded with total of $ 611,741. Since Facebook launched its own bug bounty program, 900 ethical hackers have been rewarded with more than $ 5 million.

In November 2013, the Brazilian computer expert Reginaldo Silva reported the big system bug to Facebook. It involved an OpenID authentication system that could be attacked remotely and sensitive user data could have been captured this way. In return for reveal of this error, he received  $ 33,500 reward from Facebook.


Google, currently owned by the parent company Alphabet, offers the ethical hackers the opportunity to join a number of bug bounty programs that are divided into several services. The biggest bug bounty program of the company focused on the domains google.com, youtube.com and blogger.com has been in operation since 2010. The individual security flaws discovered by ethical hackers are rewarded with $ 100 to $ 20,000 by Google.


Apple set up its own bug bounty program after the FBI requested access to locked and encrypted iPhone of attacker from a well-known American San Bernardino case in 2016. The program is only available to ethical hackers invited by Apple itself. Whoever gets an invite can search for the security flaws and be rewarded with up to $ 200,000.


The importance of comprehensive online security is also recognized by PayPal, company that proceeds hundreds of thousands of online payments worth millions of euros per day. For security mistakes found, PayPal pays an ethical hacker from $ 50 to $ 10,000. The company appreciates the most vulnerabilities connected with the leakage of sensitive data of its users.


Bug bounty programs may not serve only to commercial companies. Government organizations use the services of ethical hackers often, too. Pentagon’s bug bounty program is the proof. It has been in operation since 2016, and the US Department of Defense paid $ 100 to $ 15,000 for every security bug found.

Statistics from Pentagon bug bounty program (source: Hackerone)

Would you like to join?

To create your own bug bounty program today, you do not need an expensive team of security experts. The tips on how much you should invest in your security can be found in our blog section. Our experts will be happy to help you with the setup of your own project.



IT safety newsletter for companies

Want to keep your company safe? Sign up for our newsletter and get regular tips and updates from the world of online safety.

Sign up