white hat: 2015 vulnerability reward plan

Posted by deaguero at 2020-02-26


Thursday, February 26, 2015

With cybercrime and major intrusions now commonplace, finding application-layer vulnerabilities has become increasingly important. During development, developers and enterprises continually review their code to make it more robust. However, no application is completely free of vulnerabilities, so an external review mechanism is needed as well.

A vulnerability reward program is also known as a bug bounty. This mechanism brings together white hat hackers, security researchers and security enthusiasts from all over the world to hunt for vulnerabilities in an enterprise's products or services. The following are the most noteworthy vulnerability reward programs of 2015, as compiled by Safe Cow:

1. Battle Hack 2015

Platform languages: C++, JavaScript or Node.js

Reward amount: US $100000 (first prize), Xbox One (second prize), Adafruit ARDX (third prize)

Battle Hack is the most attractive vulnerability reward competition of the year and will be held in 10 major cities around the world. The event is sponsored by technology giants such as PayPal, Twitter and Braintree. The first prize winner receives $100000 and the title of "ultimate hacker".

PayPal emphasizes that it provides a central stage for developers all over the world, plus additional perks for participants: food, beer and tea breaks, and even sleeping space in cubicles. Most importantly, participants retain ownership of any software they develop during the competition.

2. White Hat Program (Facebook)

Platform languages: C++, PHP, D, Java, Python (server); JavaScript (client)

Bonus amount: minimum $500, no ceiling

Researchers and white hats have always been welcomed by the world's largest social media platform. Facebook, holding the personal information and media files of hundreds of millions of users, has always been a lucrative target in the eyes of malicious hackers. To prevent intrusions effectively, Facebook rewards individuals who discover and report security issues. In 2014, Facebook paid out a total of $1.3 million in vulnerability rewards.

Facebook has a dedicated bug bounty team that handles the reports users submit. Researchers only need to submit the vulnerability and wait for the bug bounty team's response. The minimum reward is $500 and there is no ceiling; the amount is determined by the severity of the vulnerability, as described on Facebook's bug bounty page.

3. Google Vulnerability Reward Program (VRP)

Platform languages: C++, Java, Python, Go (server); JavaScript, Flash (client)

Reward amount: minimum $100, maximum $20000

Google is the most dominant Internet company today. It has evolved from a simple search engine into a conglomerate of many kinds of media, reaching into every home and every mobile device. This unprecedented scale also creates security risks everywhere.

The vulnerability types Google is most concerned with are SQL injection, cross-site scripting, cross-site request forgery and remote code execution. Researchers who find such vulnerabilities are fully credited by the Google security team and enter the Google Hall of Fame. In 2014, Google paid out a total of $1.5 million in vulnerability rewards.

4. Yahoo vulnerability reward program

Platform languages: JavaScript, PHP (server); JavaScript (client)

Reward amount: minimum $100, maximum $20000

Like Facebook, Yahoo has its own security team that deals with vulnerability reports submitted by white hat hackers and security researchers. Submitted vulnerabilities must relate to Yahoo's and Flickr's applications. So far, the smallest reward paid out has been $50 and the largest $15000.

Yahoo's security team responds to a valid vulnerability submission within 30 working days. Accepted vulnerability types include SQL injection, cross-site scripting, cross-site request forgery, directory traversal, remote code execution, information disclosure and content spoofing.

5. Mozilla vulnerability reward

Platform languages: C++, JavaScript, C, CSS, XUL, XBL

Reward amount: minimum $500, maximum $3000

Mozilla, maker of the world's popular Firefox browser, also runs a vulnerability reward program. The scope of bonus payments is essentially Mozilla's own products, such as Firefox, Thunderbird and related applications and services. Third-party plug-ins and extensions are not covered by the reward program.

6. WordPress security vulnerability reward program

Platform language: PHP, MySQL

Bonus amount: minimum $100, maximum $1000

Thanks to its user-friendly features and flexible customization, WordPress has become one of the most popular content management systems in the world in recent years. However, its heavy reliance on third-party plug-ins also makes it a high-risk platform, especially when many websites do not apply official patches in time.

