This page is built for scanning fast, not fighting a wall of cards.
Use search and filters to narrow the list, then compare payout ceiling, focus area, geography, and whether a platform is public or invite-only. If you're choosing where to spend time, start with fit first, then payout.
- Tier S: biggest upside, hardest competition, strongest brands.
- Tier A: serious programs with real money and a better balance of access and value.
- Tier B/C: regional, niche, or emerging platforms that can still be very worth it.
Tier S — Elite Earning Potential
$100,000+ bounties possible. Home to the world's largest programs and DeFi protocol audits worth millions.
The world's largest bug bounty platform with 2,000+ programs and $300M+ paid to hackers. Home to Google, Microsoft, and Department of Defense programs with six-figure bounties.
Second-largest crowdsourced security platform with programs from Tesla, Mastercard, OpenAI, and hundreds of Fortune 500 companies. Strong enterprise and government presence.
The #1 blockchain/DeFi bug bounty platform with $100M+ paid out. Programs from Ethereum Foundation, Polygon, and Chainlink offer up to $10M per bug. Critical vulns are worth fortunes here.
Competitive smart contract audit platform where top auditors earn $50K–$500K per contest. Battle-tested by Uniswap, ENS, and Compound. The premier arena for DeFi security researchers.
Europe's leading bug bounty platform with 900+ researchers and programs from Proximus, ING, and EU institutions. Top GDPR-compliant choice for European enterprises with six-figure programs.
DeFi-native security platform combining competitive audits with on-chain coverage protocols. Auditors can earn $20K–$200K per contest auditing cutting-edge DeFi protocols.
Elite invite-only platform serving the US Department of Defense, DARPA, and Fortune 100 companies. Vetted researchers earn among the highest rates in the industry through classified programs.
A distributed security firm of top-tier smart contract auditors. Audits major protocols like OpenSea, Yearn, and Lido. Top auditors earn $150K+ on flagship engagements.
Tier A — High Earning Potential
$10,000–$100,000 typical top bounties. Includes major corporate VRPs, regional powerhouses, and specialized audit platforms.
Google's Vulnerability Reward Program covers Chrome, Android, and all Google products. Top payouts reach $150K+ for critical Android and Chrome bugs. Paid $12M+ in 2023 alone.
Microsoft Security Response Center with bounties up to $250K for Azure, M365, and Windows. The Hyper-V bounty is one of the largest single-bug rewards in the industry.
Apple's private bug bounty program offers up to $1M for zero-click full chain exploits on iOS. iCloud, macOS, and Secure Enclave vulnerabilities command some of the highest bounties in the industry.
Europe's second-largest platform with 45,000+ ethical hackers and clients including BNP Paribas, Airbus, and the French government. Strong compliance with EU data sovereignty requirements.
Pentest-as-a-Service leader with 450+ vetted pentesters (Cobalt Core). Used by Zuora, Mimecast, and Palo Alto Networks. Structured pentests deliver consistent, high-quality findings with remediation guidance.
Trend Micro's vulnerability acquisition program — the world's largest independent vendor-agnostic VRP. Buys vulnerabilities in enterprise software and coordinates responsible disclosure. Pwn2Own sponsor.
Leading Web3 security platform combining formal verification, audits, and bug bounties. Has audited $300B+ in assets. Skynet monitors live on-chain activity for real-time threat detection.
Curated smart contract security platform with competitive audits and managed reviews. Founded by former Paradigm and Spearbit researchers. Attracts elite DeFi auditors with top-tier payouts.
Cyfrin's competitive audit platform with First Flights (learning) and full competitive contests. Strong community of upcoming auditors. Notable contests paying $50K+ for leading protocols.
Decentralized bug bounty protocol where projects stake tokens in vaults. