< ciso brief />

All news with #bug bounty tag

36 articles

GitHub reduces low-impact bounties as AI submissions surge

🔒 GitHub is shifting low-impact bug bounty payouts from cash to swag and asking researchers to stop submitting low-quality or out-of-scope reports. The company says a sharp rise in submissions—exacerbated by generative AI tools—has produced many reports that don’t show meaningful security impact. GitHub welcomes AI-assisted research but requires human validation of AI-generated findings and will exclude certain report types from rewards. The change aims to speed triage and prioritize substantive vulnerabilities.

Google Raises Bug Bounty Maximums for Android and Chrome

🔒 Google has increased maximum payouts for its vulnerability reward programs, raising the top prize to $1.5 million. The new maximum applies to critical issues impacting Android, with reports indicating the full amount requires compromising the Pixel Titan M2 security chip. Rewards for vulnerabilities in Chrome now top out at $250,000. Since launching its programs in 2010, Google has paid $81.6 million to researchers.

Google boosts top Android exploit rewards to $1.5M

🔐 Google updated its Android and Chrome vulnerability rewards, increasing top-tier payouts for the most difficult exploits while lowering awards for issues AI has made easier to find. The highest Android prize is $1.5 million for zero-click, full-chain persistent exploits against a Pixel Titan M2 security chip, with $750,000 for non-persistent variants. For Chrome, full-chain browser process exploits pay up to $250,000 plus a $250,128 bonus for exploiting MiraclePtr-protected allocations; Google also narrows Android scope to Linux kernel bugs in Google-maintained components unless concrete device exploitability is shown.

Microsoft Pays $2.3M for Cloud and AI Flaws at Zero Day Quest

🛡️ Microsoft awarded $2.3 million to security researchers after receiving nearly 700 submissions during this year’s Zero Day Quest hacking contest, compensating teams for high-impact cloud and AI vulnerabilities uncovered at the live event. Participants from more than 20 countries tested within authorized environments under Microsoft’s Rules of Engagement and demonstrated issues such as credential exposure, SSRF chains, and cross-tenant access without accessing customer data. The contest is part of the Secure Future Initiative, and Microsoft said findings will be shared through the CVE program to strengthen cloud and AI security.

Internet Bug Bounty Pauses Payouts Amid AI Advances

🛑 The Internet Bug Bounty program, administered by HackerOne and backed by multiple major software companies, has paused submissions and payouts while it reassesses how best to support open source security. HackerOne said the rise of AI-assisted vulnerability discovery has increased both coverage and speed, shifting the balance between new findings and remediation capacity. Projects such as Node.js will continue to accept and triage reports via HackerOne but may not issue rewards from the paused fund. Similar changes have hit other programs, including curl and recent restrictions at Google's open source rewards effort.

Google VRP 2025 Year in Review: Growth and Milestones

🛡️ In 2025 Google’s Vulnerability Reward Program (VRP) celebrated its 15th anniversary and awarded over $17 million to more than 700 researchers worldwide — a 40%+ increase versus 2024. The year introduced a standalone AI VRP, extended Chrome rewards for AI features, and launched a patch rewards program for OSV-SCALIBR. Multiple bugSWAT events and the ESCAL8 conference generated hundreds of reports and significant payouts. Google reaffirms its commitment to collaboration, transparency, and continued events in 2026.

OpenAI unveils Safety Bug Bounty to limit AI abuse

🛡️ OpenAI has launched a new Safety Bug Bounty, hosted on Bugcrowd, to solicit researcher reports of AI abuse and safety risks across its products. Announced March 26, it complements the existing Security Bug Bounty and targets issues like agentic risks (MCP abuse, prompt injection, data exfiltration), account integrity violations, and proprietary-information exposures. OpenAI clarified scope limits, excludes low-impact jailbreaks, runs private campaigns for certain harms, and will triage submissions between safety and security programs.

Google paid $17.1M to security researchers in 2025

💰 Google paid $17.1 million to 747 security researchers in 2025 through its Vulnerability Reward Program, an all-time annual high and more than a 40% increase over 2024. The company said it has awarded over $81.6 million in bounties since 2010, with the top single reward reaching $250,000. In 2025 Google launched an AI Vulnerability Rewards Program, added AI-focused categories to the Chrome VRP, and introduced a rewards track for OSV-SCALIBR. Program-specific payouts included Android & Google Devices (~$2.9M), Chrome (~$3.72M), and Cloud (~$3.57M).

curl ends HackerOne bug bounty after surge of AI reports

🔒 The curl project will end its HackerOne bug bounty program after being overwhelmed by a surge of low-quality, apparently AI-generated vulnerability reports that strained the small security team and harmed maintainers' wellbeing. Founder Daniel Stenberg said the torrent of AI slop submissions created a high triage burden. The project will accept HackerOne reports through January 31, 2026, then move to direct reporting via GitHub with no monetary rewards.

Researchers Exploit 29 Zero-Days at Pwn2Own Automotive

🚗 On the second day of Pwn2Own Automotive 2026, security researchers earned $439,250 after exploiting 29 unique zero-day vulnerabilities in EV chargers, in-vehicle infotainment systems, and automotive operating systems. Contestants targeted fully patched devices such as the Phoenix Contact CHARX SEC-3150, ChargePoint Home Flex, and the Grizzl-E Smart 40A charging station. Fuzzware.io led the leaderboard after two days, and organizers confirmed vendors have 90 days to issue fixes before public disclosure by the Zero Day Initiative.

