Hands-On Bug Hunting for Penetration Testers

Company-Sponsored Initiatives

Company-sponsored programs are just what they sound like. It's not just large mega-corps that have bounty programs – a surprising number of businesses have a process for rewarding security contributions. The size of each company can drastically affect the requirements and conditions for a reward: large companies pay top dollar for vulnerabilities, but the low-hanging fruit among those flaws will already have been picked; start-ups will have less mature applications, but probably a smaller application attack surface, assembled from a newer stack with fewer known vulnerabilities, and might want to pay for contributions in swag. Companies that are mature enough to suffer from technical debt, but also have a budget to pay rewards, are a nice fit. Sometimes, though, you'll just have to poke around in different areas, taking your chances, to find your next vulnerability.

Here are some examples of the programs offered by larger companies.