What's new

A Brief on Bug Bounty Programs & Tools

A Brief on Bug Bounty Programs & Tools​

Living in the era of Information technology one can ensure that security is the biggest concern for small, medium and large businesses. On a yearly basis companies invest a large amount of money on bounty programs which they refer to as Bug Bounty programs. This is where they give researchers, influencers and hackers an opportunity to hack/test against their systems to find out if there are bugs as well as vulnerabilities. A bug bounty program is a deal offered by these tech companies by which some can be rewarded for finding such issues. These programs allow the developers to discover and resolve these issues before the general public is aware of them, strengthen their product security and prevent incidents of widespread abuse.

Value of Bug Bounty Programs

Nowadays many firms are classifying bug bounty programs as a ‘critical business function’ and are conducting these procedures on regular basis. Because these risks tend to be high, companies are putting more and more funds into these programs and the demand for white, blue, gray, green, red hat and ethical hackers have become a necessity. Able to assists in exposing new threats, viruses, spyware & adware within their systems & programs these professionals are helping many these businesses to be secure on-line.

Top 8 Bug Bounty Programs & Tools used:


Github as an emerging community and tech giant that has its own bug bounty program since 2013. They also conduct bounty programs because they no only value their clients, they value the community. The minimum pay is $200 and maximum they pay $1000 for finding critical bugs in their systems.
Bounty link: https://bounty.github.com


A big name in USA and UK, Apple holds a big market share with its versatile products. In their first bounty program they would only entertain 24 security researchers but later opened their program(s) for all researches & hackers. There was no minimum bounty proposed by them but the task was to hack data protected by Apple’s Secure Enclave technology. The highest bounty given reached $200,000 for a security issues affecting its firmware.
Bounty Link: https://support.apple.com/en-au/HT201220


Bill Gates & Microsoft is a very reknowned name and we all know about their Windows, Ms-office , Team studio, Phones and other products, but the firm solely relies on in-house professionals in dealing with bugs, they don’t have big bounty program and offer only a bounty for online services and nothing else. The minimum payout is $15,000 dollars for critical bugs and $250,000 can be the maximum
Bounty Link: https://technet.microsoft.com/en-us/library/dn425036.aspx

Facebook & Instagram:

The number one website on planet earth with more than 1/3rd of the users nearly approaching 2 billion is quite generous in their bug bounty programs which they reward the researchers nicely. They claim to provide secure and hassle-free environment to their users. They have officially launched an opportunity for pentesters and defined the terms and conditions in a proper official manner. PS: They also own instagram currenly the world 3rd biggest site.
Bounty Link: https://www.facebook.com/whitehat

Google & Youtube:

The past 5 years it was a war of being number 1 with more revenue than anyone and owns a trillion dollar video business like youtube, Google is also generous like its competitor facebook in bug bounty terms. Google pays a minimum $100 dollars and maximum $31,337 depending on how critical the bug is.
Bounty Link: https://www.google.com/about/appsecurity/reward-program


This giant firm with yearly billion dollar revenue and also known to be responsible for running our PC’s with their microprocessors, Intel is also a big name in conducting bounty programs. The maximum payout that Intel offers is $500 minimum and $30,000 dollars for detecting critical bugs its system.
Bounty Link: https://security-center.intel.com/BugBountyProgram.aspx


As far as the giants are concerned, how can we forget the unsung hero in the field… yes, you guessed right it’s TWITTER. The social media platform targeting the whole world has recently paid Kedrisch for finding a vulnerability in February and was awarded a $7,560 bounty in March. The vulnerability was tied to Twitter’s ad platform, ads.twitter.com, a self-service platform that allows companies to promote tweets, accounts, and monitor advertising campaigns across the social network. They payout a minimum of $140 and $15,000 is the maximum
Bounty Link: https://support.twitter.com/articles/477159

Mozilla & Thunderbird:

Who can forget the most beloved browser of hackers enriched with hundred of extensions mozilla firefox. Ethical hackers and security researchers will be rewarded when they discover vulnerabilities in their hack prove system. But the bounty is only offered for bugs in Mozilla services, like Firefox, Thunderbird and other related applications and services. Minimum payout is $500 and $5,000 dollars is the maximum.
Bounty Link: https://www.mozilla.org/en-US/security/bug-bounty/


HackBar (Chrome, Firefox/Mozilla add-on)

A security auditing/penetration tool used help do security audits on a website (Cross Site Scripting – XSS and SQL injections, etc).
Hashing of MD5/SHA1/SHA256
Sandbox-ish textarea
Useful for most complicated/unreadable URL’s
Focus is on text that you currently have selectedIf you are interested in HackBar, you can find it:

Burp Suite

Burp Suite is an integrated security-testing platform for web applications. You can perform scans on and full crawls to any URL and covers over 100 generic vulnerabilities (injections, broken Auth & session Management, Cross-Site Scripting XSS, Direct Object Ref and more). This tool supports many kinds of attach insertion points and nested insertion points.

3 versions – Community (Free), Professional ($399) & Enterprise ($3,999)

If you are interested in Burp, you can find it:

DNS Discovery

This tool will run a comprehensive DNS Report on a domain. It’s done directly against the root servers (or TLD Servers). It’ll query each name server to make sure all DNS Servers respond. Also, it’ll measure their performance and audit the results against common best practices.

If you are interested in MX-Toolbox, you can find it here:


Wapiti is a command-line application also used to audit the security of websites and web applications. Operationally, Wapiti crawls web applications with black-box scans and looks for points where it can inject code. When Wapiti complies a list of URLs and the corresponding forms & inputs, it acts like a fuzzer (providing invalid, unexpected, or random data as inputs to a computer program).

If you are interested in Wapiti, you can find it here:


IronWASP (FREE and Open Source) checks for vulnerabilities of a website. This powerful tool, which is simple enough to be used by beginners, comes with modules (WiHawk – WIFI, XMLChor – XPATH injection Exploter, SSL Security Checker – Discovering vulnerabilities in SSL installations and more) bundled and that have been created by their community.

If you are interested in IronWASP, you can find it here:

Final Words:

While software manufacturers are hoping to be on the safe side by trying to stay current to bugs/threats they are also eager in fixing and patching their products and services to mitigate these newly discovered bugs. For all our readers we would recommend to always keep your operating system and programs up to date. It’s said that over 75% of all attacks use vulnerabilities in which a patch already existed… AND the system/program/application could have been patched months before the attack. According to Secure List (https://securelist.com/it-threat-evolution-q3-2018-statistics/88689/)
• Kaspersky Lab solutions blocked 947,027,517 attacks launched from online resources located in 203 countries.
• 246,695,333 unique URLs were recognized as malicious by Web Anti-Virus components.
• Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 305,315 users.
• Ransomware attacks were registered on the computers of 259,867 unique users.
• Our File Anti-Virus logged 239,177,356 unique malicious and potentially unwanted objects.
• Kaspersky Lab products for mobile devices detected:
1,305,015 malicious installation packages
55,101 installation packages for mobile banking Trojans
13,075 installation packages for mobile ransomware Trojans.