After online rumours started whirling about hacks related to Houseparty, the video-based social network offered $1 million to someone who could prove that the rumours were actually “spread by a paid commercial smear campaign to harm Houseparty”.
Even though this story has been dominating tech headlines, offering a huge bounty isn’t that unusual a move for a big tech company. However, it’s more common for such bounties to be offered to people who can prove that the company’s products have a significant security flaw.
In brief, a bug bounty is a way for tech companies to reward individuals who point out flaws in their products. Usually, the bounties relate to security issues, and companies often set up special portals where you can submit bug reports.
It’s a way of rewarding a researcher for finding a problem that’s been overlooked by an in-house team. But if no-one’s able to hack into your product, it’s also a sly way for companies to boast about the security of their products.
There are various restrictions in place about what they’ll pay out for, depending on the company. We’ve outlined the basics from individual companies below, but broadly speaking the bug needs to relate to a current product, not have been previously discovered, and (crucially) only be disclosed to the company directly.
Microsoft bug bounty
Microsoft’s top offer is $300,000 for vulnerability reports on Microsoft Azure cloud services. The company will also shell out $100,000 if you find vulnerabilities in its Identity services and up to $250,000 for security issues found in Microsoft Hyper-V.
Vulnerabilities found in other Microsoft services will typically net you between $15,000-$30,000. Security issues found on Xbox can earn you $20,000, while problems encountered on the Chromium-based version of Microsoft Edge can earn you up to $30,000.
Apple bug bounty
Apple has one of the heftiest bug bounty offers around. The company will give you a cool $1 million if you manage to find a vulnerability that allows someone to hack into a network without any user interaction. In the company’s own words, this has to be a “zero-click kernel code execution with persistence and kernel PAC bypass”.
The smallest payout listed on Apple’s current site is $100,000, which it will shell out if you manage to find vulnerabilities in iCloud, bypass a lock screen, or find a way to access sensitive data without authorisation via an installed app.
For vulnerabilities found in Google-owned web properties, rewards range from $100-$5000. Payouts for Chrome vulnerabilities are a bit larger, ranging from $500-$30,000, while security issues found on Google Play will be rewarded to the tune of $500-$20,000.
But the real money is found in the bug bounty for Android on Pixel products. This program pays up to $1 million, depending on the exploit discovered. Top dollar is paid out for anyone able to hack into the Pixel Titan M chip.
In addition to the above, there are a couple of grants available via Google. These are for already-established vulnerability researchers and range from $1337 up to $3133. There are also payments available of up to $20,000 for proposed patches on certain open source projects.
Facebook has no upper limit on what it will pay out on bug bounties, but instead has a vulnerability calculation that takes into account “impact, ease of exploitation and quality of the report.”
HackerOne is a mix between platform and collective. It provides a portal for big tech companies and hackers, allowing the former to advertise what monetary rewards they can offer and the latter to submit vulnerability reports.
It also hosts something called the Internet Bug Bounty, which will pay out if you manage to find a security flaw in software that supports the internet stack. For example, finding an issue with the popular Python programming language could earn you $500 in pocket money.