A popular way to gain experience and earn money in the security community is ethical hacking. Volunteers help sites and companies fund security bugs in their software and receive compensation in return. You can even help ChangeHero fix vulnerabilities, too! Read on if you would like to learn more about our bug bounty program and why we have it.
What Are Bounty Programs?
A bug or security bounty is an offer from a software company or a similar business for “white hat” ethical hackers and security researchers. In exchange for a detailed report on various vulnerabilities, they reward security researchers depending on the severity of the exploits. Major tech companies such as Microsoft and Apple collaborate with external security researchers and bug bounty hunters to identify security issues.
How Does Bug Bounty Work?
Bug bounties are usually launched as programs that outline the conditions for participation and reimbursement. It is a best practice to provide security researchers with clear guidelines and rules for vulnerability submissions. These documents usually contain conditions for participation, reward information, and contact information or instructions for submitting a report. After all, for hacking to be ethical, some rules have to be in place, and this applies to the bounty poster as well.
The main reason “white hat hackers” enter these kinds of partnerships with companies is the reward. Beginner security researchers also find bounties convenient as both practice grounds and a revenue source. The more critical vulnerability is, the more can be expected of the reward since a proper report will save the software manufacturer from potential losses that can far exceed a single payout.
Let’s check some published bounties to give you an idea. Alibaba provides a minimum of $50 for each reported bug and vulnerability of minor magnitude and will cash out up to $3,250 for a critical bug that can affect buyers, sellers and/or shops. Amazon Vulnerability Research Program rewards researchers with $150 for a minor issue and up to $20,000 maximum.
Bug bounty programs accept only good faith effort, meaning that malicious hackers are explicitly excluded. However, this is not the only thing to know before participating. The most common eligibility criteria include:
- Within the program scope. For example, a software manufacturer will not reward reports about bugs in their website’s code;
- Not public. A report that uses someone else’s findings most likely will be ignored;
- Not submitted by a person who cannot receive a payout from the company. This can mean a lot of things, from minors to sanctioned individuals — in other words, if you can’t use the product, chances are, you won’t be eligible for the reward, either;
- Does not cause damage and avoid privacy violations. Even if made on accident, this makes an individual a malicious hacker;
- Some companies explicitly reject reports on specific known issues like content spoofing or social engineering techniques.
Bug Bounty Program on ChangeHero
Due to popular demand, ChangeHero is excited to reintroduce a bug bounty program for security experts. We invite you to help us identify bugs and vulnerabilities and will reward you if it helps us deliver a more secure product.
The full bug bounty program terms are available on the website but the gist is
- The scope of accepted reports covers the ChangeHero website, API, and the widget. Cases pertaining to specific blockchains are accepted, too;
- Priority is given to vulnerability reports concerning issues with stability, security, and finance;
- We will not accept incomplete reports or reports as a result of any damage to the service or our clients;
- The rewards range from $100 for minor issues to $1,000 for a critical security vulnerability. Payments are made in BTC and are ruled out on a case-by-case basis. The evaluation of discovered vulnerabilities is left to the ChangeHero security team’s sole discretion.
ChangeHero has already had volunteers help us with security research. In a recent case, we have been approached by an anonymous researcher Mochi101 who helped us identify a possible attack vector. They have been compensated for their vigilance and effort in Bitcoin.
Reporting Security Vulnerabilities
So, do you feel up to the challenge? To submit a security bug to ChangeHero,
- Search for security vulnerabilities in the scope of the bug bounty program;
- Prepare a vulnerability report with respect to the eligibility criteria;
- Send it to ChangeHero support through the available contact channels — email or the chat widget on the website;
- Wait for a submission acknowledgment and a review from our security team.
Let’s work together: we eliminate security bugs and improve ChangeHero, and you receive rewards!
Drop Us A Line
We will be looking forward to your response, and don’t forget to share the news! Your feedback on the bug bounty program is also very welcome. Start with the ChangeHero website and get in touch with the Support team. Good luck!