In 2019, the State of Security published its most recent list of essential bug bounty frameworks. Numerous organizations and government entities have launched their own vulnerability reward programs (VRPs) since then. COVID-19 has changed the digital security landscape, as well. With that in mind, it’s time for an updated list.

Here are 10 essential bug bounty programs for 2020.

10. Apple


Minimum Payout: $5,000

Maximum Payout: $1 million

First announced at Black Hat USA 2016, Apple’s bug bounty program originally welcomed just two dozen security researchers who had previously reported vulnerabilities they had found in the tech giant’s software. The tech firm later opened its bug bounty program to all security researchers, as reported by The Verge in December 2019.

Apple will pay $25,000 for flaws that could allow an actor to gain unauthorized access to a user’s iCloud account. Meanwhile, it will hand over $100,000 to those who can partially extract data from a locked device after first unlock. The highest bounty comes in at $1 million for a zero-click remote chain with full kernel execution and persistence.

9. Facebook


Minimum Payout: $500

Maximum Payout: No predetermined amount

Those wishing to qualify for a reward in Facebook’s bug bounty program can report a security issue in Facebook, Atlas, Instagram, WhatsApp and a few other qualifying products and acquisitions. There are a few security issues which the social networking platform considers out-of-bounds, however. For instance, researchers who report on social engineering techniques, content injection or denial-of-service (DoS) attacks won’t be eligible for a bounty.

Under its VRP, Facebook has agreed to pay a minimum of $500 for a responsibly disclosed vulnerability, though some low-severity flaws won’t qualify a researcher for a bounty. Participating bounty hunters may decide to donate their bounties to (Read more...)