A look at the top HackerOne bug bounties of 2016

Everyone from porn providers to the US Army utilizes the platform -- but what are the most lucrative programs that have been hosted this year?

black-vine-header-imagecredsymantec.jpg
Symantec

Bug bounty programs are a way for software vendors to outsource web domain, app and network security beyond their own in-house security teams and acquire as many eyeballs on potential security problems as possible before they become exposed and exploited by attackers.

Apple, Microsoft, Google and others run their own invite-only and open bug bounty schemes, with rewards sometimes reaching as high as $200,000 for the most severe flaws which could jeopardize users.

However, companies can also now outsource their bug bounty programs, too -- and often offer lucrative financial rewards to entice researchers to investigate their products.

While a number of private, invite-only bug bounty programs hosted on bug bounty program HackerOne are offering rewards of up to $30,000 for the most severe security flaws, researchers can still receive respectable rewards through public bounties.

HackerOne considers the bug bounties below as 2016's most competitive programs.

1. PornHub

PornHub's bug bounty program, launched in May this year, has already accepted reports and thanked 311 hackers for their efforts in finding security flaws in the porn provider's web domains.

The top reward for this program, $20,000, was awarded to researcher Static for reporting a remote execution flaw in July.

In total, PornHub has awarded cash prizes reaching a total of $150,420 for bug disclosures -- with the service being hacked only days after the bug bounty program was launched.

2. LocalTapiola

The Finnish insurance giant's bug bounty scheme, launched roughly eight months ago, has resulted in hackers being awarded some of the most competitive lures on the platform.

One security researcher recently received $18,000 for the disclosure of a critical flaw, and $50,000 is on offer for any hacker able to find serious, out-of-scope bugs.

While this maximum amount is yet to be claimed, bug reports went up by 50 percent when LocalTapiola pushed up the reward scale. In total, 38 reports have been resolved and 40 hackers have been thanked.

3. Twitter

Microblogging platform Twitter's bug bounty program has proven to be a popular avenue for security researchers looking to make some extra cash.

Over 365 hackers have submitted security flaws with 549 issues resolved. Six months ago, one hacker was awarded $15,120 for reporting a critical bug.

In total, $561,980 has been paid out through the HackerOne platform.

4. Snapchat

Snapchat's bug bounty scheme, launched two years ago, is a relatively successful program which has resulted in 125 security researchers being awarded over $70,000 to date. The minimum available for a valid bug report is $100, but some researchers have earned $10,000 out of a $15,000 maximum award.

5. Uber

Taxi-hailing service Uber's bug bounty program, with a response time of around a day, asks researchers to find bugs in both Uber's web interface and app, ranging from cross-site forgery (XSS) issues to remote code execution.

To date, 466 hackers have been thanked and the top rewards are worth $10,000. The average bounty is between $759 and $1,000.

6. Hack the Pentagon

Hack the Pentagon was the US government's foray into bug bounty programs. The program ran for 24 days in March, resulting in 138 vulnerabilities being taken care of and $70,000 awarded to researchers. The highest bug bounty reward was $3,500, with the average bounty worth $588.

The program proved to be enough of a success that Hack the Army was born, a program designed to challenge researchers to find security flaws in the US Army's front-facing systems in return for thousands of dollars in rewards.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All