Lista de Programas Bug Bounty (Ganando Dinero por reportar Vulnerabilidades)

Bug Bounty Program es un tema muy conocido que manejan las compañías conocidas como: Google, Facebook, Mozilla, etc, la cual se basa en realizar un pago considerable a los "Hackers" o "Security Research" por encontrar y reportar cualquier tipo de vulnerabilidad en sus servidores web, productos, servicios o algunas aplicaciones asociadas. 

Mayormente este programa los emplean las grandes empresas y sitios webs como también las empresas que desean mejorar su seguridad con el fin de brindar un mejor servicio a sus clientes, para tal caso listare la información respectiva que brindan las empresas con mas influencia en la red para reportar las vulnerabilidades que podamos encontrar al momento que estemos realizando nuestras auditorias.

BUG BOUNTY VULNERABILIDADES EN APLICACIONES WEB:

Mozilla

• security@mozilla.org 
• http://www.mozilla.org/security
• http://www.mozilla.org/projects/security/security-bugs-policy.html
• http://www.mozilla.org/security/announce

Google

• security@google.com 
• https://www.google.com/appserve/security-bugs/new?rl=xkp7zert49a5q6owod28bhr2

Facebook

• http://www.facebook.com/whitehat/bounty

Paypal

• sitesecurity@paypal.com 
• https://cms.paypal.com/cgi-bin/marketingweb?cmd=_render-content&content_ID=security/reporting_security_issues

Etsy

• http://www.etsy.com

Wordpress

• http://www.whitefirdesign.com/about/wordpress-security-bug-bounty-program.html

Commonsware

• http://commonsware.com/bounty.html

CCBill

• http://www.ccbill.com/developers/security/vulnerability-reward-program.php
• http://www.ccbill.com/developers/security/rewards.php 

Vark

• http://www.vark.com

Windthorstisd

• http://www.windthorstisd.net/BugReport.cfm

BUG BOUNTY VULNERABILIDADES EN PRODUCTOS:

Mozilla

• http://www.mozilla.org/security
• http://www.mozilla.org/security/known-vulnerabilities/firefox.html

Google Chrome

• http://www.chromium.org/Home/chromium-security/vulnerability-rewards-program

Zero Day Initiative

• http://www.zerodayinitiative.com

Barracuda

• bugbounty@barracuda.com
• http://www.barracudalabs.com/bugbounty
• http://www.barracudalabs.com/bugbounty/halloffame.html

Artifex Software

• http://www.ghostscript.com/Bug_bounty_program.html

Hex Rays

• http://www.hex-rays.com/bugbounty.shtml

Ardour

• http://ardour.org/bugbounty

Piwik

• http://piwik.org/security

HALL OF FAME (SALON DE LA FAMA):

Microsoft

• http://technet.microsoft.com/en-us/security/ff852094.aspx
• http://technet.microsoft.com/en-us/security/cc308589
• http://technet.microsoft.com/en-us/security/cc308575
• http://technet.microsoft.com/en-us/security/cc261624
• http://www.microsoft.com/security/msrc/default.aspx

Apple

• product-security@apple.com
• http://support.apple.com/kb/HT1318
• https://ssl.apple.com/support/security/ 

Adobe

• http://www.adobe.com/support/security/bulletins/securityacknowledgments.html
• http://www.adobe.com/support/security/alertus.html

IBM

• http://www-03.ibm.com/security/secure-engineering/report.html

Twitter

• https://twitter.com/about/security
• http://support.twitter.com/groups/33-report-abuse-or-policy-violations/topics/122-reporting-violations/articles/477159-how-to-report-xss-api-and-other-security-vulnerabilities#
• https://support.twitter.com/forms

Dropbox

• security@dropbox.com
• https://www.dropbox.com/security
• https://www.dropbox.com/special_thanks

Cisco

• http://tools.cisco.com/security/center/home.x#~alerts

Moodle

• http://moodle.org/security

Drupal

• http://drupal.org/security-team

Oracle

• http://www.oracle.com/us/support/assurance/reporting/index.html

Symantec

• http://www.symantec.com/security

Ebay

• http://pages.ebay.com/securitycenter/Researchers.html

Twilio

• http://www.twilio.com/blog/2012/03/reporting-security-vulnerabilities.html

37 Signals

• http://37signals.com/security-response

Salesforce

• http://www.salesforce.com/company/privacy/disclosure.jsp

Reddit

• http://code.reddit.com/wiki/help/whitehat

Github

• http://help.github.com/responsible-disclosure/

Ifixit

• http://www.ifixit.com/Info/responsible_disclosure

Constant Contact

• http://www.constantcontact.com/about-constant-contact/security/report-vulnerability.jsp

Zeggio

• http://www.zeggio.com

Simplify

• http://simplify-llc.com/simplify-security.html

Team Unify

• http://www.teamunify.com/__corp__/security.php

Skoodat

• http://www.skoodat.com/Security

Relaso

• http://relaso.com/disclosure

Moduscsr

• http://www.moduscsr.com/security_statement.php

Cloudnetz

• http://cloudnetz.com/Legal/vulnerability-testing-policy.html

Emptrust

• http://www.emptrust.com/Security.aspx

Apriva

• http://www.apriva.com/security

Amazon

• http://aws.amazon.com/security/vulnerability-reporting

SqaureUp

• https://squareup.com/security/levels

G-Sec

• http://www.g-sec.lu/responsible.disclosure.policy.html

Xen

• http://www.xen.org/projects/security_vulnerability_process.html

Engine Yard

• http://www.engineyard.com/legal/responsible-disclosure-policy

Lastpass

• https://lastpass.com/support_security.php

RedHat

• https://access.redhat.com/knowledge/articles/66234 

Acquia

• https://www.acquia.com/how-report-security-issue

Mahara

• security@mahara.org 
• https://wiki.mahara.org/index.php/Security 

Zynga

• security@zynga.com 
• http://company.zynga.com/security/whitehats 

Risk.io

• https://www.risk.io/security

Opera 

• http://www.opera.com/security/policy

Owncloud

• http://owncloud.org/security/policy
• http://owncloud.org/security/hall-of-fame

Scorpion Soft

• security@scorpionsoft.com
• http://www.scorpionsoft.com/company/disclosurepolicy

Norada 

• http://norada.com/norada/crm/security_response

Cpaperless 

• http://www.cpaperless.com/securitystatement.aspx

Wizehive 

• http://www.wizehive.com/security

Tuenti

• http://corporate.tuenti.com/en/dev/hall-of-fame

Nokia Siemens

• http://www.nokiasiemensnetworks.com/about-us/responsible-disclosure

Sound Cloud

• http://help.soundcloud.com/customer/portal/articles/439715-responsible-disclosure

Puppetlabs

• http://puppetlabs.com/security

Neohapsis

• http://www.neohapsis.com/disclosure.php

HTC

• http://www.htc.com/us/legal/product-security

Estas son las empresas que nos pueden considerar un pago por reportarles los fallos de seguridad que se encuentran en sus sitios webs y productos.

Les mostrare una vulnerabilidad (XSS) que encontre en Google Play la cual fue respectivamente reportada y aceptada.

Un saludo y hasta la proxima ;)