WordPress's security vulnerability rewards range from $100 for minor vulnerabilities to $1000 for serious ones. In addition, WordPress offers bonuses of $125 to $250 for vulnerability reports concerning third-party plug-ins.

7. Chromium program

Platform language: C++

Bonus range: minimum $500, maximum $15000

The Chrome rewards program, which began in January 2010, pays bonuses based on the severity of the vulnerability and the community's recognition of the white hat's work. Naturally, the vulnerability must relate to the Chrome browser or Chrome OS.

Bonuses range from $500 to $15000. Research and analysis on Windows 8 and above, as well as Windows XP and Vista, is also encouraged, although the bonus may be somewhat smaller.

8. Samsung Smart TV security reward program

Platform languages: Tizen, Android

Bonus range: minimum $500, maximum $3000

As the world's leading manufacturer of Internet of Things TVs, Samsung's products also require constant security testing to reduce the risk posed by malicious hackers. In addition to the bonus, Samsung has set up a hall of fame for researchers who submit vulnerabilities, to foster a new culture of vulnerability hunting.

9. Avast vulnerability reward program

Platform language: C++

Bonus amount: US $400-10000

Avast is a well-known anti-virus vendor, but even so, its products are not immune to every threat.

Avast defines remote code execution as the most serious vulnerability type, which can earn a reward of $10000 or more. In addition, Avast encourages researchers to find ways to crash the avastsvc.exe process through a DoS attack. Note that the Avast vulnerability reward program does not accept submissions from countries such as Iran, Syria, Cuba, North Korea and Sudan.

10. Microsoft - Online Service Vulnerability reward program

Platform language:

Bonus limit: minimum $500

Microsoft's latest vulnerability reward program, officially launched on September 23, 2014, is only for online services. The domain names of these online services include, etc.

Accepted vulnerability types include XSS/CSRF, injection and privilege vulnerabilities, and authentication vulnerabilities. Microsoft has awarded $300000 in bonuses so far.

11. GitHub security vulnerability reward

Platform language: Ruby

Bonus limit: minimum $100, maximum $5000

GitHub is the world's largest code hosting community, currently with 3.4 million users and 16 million code repositories. So it is no surprise that GitHub has launched its own vulnerability reward program.

12. Alibaba Group vulnerability reward program

Platform languages: PHP, Python, Java, JavaScript, C++

Bonus amount: up to 100000 yuan

Alibaba Group is committed to building an e-commerce ecosystem of integrity, mutual benefit and prosperity, in which security is the core element of healthy growth. To that end, Alibaba Group has set up the Alibaba Security Response Center (ASRC) to work with domestic and foreign security experts on securing the Alibaba ecosystem, so as to protect the hundreds of millions of Alibaba Group users.

ASRC gives back to white hat security experts through its "Vulnerability Award Program". In addition to the regular exchange of bonus points for gifts, Alibaba launched its 5 million yuan cash reward plan at the beginning of 2014, with a maximum cash reward of 100000 yuan.

13. Baidu (BSRC)

Platform languages: C++, PHP, Python, Java, JavaScript

Baidu's vulnerability response platform (BSRC) draws on the strength of the community to improve Baidu's own security. Through active communication with the outside world it obtains more timely and comprehensive security information and fills the gaps in its own security work, thereby improving its overall security capability.

At present, the platform scores each vulnerability comprehensively according to its type and impact, and occasionally runs multiplied-points reward events for white hats. In addition, BSRC plans to hold several security salons in 2015, each focusing on a particular security field.

14. Jingdong (JSRC)

Platform languages: C++, PHP, Python, Java, JavaScript

Bonus amount: up to 30000 yuan

Since 2014, the Jingdong Security Emergency Response Center platform (JSRC) has hosted more than 100 white hat security experts and received more than 300 high-quality vulnerability reports. In January 2015, the company launched a quadruple-points reward event and established a friendly, cooperative relationship with security enthusiasts.

Wang Xiao Rui

Author of finance and IT articles, translator of the well-known social engineering book "The Art of Deception", long-time contributor to Financial Circle magazine, and editor-in-chief of China Computer Security Net and Guangguang Net.