
Make Money by Reporting Bugs And Security Vulnerabilities

This is news for all researchers, hackers and developers: you can now earn money doing what you do best, searching for vulnerabilities in sites and programs run by companies such as Facebook, Mozilla and PayPal. Mozilla was the first company to introduce this idea to the masses, Google followed soon after, and Facebook was next in line. All of these major players in today's internet services began by offering $500 bounties some time ago; since then they have increased their rewards, paying as much as $3000 and above.


Facebook has followed in the footsteps of Mozilla and Google by launching a "bug bounty" program in which people who find and report bugs and vulnerabilities can cash in on them. Under its "Responsible Disclosure Policy", researchers and developers who report flaws in the website can be rewarded $500 and above.

According to Facebook:

"If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."

Bugs that you can submit to Facebook:
1. Cross-Site Scripting (XSS)
2. Cross-Site Request Forgery (CSRF/XSRF)
3. Remote Code Injection
4. Broken Authentication (including Facebook OAuth bugs)
5. Circumvention of Platform permission model
6. A bug that allows a third-party to view private user data

Basically, anyone can cash in on this opportunity, but to qualify you must:
1. Be the first person to privately report the bug
2. Reside in a country not under any current US sanctions
3. Abide by the Responsible Disclosure Policy, and
4. Have found a bug that could potentially compromise the integrity or privacy of Facebook user data.

The following would lead to disqualification in the bug bounty program:
1. Denial-of-service vulnerabilities
2. Spam and social engineering techniques, and
3. Bugs in third-party apps and websites, and in Facebook's corporate infrastructure.



Google sites whose bugs and vulnerabilities you can submit:
1. .google.com
2. .youtube.com
3. .blogger.com
4. .orkut.com

Bugs that you can submit to Google:
1. Cross-site scripting
2. Cross-site request forgery
3. Cross-site script inclusion
4. Flaws in authentication and authorization mechanisms
5. Server-side code execution or command injection bugs.

The following would lead to disqualification in the bug bounty program:
1. Attacks against Google corporate infrastructure
2. Social engineering and attacks on physical facilities
3. Brute-force denial of service bugs
4. SEO techniques
5. Vulnerabilities in non-web applications
6. Vulnerabilities in Google-branded services operated by third parties.

Reward amounts offered by Google:

| Vulnerability | accounts.google.com | Other highly sensitive services [1] | Normal Google applications | Non-integrated acquisitions and other lower priority sites [2] |
|---|---|---|---|---|
| Remote code execution | $20,000 | $20,000 | $20,000 | $5,000 |
| SQL injection or equivalent | $10,000 | $10,000 | $10,000 | $5,000 |
| Significant authentication bypass or information leak | $10,000 | $5,000 | $1,337 | $500 |
| Typical XSS | $3,133.7 | $1,337 | $500 | $100 |
| XSRF, XSSI, and other common web flaws | $500 - $3,133.7 (depending on impact) | $500 - $3,133.7 (depending on impact) | $500 - $1,337 (depending on impact) | $500 - $1,337 (depending on impact) |

You can send your report to security@google.com.


According to PayPal:

"To encourage responsible disclosure, we commit that - if we conclude that a disclosure respects and meets all the guidelines [outlined in the policy] - we will not bring a private action or refer a matter for public inquiry."

Bugs and vulnerabilities that you can submit to PayPal:

1. Cross-site scripting
2. Cross-site request forgery
3. SQL Injection
4. Authentication bypass.

To qualify you must:

1. Be the first one to report the previously unknown bug.
2. Make sure that it is a PayPal website.
3. Not send PayPal your personal information in your report, and use a PGP key to encrypt your email.
4. Not be from a sanctioned country; if you are, you will not be allowed to participate in this program.
5. Not be an eBay Inc. employee or contractor, or an immediate relative of one; they are not allowed to participate in the program.

You can send your report to sitesecurity@paypal.com.

This is your chance to cash in on these rewards. If you are a security researcher, you are in for a big treat.


About The Author

This article is written by Sindhia Javed Junejo. She is one of the core members of the RHA team.


  1. Very nice one and good explanation. Better to review the URLs of Google products.
    Ex: .bloggers. com --> www.blogger.com
    I think bloggers.com is not owned by Google Inc.




  2. Do only these 3 sites pay for reporting?

  3. Thanks for sharing this article! A lot of those who are into software bug detection are surely grateful. Cheers!

  4. Can you teach us to do this step by step? :) Thanks.


© 2016 All Rights Reserved by RHA Info Sec.