Who discovers a vulnerability first can make a big difference to the outcome. If a hacker is the first to find something, it can be incredibly lucrative for them if they manage to exploit it for financial gain.

Knowing this, tech companies have taken Ford’s example and offered rewards to anybody who can help them solve problems.

Here are the five biggest paying programmes currently out there.

1. Apple

Apple announced at the Black Hat conference that it was launching a programme worth up to $200,000.

The programme is currently open only to researchers who have previously made valuable bug disclosures to Apple.

It will be invite-only for the time being but is expected to expand to other researchers in time.

The top rewards will be given for boot firmware components.

Flaws that could allow extraction of confidential information protected by the Secure Enclave could reward up to $100,000.

Eligibility is based on the quality of the report, including a proof-of-concept, the clarity of the write-up and the novelty of the problem.

2. Facebook

Facebook’s programme, which covers all of its services including Instagram and Messenger, was launched on 29 July 2011.

As of February, Facebook had paid out more than $4.3 million to researchers as part of its bug bounty programme. This covered over 2,400 valid submissions from over 800 researchers around the world.

For the whole of 2015, the team classified 102 bug bounty submissions as high impact, an increase of 38 percent over 2014.

The largest single pay-out was to Reginaldo Silva, who was rewarded $33,500 for discovering an XML external entities vulnerability.

3. Microsoft

Microsoft launched its bug bounty programme in late 2013, and has paid out over $500,000.

The most lucrative categories are the Bounty for Defense, which allows security researchers to “submit a technical white paper to describe a defensive idea that could effectively block a mitigation bypass technique”, and the Mitigation Bypass Bounty.

Qualifying submissions will receive up to $100,000 USD, depending on the quality and uniqueness of the idea.

Meanwhile, submissions in the Nano Server Technical Preview bounty programme and the Online Services categories can receive between $500 and $15,000. Microsoft states that it could pay out more than this if the ideas are unique enough.

4. Exodus Intelligence

Exodus Intelligence, a Texas-based security firm, announced its programme mere days after Apple announced its first ever bug bounty programme.

Contributors of certain types of bugs or exploits could receive up to $500,000 as part of the Research Sponsorship Program (RSP).

The initial Zero-Day hitlist includes a maximum bounty of $500,000 for Apple iOS exploits and $125,000 for Microsoft Edge exploits.

Through Exodus’s website, registered users can view the Zero-Day and N-Day hitlists, which show the available bounties for each vulnerability type.

5. Google

Since Android does not have the same reputation for security as Apple due to its open architecture, it is in Google’s interests to find vulnerabilities in the operating system as quickly as possible.

The Android Security Rewards programme is the main public-facing channel for reporting these vulnerabilities.

Google specifies that the size of the reward depends on the severity of the vulnerability and the quality of the report.

The reward increases with the quality of the report, with proof of concepts, crash dumps, CTS tests and patches bolstering the value.

A critical vulnerability with a good report could pay up to $8,000, while a poor report for a low-severity vulnerability could pay in the hundreds.

Google also pays larger amounts, into the tens of thousands, for functional exploits. $50,000 is the prize for an exploit or chain of exploits leading to TEE (TrustZone) or Verified Boot compromise from a remote or proximal attack vector.

Google adds that the final reward remains at the discretion of the reward panel.

Google also offers to donate the reward to charity, doubling it if this option is chosen.