Coinbase.com bug bounty - 04 May 2013

Coinbase.com bug bounty

Bug bounty programs, in my opinion, are a great thing. Not only do they encourage responsible vulnerability disclosure, they also provide the incentive for a company to keep active about their security. If you can implement a bug fix within a short time period, or improve your response time, you are greatly reducing the overall risk your company faces from attack, both in the short and in the long term. The programs can also of course benefit a company/site in other ways: bug-finders generally would like to announce the bugs they found or the rewards they received, and this in itself is providing free promotion or brand awareness!

You can find a list of already active bug bounties on These are a company that provide and run bug bounty services for other companies. A truly great idea! As a security interested individual who would like to practice their skills or fine-tune them, this provides a great opportunity to learn how to bug-hunt. The prize or reward also provides a good incentive for the effort. Breaking into the security industry isn't easy; hopefully finding a bug on a well tested, well recognized site will help individuals find their way in.

So, how did I find my first bug bounty? Coinbase.com were recently added to the list of companies offering bounties for the bugs you find. The guidelines of their bug bounty program are here at Coinbase.com/whitehat. I hadn't previously tried any of the bug bounties listed (aside from poking around Facebook), so I thought I'd chance my arm at a newer one, since there would more than likely be more bugs since the application is in earlier days of progress.

The first thing I decided to do was have a browse through the source of the site; I'm always amazed at some of the obvious things you find in there. I opened up a JavaScript file that was there and began searching for strings like "location", "hash" and ".swf". I tried a few different things, then I came across the swf file ZeroClipboard.swf. This immediately caught my eye as I was certain I'd seen it mentioned before, linked with an XSS vulnerability. I went to Google and found the following . I then tried the initial string and was disappointed there was no popup ;_;. Being curious, I also tried the ZeroClipboard10.swf. RESULT!

I immediately emailed them. Later in the evening I received a confirmation that my bug was accepted and that I was the first to find it! Not bad for a few minutes' work. I then checked my account to find my 5 Bitcoins. My first experience with a bug bounty was a good one. All I can do now is hope to find some more in my free time :D