A bug bounty program is an arrangement offered by many prominent websites, organizations and software developers under which individuals receive recognition and, most importantly, sizeable compensation for reporting bugs, especially those concerning exploits and vulnerabilities. Among the giants offering such programs are Apple, Facebook, Google and OnePlus.
Bug Bounty Program
In 2016 the bug bounty program offered by Apple was restricted to iOS and was invitation only. Apple has now opened its bug bounty program to all security researchers, offering rewards of $1 million or more. The program is open to the public, and Apple has announced that iCloud, iPadOS, macOS, tvOS, and watchOS are covered by it.
The lucrative rewards also call for a thorough and detailed description of the issue from the researcher's side, with enough detail to allow Apple to reproduce it. Payouts are tiered by the severity of the bug discovered; bugs found across multiple Apple platforms, especially those affecting the latest Apple devices and software, qualify for the top payouts.
Bugs found in the beta version of a piece of software earn the researcher a 50 percent bonus on top of the standard reward. Other payouts are available for bypassing lock screens, extracting data from locked devices and gaining unauthorized iCloud access. The highest payout goes to researchers who can take over an entire device without any interaction from the user's side.
Although Apple's bug bounty program arrived relatively late and was restricted at first, it is still one of the most lucrative, even compared with the many newer programs that other tech giants have kept open to the public from the start.
Facebook has been notorious for its privacy policies and has therefore been in the news a lot, so a bug bounty program was very well warranted; it launched back in 2011. Anyone can send a report and receive a reward for helping lock down the company's systems.
The bounty program offered by Facebook is one of the oldest and most mature in the industry, and it has amounted to a total of about $8 million in payouts. Data abuse is a major concern for Facebook, and even the third-party developers associated with Facebook are scrutinized for it; researchers can report such abuse and be rewarded accordingly.
Google's Android bug bounty reward program was introduced in 2015, rewarding researchers who find and report security issues to help keep the Android ecosystem safe. The program covers vulnerabilities discovered in Pixel devices as well as the latest Android versions.
The most lucrative bounty offered under this program is the US $1 million reward for Google's Titan M chip, but it hasn't been claimed yet, as the award is partly discretionary and comes with certain terms and conditions. Besides the discretion of the committee, the factors that determine the reward include:
- A detailed writeup describing how the exploit works.
- The initial attack vector (i.e. remote exploitation versus local).
- Whether the exploit is device or build-specific, or whether it works across a broad set of builds and devices.
- The amount of user interaction required for the exploit to work.
- Whether the user could feasibly detect that an exploit is in progress or completed.
- How reliable the exploit is.
- Exploit chains found on specific developer preview versions of Android are eligible for up to an additional 50 percent reward bonus.
Google has been making waves in the field of cyber-security: in 2019 alone it paid out over US$1.5 million in bug bounties, with the top reward payout being US$161,337.
OnePlus has two different bug bounty programs that offer sizeable payouts. The first is the OnePlus Security Response Center, which pays between $50 and $7,000 for security bugs that researchers find in OxygenOS. The bounty is open to anyone and everyone: all you need to do is discover a OnePlus bug and submit an online form describing the problem along with a proof of concept, and the bug report must not be plagiarised.
The second bounty program is run in partnership with the security platform HackerOne, where only select HackerOne researchers test OnePlus products for potential security threats in a private setting, although the program is said to be opening to the public in 2020.
OnePlus has a reputation for providing a more or less safe and flawless experience, but in light of the troubled rollouts of Android 10 on OnePlus devices, the bug bounty program is very helpful.
Besides these giants, many other tech companies have been launching bug bounty programs at a time when security concerns are at a record high. This ensures that people are compensated for outsmarting the loopholes while the safety of the systems built by these companies is maintained.