Software providers continue to rely on community support to help them identify code mistakes that can lead to malicious attacks.

Bug bounty programs remain a crucial component of cybersecurity strategies in 2024, offering organisations the ability to draw in help from a diverse pool of cybersecurity professionals and researchers. The schemes offer continuous testing against emerging threats.

What are bug bounty programs?

Bug bounty programs are structured systems for individuals to identify and report security vulnerabilities and other bugs. They are offered by organisations, websites, and software developers. These programs are designed to leverage the skills of ethical hackers to enhance the security of software and systems before malicious parties can exploit these vulnerabilities. Participants, often referred to as bug bounty hunters, earn financial rewards or other forms of recognition for successfully reporting vulnerabilities in assets covered by bug bounty programs. Exploits achieved through social engineering trickery such as phishing are typically excluded.

Bug bounty programs focus in 2024

For ethical hackers, best practice for bug bounty hunting in 2024 involves thorough reconnaissance of a target organisation’s technology stack, rather than just running automated tools. Leading bug bounty platforms such as Bugcrowd, HackerOne, Synack, YesWeHack and Intigriti offer rewards for identifying and reporting security vulnerabilities. Platforms connect ethical hackers with organisations, providing a structured framework for vulnerability disclosure and resolution, and managing bug bounty rewards on behalf of their corporate clients. Technology providers and government organisations run stand-alone bug bounty programs as part of a broader security testing strategy that also includes penetration tests.
Here are the notable programs launched in 2024:

Alphabet puts a higher bounty on bugs

Alphabet upped the rewards on offer through its bug bounty program to a maximum of $151,515 in July, recognising that as its systems become more mature it is getting harder to find bugs. The value of the payout will reflect the quality of reports, with exceptional-quality reports earning a 50% bonus on the baseline payment. Conversely, poor-quality but valid vulnerability disclosures will only earn half the reward they might otherwise have earned. For example, a logic flaw leading to a Gmail account takeover risk will earn $50,000 multiplied by a potential 1.5 quality multiplier, for up to $75,000. The same bug would have earned only $13,337 before this year’s increase. Google Web Services, its Chrome browser, and Android and Google Devices are all within scope of elements of Google’s Vulnerability Reward Program (VRP).

Microsoft revamps long-running vulnerability disclosure scheme

Not to be outdone, Microsoft significantly increased its bug bounty payouts in the past year. Between 2020 and 2023, Microsoft paid out roughly $13 million annually through its bug bounty programs. However, in 2024, this amount increased to $16.6 million. The rewards went to 343 security researchers from a total of 55 countries. Services and products including Azure, Microsoft Identity, Edge, Windows and Office 365 are all covered by the program. “As the security landscape and Microsoft’s attack surface evolves, so does the Microsoft Bounty Program,” Microsoft said in a blog post reviewing its bug bounty program.
“Whether expanding scope to cover new Microsoft products and services or aligning research targets to protect against malicious actors and novel attack vectors, the Microsoft Bounty Program responds with program enhancements continuously.” In April, Microsoft introduced a new bug bounty program specifically for AI, offering up to $15,000 for validated vulnerability reports involving its Copilot AI technology.

UK military arms itself to repel security threats

In February, the UK’s Ministry of Defence (MOD) announced that it was expanding its defensive security initiative with HackerOne. The original scope of the three-year-old program included vulnerability disclosure and bug bounty programs. The MOD has now broadened the scope of the vulnerability disclosure program (VDP) to include several of its key suppliers as part of a wider scheme to improve supply chain security and ultimately push them towards introducing their own vulnerability disclosure programs. Cloud software-as-a-service collaboration platform provider Kahootz is an initial adopter of MOD’s supplier VDP program. The UK scheme is inspired, at least in part, by the US’s Hack the Pentagon program.

Critical Backpack vulnerabilities pay up to $100,000

Those looking for more financially lucrative rewards should look for flaws in Backpack, an exchange that focuses on a non-custodial wallet and browser extension. The bug bounty, also launched in July and hosted by Immunefi, offers rewards of up to $100,000 for confirmed vulnerabilities in Backpack’s web or API.

