10 Essential Bug Bounty Programs of 2017 (1)

In 2015, The State of Security published a list of 11 essential bug bounty frameworks. Numerous organizations and even some government entities have launched their own vulnerability reward programs (VRPs) since then. With that in mind, I think it’s time for an updated list.

Here are 10 essential bug bounty programs for 2017.

1. Apple
   Website: Invite-only

Minimum Payout: No predetermined amount

Maximum Payout: $200,000

First launched in September 2016, Apple’s bug bounty program originally welcomed just two dozen security researchers who had previously reported vulnerabilities in the tech giant’s software. The framework has presumably expanded since then to include additional bug bounty hunters. But without a public website, it’s difficult to ascertain any details about the program, including which participating ethical hackers have claimed bounties. (A report published by Motherboard casts doubt on whether any researchers have reported flaws to Apple since the launch of its program.)

Ivan Krstic of Apple Security Engineering and Architecture group announced the bug bounty program at Black Hat USA 2016. According to him, his employer is willing to pay $25,000 for flaws that could allow an actor to gain access from a sandboxed process to user data outside of that sandbox. Meanwhile, it’s ready to hand over $100,000 to those who can extract data protected by Apple’s Secure Enclave technology. The highest bounty comes in at $200,000 for security issues affecting its firmware.