Curl ends paid bug bounty program over AI-generated reports

🛑 Curl has ended paid rewards in its bug bounty program after a surge of low-quality, AI-generated vulnerability reports overwhelmed the project's triage resources. Chief administrator Daniel Stenberg said the volume of "AI slop" and generally poor reports left maintainers unable to keep up. Over the years Curl paid $101,020 in bounties, and the project joins other vendors reassessing programs as automated tooling reshapes vulnerability disclosure.

Microsoft Expands Bug Bounty with 'In Scope by Default'

🛡️ Microsoft unveiled a new security policy, In Scope by Default, at Black Hat Europe to expand its bug-bounty coverage to any critical vulnerabilities that demonstrably affect its online services. The program covers Microsoft-managed code as well as third-party and open source components when no existing bounty exists. Researchers submit reports via Microsoft’s coordinated disclosure platform under defined rules that permit broad red-team testing while prohibiting credential access, phishing, and excessive DoS.

Microsoft Moves to 'In Scope by Default' for Vulnerabilities

🔒 Microsoft has shifted to 'In Scope by Default', making any critical vulnerability with a demonstrable impact on its online services—whether in Microsoft-owned code, third-party components, or open-source—eligible for bounty awards. Announced at Black Hat Europe, the policy expands eligibility across Microsoft domains and cloud services and invites coordinated disclosure under agreed rules of engagement. The company says the change aims to incentivize research on the highest-risk areas, while established Rules of Engagement prohibit credential misuse, phishing, disruptive DoS testing, and other harmful methods.

Microsoft Bounty Program Now Covers All Service Flaws

🔒 Microsoft will now pay bounties for critical vulnerabilities that directly impact any of its online services, whether the flawed code is Microsoft-owned, third-party, or open source. Announced by Tom Gallagher at Black Hat Europe, the change makes all current and newly launched Microsoft online services in-scope by default. The move aims to steer researcher attention to high-risk areas and accelerate remediation. Microsoft said it paid over $17 million to security researchers in the past year.

UK and Portugal Move to Protect Security Researchers

🔒 Governments in the UK and Portugal have introduced proposals and legislation to provide legal protection for computer security researchers, recognizing that outdated laws can deter responsible vulnerability testing. UK security minister Dan Jarvis proposed amending the 1990 Computer Misuse Act to create a statutory defense for good-faith research that meets defined safeguards. Portugal's new law similarly shields researchers who do not seek financial advantage and who respect data protection rules, aligning with measures already adopted in the Netherlands, France, and Belgium.

Portugal exempts ethical hackers under updated law

🔒 Portugal has amended its cybercrime law to exempt cybersecurity researchers and ethical hackers from prosecution, with the change published in the Diário da República on 4 December. The amendment, titled “Acts not punishable due to public interest in cybersecurity,” creates a legal exception for good-faith vulnerability research provided strict conditions are met. Researchers must avoid economic gain, refrain from DoS, social engineering, phishing and data theft, report findings to the system owner and the data protection regulator, and delete sensitive data within 10 days of a fix.

Portugal Revises Law to Shield Security Researchers

🛡️ Portugal amended its cybercrime law to create a clear safe harbor for good-faith security research under new Article 8.º-A. The change exempts certain acts that would previously be illegal if performed solely to identify and responsibly disclose vulnerabilities, provided strict conditions are met: immediate notification to the system owner and the CNCS, no excessive financial gain, non-disruptive techniques, GDPR compliance, and deletion of obtained data within ten days of remediation. Tests carried out with owner consent are also covered but still require CNCS notification.

Meta Expands WhatsApp Security Research Effort

🛡️ Meta has provided selected long-time bug bounty researchers with a new tool, WhatsApp Research Proxy, to streamline analysis of WhatsApp's network protocol and reduce barriers to in-depth research. The company is also running a pilot that invites research teams to focus on platform abuse with internal engineering and tooling support. Meta said it has paid more than $25 million to over 1,400 researchers in 15 years and recently added anti-scraping protections after a study showed an account-enumeration technique able to map billions of users.

Fortinet and CSI Launch Global Cybercrime Bounty Program

🛡️ Fortinet and Crime Stoppers International (CSI) have launched the Cybercrime Bounty program, a global initiative enabling secure, anonymous reporting of cybercriminal activity. Validated reports will feed Fortinet’s threat intelligence to support law enforcement investigations and potential prosecutions. The program scales deterrence by combining community-sourced tips with expert analysis, building on decades of Fortinet collaboration with INTERPOL and other public-private partners.

Leading Bug Bounty Programs and Market Shifts 2025

🔒 Bug bounty programs remain a core component of security testing in 2025, drawing external researchers to identify flaws across web, mobile, AI, and critical infrastructure. Leading platforms like Bugcrowd, HackerOne, Synack and vendors such as Apple, Google, Microsoft and OpenAI have broadened scopes and increased payouts. Firms now reward full exploit chains and emphasize human-led reconnaissance over purely automated scanning. Programs also support regulatory compliance in critical sectors.