changehero Blog

Bug Bounty Programs: How Do They Work? How Are They Helpful? How To Take Part?
Author: changehero
icon of calendar

A popular way to gain experience and earn money in the security community is ethical hacking. Volunteers help sites and companies fund security bugs in their software and receive compensation in return. You can even help ChangeHero fix vulnerabilities, too! Read on if you would like to learn more about our bug bounty program and why we have it.

What Are Bounty Programs?

A bug or security bounty is an offer from a software company or a similar business for “white hat” ethical hackers and security researchers. In exchange for a detailed report on various vulnerabilities, they reward security researchers depending on the severity of the exploits. Major tech companies such as Microsoft and Apple collaborate with external security researchers and bug bounty hunters to identify security issues.

How Does Bug Bounty Work?

Bug bounties are usually launched as programs that outline the conditions for participation and reimbursement. It is a best practice to provide security researchers with clear guidelines and rules for vulnerability submissions. These documents usually contain conditions for participation, reward information, and contact information or instructions for submitting a report. After all, for hacking to be ethical, some rules have to be in place, and this applies to the bounty poster as well.

The main reason “white hat hackers” enter these kinds of partnerships with companies is the reward. Beginner security researchers also find bounties convenient as both practice grounds and a revenue source. The more critical vulnerability is, the more can be expected of the reward since a proper report will save the software manufacturer from potential losses that can far exceed a single payout.

Let’s check some published bounties to give you an idea. Alibaba provides a minimum of $50 for each reported bug and vulnerability of minor magnitude and will cash out up to $3,250 for a critical bug that can affect buyers, sellers and/or shops. Amazon Vulnerability Research Program rewards researchers with $150 for a minor issue and up to $20,000 maximum.

Responsible Conduct

Bug bounty programs accept only good faith effort, meaning that malicious hackers are explicitly excluded. However, this is not the only thing to know before participating. The most common eligibility criteria include:

Bug Bounty Program on ChangeHero

Due to popular demand, ChangeHero is excited to reintroduce a bug bounty program for security experts. We invite you to help us identify bugs and vulnerabilities and will reward you if it helps us deliver a more secure product.

The full bug bounty program terms are available on the website but the gist is

ChangeHero has already had volunteers help us with security research. In a recent case, we have been approached by an anonymous researcher Mochi101 who helped us identify a possible attack vector. They have been compensated for their vigilance and effort in Bitcoin.

Reporting Security Vulnerabilities

So, do you feel up to the challenge? To submit a security bug to ChangeHero,

  1. Search for security vulnerabilities in the scope of the bug bounty program;
  2. Prepare a vulnerability report with respect to the eligibility criteria;
  3. Send it to ChangeHero support through the available contact channels — email or the chat widget on the website;
  4. Wait for a submission acknowledgment and a review from our security team.

Let’s work together: we eliminate security bugs and improve ChangeHero, and you receive rewards!

Drop Us A Line

We will be looking forward to your response, and don’t forget to share the news! Your feedback on the bug bounty program is also very welcome. Start with the ChangeHero website and get in touch with the Support team. Good luck!