According to the NVD, over 6000 vulnerabilities were published in Q2 of 2022. That is an astonishing number considering that it counts only the vulnerabilities that received a CVE ID; plenty of vulnerabilities found in custom software never get one. The rate at which vulnerabilities are found is not slowing down, which is why ethical hackers who search for security flaws are in high demand. One way to bring together ethical hackers and companies that want their systems tested is the bug bounty platform. So today we are going to talk about the best bug bounty hunting platforms.
Why do security researchers participate in bug bounties?
People participate in bug bounties for many reasons. Some want to quit their corporate job and be in control of when and how much they work. Others want to learn. And for others it looks like an easy way to get rich. While this is definitely not a "get rich quick" method, a dedicated person can truly earn from it, either full time or part time.
What Is the Purpose of the Bug Bounty Hunting Platforms?
A bug bounty platform is a place where various bug bounty programs are listed. The platform usually acts as a bridge between companies that want their systems tested and ethical hackers who want to test those systems for a reward or recognition.
In a way, a bug bounty platform is a man-in-the-middle between the two.
Think of a bug bounty platform as a notice board. Companies post their bug bounty programs there, and anyone can come and see which companies are listed. Each posting has rules of engagement, the targets that are in scope (and often those explicitly out of scope), and the minimum and maximum payouts for the bounties.
Everyone can see this information (if the bug bounty program is public) and participate. One of the benefits of such platforms is that you use them to report the vulnerabilities you find. After you submit a report, a representative of the company you submitted it to reviews it and accepts or rejects it.
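Before you touch a target, the first practical check is whether the host you are about to test is actually inside the program's published scope, because exclusions (a legacy host, a staging environment) commonly sit underneath a wildcard that is in scope. The following script is an added example, not code from the original article or from any platform: it evaluates a URL, hostname or IP address against a constructed scope list (the example.com / example.net entries and the 192.0.2.0/24 range are made up for illustration), with out-of-scope entries taking precedence over in-scope wildcards.

```python
"""In-scope checker for a bug bounty program's asset list.

Added example for this article; the scope entries at the bottom are
constructed (example.com, example.net, 192.0.2.0/24), not a real program.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit


@dataclass
class Scope:
    in_scope: List[str] = field(default_factory=list)
    out_of_scope: List[str] = field(default_factory=list)


def _host_of(target: str) -> str:
    """Extract a lower-cased hostname from a URL, host:port, or bare host/IP."""
    if "://" in target:
        host = urlsplit(target).hostname or ""
    else:
        # urlsplit needs a scheme-relative form to parse host:port correctly
        host = urlsplit("//" + target).hostname or ""
    return host.lower().rstrip(".")


def _entry_matches(entry: str, host: str) -> bool:
    """Match one scope entry (exact host, *.wildcard, IP or CIDR) against a host."""
    entry = entry.lower().strip()
    # CIDR or single-IP entries: compare as networks, never as strings
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        net = None
    if net is not None:
        try:
            return ipaddress.ip_address(host) in net
        except ValueError:
            return False  # host is a name, entry is an IP range
    if entry.startswith("*."):
        # Wildcard covers any depth of subdomain but not the apex itself,
        # which programs usually list separately if it is in scope.
        # Keeping the leading dot prevents "evil-example.com" matching "*.example.com".
        return host.endswith(entry[1:]) and host != entry[2:]
    return host == entry


def classify(scope: Scope, target: str) -> str:
    """Return 'out', 'in' or 'unknown' for a URL, host or IP.

    Exclusions win over wildcard includes; anything not listed is 'unknown'
    and should not be tested until the program clarifies it.
    """
    host = _host_of(target)
    if not host:
        return "unknown"
    if any(_entry_matches(e, host) for e in scope.out_of_scope):
        return "out"
    if any(_entry_matches(e, host) for e in scope.in_scope):
        return "in"
    return "unknown"


# Constructed program scope (illustration only, not a real listing).
PROGRAM = Scope(
    in_scope=["*.example.com", "example.com", "api.example.net", "192.0.2.0/24"],
    out_of_scope=["legacy.example.com", "*.staging.example.com"],
)

if __name__ == "__main__":
    for t in [
        "https://app.example.com/login",
        "example.com",
        "legacy.example.com",
        "x.staging.example.com",
        "evil-example.com",
        "192.0.2.77",
        "api.example.net:8443",
    ]:
        print(f"{t:35} {classify(PROGRAM, t)}")
```

Treat "unknown" as "do not test": the legal protection a program offers applies only to assets it lists, and a string-based check that ignores the leading dot or the exclusion list is exactly how researchers end up testing out-of-scope hosts.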
Benefits of a bug bounty platform for security researchers:
- Listings of various vulnerability disclosure programs (VDPs) in one place
- Rankings – you can easily compare how you stand against other platform users
- Reports of publicly disclosed vulnerabilities. These show what a report of a specific vulnerability class should look like and are a good way to learn in general.
- Legal protection – as long as you stay within the program's scope and rules of engagement, you can participate legally without worrying about the consequences of doing the right thing.
Benefits of a bug bounty platform for companies:
- Exposes targets to a large number of penetration testers. This means vulnerabilities are found before malicious hackers exploit them.
- The platform removes some of the administrative burden and helps triage the reports that hackers submit.
- Promotes the vulnerability disclosure program to security researchers. The users are already on the platform, working on other programs.
How Popular Is Bug Bounty Hunting?
It all started in the mid-90s, when Netscape created the first bug bounty program ever. At the time a bounty of 500 dollars was offered for bugs. That amount remained the standard prize until 2010, when Google started offering 1337 dollars for higher-severity vulnerabilities. Soon after, bug bounties started gaining traction and potential payouts grew. And here we are: right now, Apple offers up to 1 million dollars for critical vulnerabilities.
Such bounties attract security researchers. According to the Hacker-Powered Security Report: Industry Insights '21, released by HackerOne, the number of submitted bugs increases every year.
38 863 bugs were reported in 2020, and in 2021 this number increased by 10%, up to 42 805 bugs.
The money is there as well. According to the same report, on average you can earn 3000 dollars for a critical vulnerability, a 20% increase over the 2020 average.
So – are the bug bounties worth it?
They are, for several reasons:
- First of all, it is a great way to learn.
- Secondly, it is financially rewarding (though you are unlikely to get rich, especially when you are just starting).
- Thirdly, the community is awesome. There are many great people you can learn from.
How to Choose a Bug Bounty Hunting Platform?
To answer that, you must first answer a simple question: what is your goal?
Is your main goal to learn?
Then the biggest bug bounty platforms, such as HackerOne or Bugcrowd, have many participating companies with large scopes. However, you can learn from any program, so you do not have to fixate on one platform. A good way to become good at hunting is to read reports written by other security researchers; HackerOne's disclosed reports come in handy here.
Do you want to make the internet a better place?
If you want to make public-facing software safer, search for vulnerabilities in open-source software, or in websites that have no program of their own. Open Bug Bounty is a project built for the latter.
Are you interested in blockchain bug bounties?
There are dedicated bug bounty platforms for this. One of them is Immunefi.
Are you a seasoned professional looking for the extra money?
Choose private bug bounty programs, where the competition is lower. Getting into a private program is harder, but the rewards can be better and there are usually fewer researchers on the target. However, since top-notch talent participates in private programs, do not expect finding vulnerabilities to be easier than in public programs.
These are just examples; you can still learn, earn, and make the internet a safer place on any bug bounty hunting platform.
And how do you choose a bug bounty program on a platform?
There is no single correct answer.
If you are a beginner and want to learn, do not restrict yourself. You might pick one program and later switch to another. A good idea is to choose a program with many disclosed reports. You can spend some time testing, and once you are familiar with the application, check the disclosed reports and analyze whether you would have found those vulnerabilities on your own.
If you want to earn some extra money, look for programs with the fewest researchers. Well-established programs have many people searching for bugs, and they have probably found many of them already, so fewer vulnerabilities may be left. Of course, you should also check the payouts for disclosures and how many of the submitted reports actually resulted in a payout.
Best Bug Bounty Platforms
The main criteria that determine the worth of a bug bounty hunting platform are the number of organizations on the platform and the number of participating users.
The more companies trust the platform to run their bug bounty program, the easier it is for a bug bounty hunter to choose what to work on.
A large number of registered researchers shows that the platform is popular and reliable. Choosing a platform may be difficult at first. If you are a beginner, just get started on one, try the others, and decide which one you like most.
Another important thing to understand about bug bounty platforms is that there are private and public programs. To be invited to private programs you will have to earn your name. More on this later.
These are the best bug bounty platforms.
HackerOne is probably the most popular bug bounty platform. Founded in 2012 and based in San Francisco, California, HackerOne has received Series A, B, C, D, and E funding. In its last round, Series E, HackerOne raised 49 000 000 USD. As one of the pioneers of bug bounty platforms, HackerOne is one of the biggest names in the industry.
Some facts about the HackerOne:
- Over 1 million security researchers on the platform
- More than 294 000 vulnerabilities resolved through the platform
- Over 1 000 companies work with HackerOne (although not all of them have vulnerability disclosure programs on the platform)
- Over 100 000 000 $ in bounties paid (as of May 2020)
- Many public reports, which are a great source of learning
Although HackerOne recently grabbed media attention because of an insider scandal, in which an employee was selling submitted bug reports, it remains one of the most reliable and reputable bug bounty hunting platforms.
Bugcrowd is another huge name in the bug bounty industry. Founded in 2011, it is one of the first and one of the largest platforms. The company was founded in Sydney, Australia, but now has offices across the world, with its HQ in San Francisco.
Many companies trust Bugcrowd to host their vulnerability disclosure programs, and Bugcrowd also offers penetration testing services and attack surface management.
Currently Bugcrowd has over 1400 bug bounty programs.
Intigriti is another popular bug bounty platform. It claims to be the most popular platform in Europe, and it has many European companies as clients. Founded in Belgium in 2016, the company has made its name in the community. Intigriti is active with its blog (Bug Bytes, a periodical of infosec news) and actively engages with its audience on Twitter.
While Intigriti has fewer bug bounty hunters than the big players such as HackerOne, right now there are:
- About 400 active bug bounty programs
- About 50 000 security researchers
- Over 5 million in bounties paid
Intigriti secured over 21 million in Series B funding in April 2022 and is growing year after year.
YesWeHack is another bug bounty platform founded in Europe; it is headquartered in Paris, France, with offices in France, Singapore, Switzerland and Germany.
The platform has 30+ different bug bounty programs.
While this is not the biggest platform out there, the company is gaining traction. In 2019 YesWeHack raised 4 million euros in a Series A funding round, and in 2021 it raised 16 million euros in a Series B round.
Synack is a bug bounty platform you will not get onto easily. Created in 2013 by former NSA employees Jay Kaplan and Mark Kuhr, Synack provides various cybersecurity services to the biggest companies. Synack also runs private bug bounty programs for security researchers, but to participate you must prove yourself and apply for a seat on the Synack Red Team.
One of the biggest advantages of Synack is that you can get paid for more than found bugs: checklist work is rewarded as well.
Because Synack handles the triage process and pays the bounties to the researchers itself, the process is stable and consistent.
While you will not become rich from Open Bug Bounty bounties, you do get the chance to make the internet a little safer. Open Bug Bounty is a community-driven platform that connects security researchers who have found a vulnerability in any website with the website's owners.
With the help of the platform, over 1 259 000 disclosures were submitted and over 905 000 vulnerabilities were fixed.
Almost 1 600 bug bounty programs are on the platform, and over 3 165 websites can be tested.
To date, the platform has attracted over 28 000 security researchers.
If you are interested in Web 3.0 bug bounties, HackenProof is the platform to go to. It is dedicated entirely to bounties for crypto projects. The platform was created by Hacken, a company founded in Kyiv, Ukraine in 2017 that has been delivering cybersecurity services with a strong focus on blockchain security ever since.
Currently there are 37 bug bounty programs on the platform, with a total reward pool of over 553 000 USD. The programs have received over 5700 reports.
Immunefi is another bug bounty platform dedicated to Web 3.0 bug bounty programs. Founded at the end of 2020, Immunefi offers some of the biggest bug bounties in the industry.
Immunefi's bug bounty programs have payouts of up to 10 000 000 USD.
In total, over 40 000 000 USD in bounties has been paid out, and over 132 000 000 USD in potential bounties is still available.
As Web 3.0 is an industry where a single hack can cause tremendous financial losses, the vulnerabilities found through the platform have, by Immunefi's estimate, averted over 20 billion USD in hack damages.
If you are a smart contract auditor, this is the platform where you will find many smart contract bug bounties.
Does Bug Bounty Experience "Count" as Work Experience?
While there are some positions where formal education and certificates are a must, people with experience are more valuable than fresh graduates. And if you have bug bounty experience, you can prove that you are capable of finding real security issues.
Unfortunately, not every HR person understands what bug bounties are and how much of a gem a person with a track record of vulnerabilities found through them is.
Since the term "bug bounties" might mean nothing to some people, when applying for jobs you must phrase your bounty experience accordingly. Example:
For the last 6 months I have been searching for vulnerabilities in the systems of companies in various industries (among them Google, Facebook and Yahoo). I found critical vulnerabilities that were rewarded with a total of 15 000 $.
This explains far more than the plain fact that you have participated in bug bounties.
How Hard Is It to Earn a Living as a Full-Time Bug Bounty Hunter?
What is worth considering is the experience you already have. If you do not have much IT experience, jumping directly into bug bounties and expecting a full-time income is just not very smart.
The applications in these programs are "battle tested". Internal security teams have usually already performed penetration tests before exposing the targets to the public, so it is much harder to find a vulnerability in such an application.
If you do not have enough penetration testing experience, keep your expectations low. You might get paid, but you would have to be extremely lucky, and in most cases it will not pay off financially. Keep in mind that many people are searching for bugs on the same target; some of the most popular bug bounty programs have thousands of security researchers looking for bugs.
Be aware of burnout.
As a full-time bug bounty hunter you can easily burn out. The job is highly technical, and hackers have a mindset of not giving up and trying harder. If you know how to keep a work-life balance, you will be fine. It is crucial to understand that there is more to life than bugs.
Another thing to consider before switching to full-time bug bounty hunting is that you will be working alone. The community is supportive, and you can always talk with like-minded people on Twitter, but you will not be working in a team and you will not be communicating with people during your work (only when explaining your findings). If you are an extrovert who likes communicating, sooner or later you will miss it. Social isolation is a serious risk.
While bug bounty hunting can be a way to make a living, if you love hunting for vulnerabilities you might also consider becoming a penetration tester. I have written a separate article about penetration testing as a career.
Private vs Public Bug Bounty Programs
The main difference between private and public bug bounty programs is that private ones are available only to a smaller set of security researchers.
To be invited to private bug bounty programs, you must recommend yourself, and the best way to do so is to have a track record of disclosed vulnerabilities.
By participating in bounties and getting vulnerabilities disclosed, you will receive invitations. For example, if you are hunting on HackerOne and building your profile there, once you are successful enough you will receive messages with invitations to private programs.
The reason these programs are private is that the participating companies do not want to expose everything to the public. Even though more testers would participate if the program were public, a public program also carries more risk, especially if the target is a critical system for the company.
In the end, it does not really matter which platform you choose. As long as you are hunting for security bugs, you are progressing in your career. Pick one platform from this list of the best bug bounty platforms, get familiar with it, and if you want to test another one, feel free to switch. After all, these are just platforms. The most important thing is the enrolled companies, and some companies participate on several platforms.
Highly passionate about cyber security (penetration testing, bug bounty hunting, cybersecurity in general) and blogging. I am experienced in vulnerability assessments, penetration testing and various security audits, and have worked with various clients, most of them in the finance sector. Currently a holder of CompTIA Security+, CEH, CEH Practical, and CEH Master certificates.