Categories: Security

Adding Web Applications to the Security Bug Bounty Program

Many people are not aware that we have paid a bounty in the past on web application security vulnerabilities which impact client security. We have only paid on critical or extraordinary web application vulnerabilities which have a direct impact against the client. We are now going to include critical and high severity web application vulnerabilities on selected sites.  We are giving a range starting at $500 (US) for high severity and, in some cases, may pay up to $3000 (US) for extraordinary or critical vulnerabilities.

We want to encourage the discovery of security issues within our web applications with the goal of keeping our users safe. We also want to reward security researchers for their efforts with the hope of furthering constructive security research.

This new policy will go into effect starting December 15th, 2010 PST, and any new web application bugs will fall under this new policy. It is important to note that nothing else has changed with the original security bounty program and the updated amount which was announced back in July.

The Web Security Bounty FAQ includes which types of vulnerabilities will be considered and which sites will be considered to be apart of the Web Application Bounty Program.

The full text of the security bounty program:

Chris Lyon
Director of Infrastructure Security

6 comments on “Adding Web Applications to the Security Bug Bounty Program”

  1. Neal Poole wrote on

    The FAQ says “Since our code is opensource, you are encourage to run on the software on your own server instance or just look at the source code for potential issues.”

    Where can we find the source for these applications?

  2. Wladimir Palant wrote on

    Nice! Too bad my past bug reports aren’t eligible 🙂

    @Neal: is currently using two codebases: – old PHP-based code – new Pythong-based rewrite

    Most other sites are also there in SVN, e.g. under

  3. reed wrote on

    @Neal: It varies… Some are in, while others are in or even If you have a specific application you want a direct link to the source code for, let me know.

  4. Neal Poole wrote on

    Sweet, thanks for the links! That’ll be very helpful. 🙂

  5. güvenlik şirkerleri wrote on

    good! ı like mozilla this cause

  6. Semi-Crank wrote on

    the names of the actors posting here seem to change often. not that i care much, but IMHO currently your most valued professional seems to have “a4” in the name. lol.