Bug Bounty Website List

Product & Services (No Reward)

• Amazon Web Services (AWS) -http://aws.amazon.com/security/vulnerability-reporting
• Apriva - http://www.apriva.com/security
• Authy - https://www.authy.com/security-issue
• Blackboard -http://www.blackboard.com/footer/security-policy.aspx
• Box - https://www.box.com/about-us/security/
• Cisco -http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html#roosfassv
• Cloudnetz -http://cloudnetz.com/Legal/vulnerability-testing-policy.html
• Contant Contact -http://www.constantcontact.com/about-constant-contact/security/report-vulnerability.jsp
• Coupa -http://trust.coupa.com/home/security/coupa-vulnerability-reporting-policy
• Drupal - https://drupal.org/security-team
• EMC² - http://www.emc.com/contact-us/contact/product-security-response-center.htm
• Emptrust -http://www.emptrust.com/Security.aspx
• Heroku -https://www.heroku.com/policy/security-hall-of-fame
• HTC - http://www.htc.com/us/terms/product-security/
• Huawei -http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm
• IBM - http://www-03.ibm.com/security/secure-engineering/report.html
• KPN -http://www.kpn.com/Privacy.htm#tabcontent3
• Lievensberg Hospital -http://www.lievensbergziekenhuis.nl/paginas/141-disclaimer.html
• LinkedIn -http://help.linkedin.com/app/answers/detail/a_id/37022
• Lookout -https://www.lookout.com/responsible-disclosure
• Millsap Independent School District -http://www.millsapisd.net/BugReport.cfm
• Modus CSR -http://www.moduscsr.com/security_statement.php
• PagerDuty -http://www.pagerduty.com/security/disclosure/
• Panzura - http://panzura.com/support/panzura-security-policy/
• Pidgin - http://pidgin.im/security/
• Plone -http://plone.org/products/plone/security/advisories
• Pop Group -http://www.popgroupglobal.com/security.php
• Reddit -http://code.reddit.com/wiki/help/whitehat
• Relaso - http://relaso.com/disclosure
• Salesforce -http://www.salesforce.com/company/privacy/security.jsp#vulnerability
• Simplify - http://simplify-llc.com/simplify-security.html
• Skoodat - http://www.skoodat.com/security
• Scorpion Software -http://www.scorpionsoft.com/company/disclosurepolicy/
• Square - https://squareup.com/security/levels
• Symantec -http://www.symantec.com/security/
• Team Unify -http://www.teamunify.com/__corp__/security.php
• Tele2 -http://www.tele2.nl/klantenservice/veiligheid/tele2-en-veiligheid.html
• T-Mobile (Netherlands) - http://www.t-mobile.nl/Global/media/pdf/privacy_statement_juni_2012.pdf
• UPC -http://www.upc.nl/internet/veilig_internet/beveiligingsproblemen/
• Viadeo - http://www.viadeo.com/aide/security/
• Vodafone (Netherlands) -http://over.vodafone.nl/vodafone-nederland/privacy-veiligheid/beveiliging-en-bescherming/wat-doet-vodafone/meld-een-beveilig
• VSR -http://www.vsecurity.com/company/disclosure
• X.commerce - http://www.x.com/security
• Xen -http://www.xen.org/projects/security_vulnerability_process.html
• Ziggo -https://www.ziggo.nl/#klantenservice/internet/risicos-op-internet/meldpunt-beveiligingslekken

Product & Services (Hall Of Fame Only)

