Sure, malware, viruses, spyware and security breaches can ruin your day, but they could also help you generate a little extra cash. If you play your cards right, security problems can help you make a lot of extra cash.
You see, you may not be aware of it but many companies pay rewards or bounties to people who report security problems with their software. Not every company pays, but quite a few of them do. So next time you spot a security problem, note it and report it. You might make some extra money.
So who pays for reporting security breaches? Google, Mozilla and Facebook, to name just a few. From the scuttlebutt online, it looks like Google pays best.
This isn’t surprising, but Google pays best for spotting security bugs in its products. If you spot a security glitch in any Google product, including the Chrome browser, YouTube, Google+, Google itself, Gmail, Blogger, Orkut or Chrome OS, Google may pay you. The base reward at Google is $500 but they may pay up to $3,133.70.
Google also pays rewards for spotting security problems with Android, Picasa, Google Desktop and anything else owned by Google. Google wants to keep its users safe.
To report a Google security breach, send a detailed report and contact information to this e-mail address:
More information about Google’s bounty program is available here:
http://www.google.com/about/corporate/company/security.html
Mozilla Security Bug Bounty Program
If you find a new bug in a Mozilla product such as Firefox, it could be worth up to $3,000. In addition to cash, you get a Mozilla t-shirt so you can look like a real Geek. The rewards start at $500 and go up to $3,000.
Report Mozilla bugs using this application.
Get the lowdown on the Mozilla Bug Bounty Program here:
http://www.mozilla.org/security/bug-bounty.html
Facebook is finally getting wise to the importance of this security thing. Maybe somebody hacked Mark Zuckerberg’s Facebook page. Anyway, they are offering a reward for reporting bugs. It’s only $500 but these days, $500 is big money to a lot of people. Some industry publications think this is small potatoes but $500 sounds good to me.
Facebook does want you to report any vulnerability you find in it. Note: That should take several hours given Facebook’s idea of security.
The details of Facebook’s Security Bounty Program are available here:
https://www.facebook.com/whitehat/bounty/
Facebook is only looking for bugs that involve cross-site scripting, cross-site request forgery and remote code injection. Security breaches involving third-party applications, denial-of-service vulnerabilities, Facebook’s corporate structure, and spam or social engineering techniques are not eligible. So it’s obvious that Facebook’s idea of security is still pretty limited.
I guess Facebook will pay you $500 if you tell them that somebody has figured out how to get into your Friends list but they don’t care if hackers have figured out how to shut down the Social Network. I have a feeling this will change.
So Who Gives Security Bounties Anyway
Right now Google, Mozilla and Facebook seem to be the only outfits giving security bounties. Some major players including Microsoft, Oracle and Apple don’t do this. There are also some companies that pay a bounty for locating flaws in somebody else’s security.
It would be a good idea to watch the computer Web sites because this practice will probably spread. Google started it last year by offering a reward for those who found Chrome security flaws. Now, Mozilla and Facebook have jumped in.
The open source companies are more likely to do this because they are more vulnerable. Offering bounties is also cheaper than hiring outside security experts. Microsoft is likely to start offering some sort of bounty when Windows 8 is released because it will be an open source product.
Even if you don’t think a company offers a bounty, it would be a good idea to go to their Web site and find out how to contact their security team if you find a security flaw. They may have started offering some sort of bounty recently and some of them may pay quietly.
Security Bounty Hunting Tips
There are some tips you can follow that can help you collect those security bounties. These include:
- Get as much information as you can. Security analysts like to know everything about a threat. So put everything into your e-mail.
- Report it quickly. Most outfits pay only one bounty per security issue. That means the first person who reports it gets the cash. So report the issue as soon as you become aware of it.
- Report everything. Report any security issue you have, whether it’s a flaw, a virus, malware, or hacking. Report it even if it does not match the company’s requirements. There’s a good chance they will bend the rules if you bring their attention to a real security threat they’re not aware of.
- Report it to more than one company. If you find a security problem on your Facebook (like that would happen) and trace it back to a Google application, report it to both Facebook and Google. That way you might get two rewards. If you find malware on Facebook, report it to Google and Mozilla. They may want to know about it.
- Don’t be afraid to report it. Even if you have a poor understanding of what’s going on, report it. Security analysts like to know what’s going on and if you really help them, they may open their checkbooks.
Bounty Hunting is a Growing Business
One final thought: Seriously consider reporting any security flaws you find to other companies, including antivirus companies. These organizations want their security to be up-to-date, so they may pay you. Smaller companies like Avira and Cobra Antivirus could be more likely to pay because they have limited resources. Even if they don’t pay money, they have other rewards available like free copies of their software or t-shirts.















