
7 Huge Bug Bounty Payouts

Many companies offer big bucks, or bug bounties, to ethical hackers who identify vulnerabilities in their systems and products. Can you top these huge payouts?

By Eric Griffith
The Biggest Ever Bug Bounties

The first tech companies to offer bug bounties—where payment is offered to hackers who find vulnerabilities in the code—were web browser makers; Netscape kicked things off in 1995 and Mozilla did the same in 2004.

The goal is to get hackers to tell an at-risk company about a bug before an exploit for it becomes public or ends up in criminal hands. It's a win-win for the hackers and the businesses: rather than only trying to block the bad guys, a company can pay the more mercenary hackers to help shore up its security.

In recent years, bug hunting has become big business, with players like Google, Facebook, Yahoo, and Microsoft all offering up large sums. Plenty of others—like Tesla, Yelp, Reddit, Square, 1Password, Pinterest, and Uber—have since joined the party, but bug bounties aren't limited to tech companies. Finance, healthcare, and government entities offer bounties because they're desperate to stay ahead of the next major breach.

Bug bounties have become so commonplace that third-party brokers like Bugcrowd and HackerOne exist to connect hackers with bounty money. As detailed in HackerOne's 2018 Hacker Report, the company alone has paid out over $23 million to the 166,000 hackers in its network, who have reported over 72,000 vulnerabilities that were subsequently fixed. That's a lot of good work—for a lot less than a real breach can cost a company in money and reputation.

The number of registered users in the HackerOne community alone has exploded tenfold, according to the report.

Naturally, there are also some negatives. Exodus Intelligence, for example, pays researchers higher bounties than the big companies do, then sells that bug information to its own customers as a subscription. That isn't necessarily bad—finding vulnerabilities is important. But as Sophos' Lisa Vaas notes, "exploit brokers' customers could be on the side of the good guys—say, antivirus vendors who want to protect people from newly discovered holes—or that they could be on the offensive, interested in using undisclosed exploits to target systems themselves."

Below, take a look at a few of the biggest payouts yet in the bountiful field of bug bounties. If you know about some bigger bounties, let us know in the comments.

Oath/Verizon Media

In April 2018, the organization previously known as Oath Inc. shelled out $400,000 to 40 participants in HackerOne's live hacking H1-415 event. Oath/Verizon Media, which owns Yahoo and AOL, later doled out another $400K at a separate event in November 2018 to hackers who identified 159 critical security vulnerabilities.

After the success of these live events, the company consolidated its efforts into a single bug bounty program, which paid out $5 million in 2018 to hackers and researchers who found bugs of various severities across multiple platforms.

Microsoft: $200,000
Microsoft passed a milestone last year with $2 million in bug bounty payouts, after which it stopped releasing details about individual bounties beyond the amounts and case severity. But the largest bounty we know of going to a single person is the $200,000 Vasilis Pappas received in 2012, as a Columbia University PhD student, for winning Microsoft's BlueHat Prize. Pappas submitted a defense against return-oriented programming (ROP), the technique attackers use to chain together short snippets of a program's own code in order to bypass exploit mitigations such as non-executable memory. His entry, kBouncer, inspects the processor's record of recent indirect branches and blocks control flow that looks like a ROP chain.
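As an added illustration of what "looks like ROP" means in practice (example code written for this page, not kBouncer's own code or Microsoft's), the C program below simulates the two checks kBouncer applies to the processor's Last Branch Record when a process enters a system call: every return must land on a call-preceded address, and no run of eight or more consecutive short gadgets may appear. The LBR trace, the addresses and the per-address instruction facts are constructed data, and the thresholds are constants of this example chosen to match the ones kBouncer describes.

```c
/*
 * Added example (not kBouncer's or Microsoft's code): a simulation of the
 * two checks kBouncer runs over the CPU's Last Branch Record (LBR) when a
 * process enters a system call. The trace, addresses and per-address
 * instruction facts below are constructed test data.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One LBR entry: the indirect branch at `from` transferred control to `to`. */
typedef struct {
    uint64_t from;
    uint64_t to;
    bool is_ret;                 /* true if the branch at `from` was a RET */
} lbr_entry;

/* Facts a checker would obtain by disassembling the code around `addr`.
 * Constructed here instead of decoding real code pages. */
typedef struct {
    uint64_t addr;
    bool call_preceded;              /* the instruction just before addr is a CALL */
    unsigned insns_to_next_indirect; /* instructions from addr to the next indirect
                                        branch; a small count means "gadget" */
} site_info;

/* Thresholds for this example (chosen to match the ones kBouncer describes). */
#define GADGET_MAX_INSNS   20
#define CHAIN_MIN_GADGETS   8

/* Verdicts returned by check_lbr(). */
enum { LBR_BENIGN = 0, LBR_RET_NOT_CALL_PRECEDED = 1, LBR_GADGET_CHAIN = 2 };

static const site_info *lookup(const site_info *sites, size_t nsites, uint64_t addr)
{
    for (size_t i = 0; i < nsites; i++)
        if (sites[i].addr == addr)
            return &sites[i];
    return NULL;
}

/* Heuristic 1: every RET must land right after a CALL (a legitimate return
 * site). Heuristic 2: no run of CHAIN_MIN_GADGETS consecutive branch targets
 * may each execute GADGET_MAX_INSNS or fewer instructions before the next
 * indirect branch; that shape is a ROP chain even when every gadget happens
 * to be call-preceded. */
int check_lbr(const lbr_entry *trace, size_t n,
              const site_info *sites, size_t nsites)
{
    unsigned chain = 0;
    for (size_t i = 0; i < n; i++) {
        const site_info *s = lookup(sites, nsites, trace[i].to);
        if (trace[i].is_ret && (s == NULL || !s->call_preceded))
            return LBR_RET_NOT_CALL_PRECEDED;
        if (s != NULL && s->insns_to_next_indirect <= GADGET_MAX_INSNS) {
            if (++chain >= CHAIN_MIN_GADGETS)
                return LBR_GADGET_CHAIN;
        } else {
            chain = 0;
        }
    }
    return LBR_BENIGN;
}

/* Constructed traces: eight RETs in a row. Addresses are arbitrary; only the
 * shape of the trace matters for the checks above. */
#define TRACE_LEN 8

static int run_scenario(bool call_preceded, unsigned gadget_len)
{
    site_info sites[TRACE_LEN];
    lbr_entry trace[TRACE_LEN];
    for (size_t i = 0; i < TRACE_LEN; i++) {
        sites[i] = (site_info){ 0x401000u + 0x40u * i, call_preceded, gadget_len };
        trace[i] = (lbr_entry){ 0x402000u + 0x08u * i, sites[i].addr, true };
    }
    return check_lbr(trace, TRACE_LEN, sites, TRACE_LEN);
}

/* Normal execution: returns land after CALLs and are followed by long
 * straight-line code before the next indirect branch. */
int demo_benign(void)            { return run_scenario(true, 120); }

/* Naive ROP chain: returns into the middle of functions, not after a CALL. */
int demo_naive_rop(void)         { return run_scenario(false, 3); }

/* Evasive ROP chain built only from call-preceded gadgets: the first check
 * passes, but the chain-length check still fires. */
int demo_call_preceded_rop(void) { return run_scenario(true, 3); }

int main(void)
{
    printf("benign trace            -> %d\n", demo_benign());
    printf("naive ROP chain         -> %d\n", demo_naive_rop());
    printf("call-preceded ROP chain -> %d\n", demo_call_preceded_rop());
    return 0;
}
```

The third scenario is the reason the second heuristic exists: once the call-preceded rule was known, attackers could restrict themselves to gadgets that happen to sit right after a CALL, so the chain-length check catches the shape of the payload rather than any single return address.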

Google
Google's Vulnerability Rewards Program dates back to 2010 and has since paid out more than $15 million, including $3.4 million in 2018 alone ($1.7 million of that for bugs in Android and Chrome). The largest single payout last year was $41,000, to a researcher Google did not name. Of the bounties that are public, 19-year-old Ezequiel Pereira from Uruguay received $36,000 for discovering a remote code execution bug in the Google Cloud Platform console.

HackerOne Millionaire
As if Pereira's story weren't enough, we have to mention another 19-year-old South American who is killing the bug bounty game: Argentina's Santiago Lopez, the first person to top $1 million in earnings on HackerOne's platform. The self-taught hacker says he got his start by watching YouTube videos and reading blogs on his own, but the thing that jumpstarted his interest in hacking? What else? The 1995 movie Hackers.

Facebook

For a company that has experienced a few security lapses over the years, it's not surprising that Facebook is eager to locate and fix loopholes in its code. The social network's bug bounty program has paid out $7.5 million since its inception in 2011. Facebook's previous record for a single payout went to Andrew Leonov, a Russian security researcher who was awarded $40,000 for showing that a flaw in a third-party image-processing library Facebook used could be exploited against Facebook itself. The new record payout came last year: a cool $50,000 to one person.

US Department of Defense

For one month in 2016, the DoD under the Obama administration literally said "Hack the Pentagon!" Some 250 hackers went after bugs in the department's public-facing websites and found 138 vulnerabilities worth closing up. The total payout to hackers was $150,000, which then-Secretary of Defense Ashton Carter said was about $850,000 less than a professional security audit would have cost.

In 2018, the Defense Department expanded the effort to a slew of new programs hosted by HackerOne, targeting systems run by the Army, Air Force, and Marine Corps as well as the Defense Travel System. Together they awarded a combined $500,000 to hackers who discovered about 5,000 unique vulnerabilities across government databases and websites.

United Airlines: 1 Million Miles
United Airlines doesn't give out cash, but it will give you frequent-flyer miles. Lots of them. A number of researchers were awarded miles last year, including Olivier Beg, a 19-year-old security researcher from the Netherlands who received 1 million miles for finding around 20 different bugs in the airline's systems.