• Acquia - https://www.acquia.com/how-report-security-issue
• ActiveProspect -http://activeprospect.com/activeprospect-security/
• Adobe -http://www.adobe.com/support/security/alertus.html
• Amazon.com (retail) - please email details tosecurity@amazon.com
• Android Free Apps -http://www.androidfreeapp.net/security-researcher-acknowledgments/
• Apple - http://support.apple.com/kb/HT1318
• Blackberry -http://us.blackberry.com/business/topics/security/incident-response-team/collaborations.html
• Braintree -https://www.braintreepayments.com/developers/disclosure
• Card - https://www.card.com/responsible-disclosure-policy
• cPaperless -http://www.cpaperless.com/securitystatement.aspx
• Chargify - https://chargify.com/security/
• DiMartino Entertainment -http://moosikay.dimartinoentertainment.com/site/credits/
• eBay - http://pages.ebay.com/securitycenter
• EVE -http://community.eveonline.com/devblog.asp?a=blog&nbid=2384
• Evernote - http://evernote.com/security/
• Foursquare -https://foursquare.com/about/security
• Freelancer -http://www.freelancer.com/info/vulnerability-submission.php
• Future Of Enforcement -http://futureofenforcement.com/?page_id=695
• Gitlab - http://blog.gitlab.com/responsible-disclosure-policy/
• Gliph - https://gli.ph/s/security.html
• HakSecurity - http://haksecurity.com/special-thanks/
• Harmony - http://get.harmonyapp.com/security/
• Heroku -https://www.heroku.com/policy/security-hall-of-fame
• Iconfinder -http://support.iconfinder.com/customer/portal/articles/1217282-responsible-disclosure-of-security-vulnerabilities
• Kaneva -http://docs.kaneva.com/mediawiki/index.php/Bug_Bounty
• Kayako - https://my.kayako.com/
• Lastpass -https://lastpass.com/support_security.php
• Mahara - https://wiki.mahara.org/index.php
• MailChimp -http://mailchimp.com/about/security-response/
• Microsoft (Online Services) -http://technet.microsoft.com/en-us/security/cc308589
• Netflix -http://support.netflix.com/en/node/6657#gsc.tab=0
• Nokia -http://www.nokia.com/global/security/acknowledgements/
• Nokia Siemens Networks -http://www.nokiasiemensnetworks.com/about-us/responsible-disclosure
• Norada - http://norada.com/crm-software/security_response
• Owncloud -http://owncloud.org/about/security/hall-of-fame/
• Opera - https://bugs.opera.com/wizarddesktop/
• Oracle -http://:oracle.com/technetwork/topics/security
• Puppet Labs -https://puppetlabs.com/security/acknowledgments/
• RedHat -https://access.redhat.com/knowledge/articles/66234
• Risk.io - https://www.risk.io/security
• Security Net -http://www.securitynet.org/security-researcher-acknoledgments/
• Sellfy - https://sellfy.com/security/
• Spotify - https://www.spotify.com/us/about-us/contact/report-security-issues/
• Sprout Social -http://sproutsocial.com/responsible-disclosure-policy
• Telekom - http://www.telekom.com/corporate-responsibility/security/186450
• Thingomatic -http://thingomatic.org/security.html
• 37signals - https://37signals.com/security-response
• Tuenti - http://corporate.tuenti.com/en/dev/hall-of-fame
• Twilio -https://www.twilio.com/docs/security/disclosure
• Twitter - https://twitter.com/about/security
• WizeHive -http://www.wizehive.com/special_thanks.html
• Xmarks - https://buy.xmarks.com/security.php
• Zendesk -http://www.zendesk.com/company/responsible-disclosure-policy
• Zynga -http://company.zynga.com/security/whitehats

Reward Program

• AT&T -http://developer.att.com/developer/apiDetailPage.jsp?passedItemId=10700235 -

(To submit you need to sign up to the free
Developer API program)

• Avast! - http://www.avast.com/bug-bounty
• Barracuda - http://barracudalabs.com/
• Coinbase - https://coinbase.com/whitehat
• Chromium Project -http://www.chromium.org/
• CrowdShield - https://crowdshield.com/

• Cryptocat - https://crypto.cat/bughunt/
• Facebook -http://www.facebook.com/whitehat/
• Etsy - http://www.etsy.com/help/article/2463
• Gallery - http://codex.gallery2.org/Bounties
• Ghostscript -http://ghostscript.com/Bug_bounty_program.html(Mostly software development, occasional security issues)
• Google -http://www.google.com/about/company/rewardprogram.html
• Hex-Rays - http://www.hex-rays.com/bugbounty.shtml
• IntegraXor (SCADA) -http://www.integraxor.com/blog/integraxor-hmi-scada-bug-bounty-program
• LaunchKey -https://launchkey.com/docs/whitehat
• Marktplaats -http://statisch.marktplaats.nl/help/
• Mega.co.nz -http://thenextweb.com/insider/2013/02/01/kim-dotcom-puts-up-13500-bounty-for-first-person-to-break-megas-security-system/
• Meraki - http://www.meraki.com/trust/#srp
• Microsoft -http://www.microsoft.com/security/msrc/report
• Mozilla - http://www.mozilla.org/security/bug-bounty.html
• Paypal -https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
• PikaPay - https://www.pikapay.com/pikapay-security-policy/
• Piwik - http://piwik.org/security/
• Ricebridge -http://www.ricebridge.com/bugs.htm (Only available to customers)
• Ripple - https://ripple.com/bug-bounty/
• Samsung - https://samsungtvbounty.com/
• Simple -https://www.simple.com/policies/website-security/
• Tarsnap -https://www.tarsnap.com/bugbounty.html
• Qiwi - https://www.qiwi.ru/page/hack.action
• Qmail - http://cr.yp.to/djbdns/guarantee.html
• Yandex -http://company.yandex.com/security/index.xml
• Zerobrane -http://notebook.kulchenko.com/zerobrane/zerobrane-studio-bug-bounty

Source : Bugcrowd