AI start-up Anthropic launches bug reporting scheme

Artificial intelligence startup Anthropic launched a vulnerability disclosure program (VDP), managed by HackerOne, in August with bounty rewards up to $15,000 for novel, universal jailbreak attacks that could expose vulnerabilities in critical, high-risk domains such as CBRN (chemical, biological, radiological, and nuclear) and cybersecurity.
A jailbreak attack in AI involves a method for circumventing an AI system’s built-in safety measures and ethical guidelines, allowing a user to elicit responses or behaviours from the AI system that would normally get blocked. “As we work on developing the next generation of our AI safeguarding systems, we’re expanding our bug bounty program to introduce a new initiative focused on finding flaws in the mitigations we use to prevent misuse of our models,” Anthropic said in a blog post on the revamped program. VDPs offer a structured system that makes it easier for security researchers to report bugs without offering financial rewards. Over time, many organisations have graduated from VDPs towards fully fledged rewards-offering bug bounty programs. Anthropic’s VDP covers its public-facing website and other digital assets including the Claude iOS app, the claude.ai domain, internal apps and services, APIs and software development kits.

French government agency offers up to €5,000

The Direction Interministérielle du NUMérique (DINUM), the agency in charge of the French State’s digital transformation, is offering a bug bounty program through YesWeHack. DINUM’s web applications and APIs are the primary targets of the scheme, which launched in February. The program welcomes reports of classic web application security vulnerabilities including SQL injection, cross-site scripting, cross-site request forgery and remote code execution. Attacks that expose valid credentials on an in-scope asset stand to earn rewards of up to €5,000. Reports of leaks of sensitive information are outside the scope of the program.

Netflix entertains bug bounty reports

Netflix’s bug bounty program is designed to enhance the security of its products and services by crowdsourcing security vulnerability reports from the hacker community. The program, which became public in 2018, was originally hosted by Bugcrowd before moving to HackerOne.
The latest version of the program, launched in May, offers security researchers rewards of up to $25,000 for the most critical vulnerabilities. Its primary targets include the Netflix.com user experience. High-severity targets include methods of subverting content authorisation or obtaining private keys. Netflix’s mobile apps for iOS and Android are also in scope.

Airbnb checks out vulnerabilities

Airbnb launched a revamped bug bounty program through HackerOne in May. Payouts of up to $25,000 are on offer for ethical hackers who discover flaws in Airbnb’s website or mobile apps. A wide range of web application security vulnerabilities are eligible under the scheme from the online homestay marketplace. Airbnb has paid out a total of $2.4 million in bounties through the scheme since it first launched in 2015. The vulnerability disclosure program has resolved 1,394 reports to date. Average bounties range from $500 to $750.

Monzo banks on bug bounties

In July, British digital bank Monzo launched a public bug bounty program through Intigriti. The program offers payments of up to €12,500 for validated critical vulnerability finds. Technologies in scope include the bank’s website, APIs, internal tooling and mobile apps.

Grafana seeks hacker help in rooting out source code flaws

Grafana, an open-source platform for monitoring and observability, has also launched a bug bounty program via Intigriti. Reported and validated critical vulnerabilities can receive up to €15,000 through the scheme, launched in May. The program is geared towards incentivising ethical hackers to uncover flaws in Grafana’s software. Reports on Grafana Labs-developed plugins that are not installed by default are accepted, but are not eligible for a bounty.

Bluefin bug bounty pays up to $5,000

Bluefin launched a bug bounty program with Immunefi, the bug bounty and security services platform for Web3, in July.
The trade.bluefin.io website and associated assets are the primary focus of the program, which offers rewards of up to $5,000. A wide range of web security vulnerabilities are in scope, including SQL injection and cross-site request forgery, as well as bugs that result in the leakage of sensitive information. Business logic issues and payment manipulation problems are also eligible for potential rewards.

[For a look at last year’s top announcements, see “12 notable bug bounty programs launched in 2023.”]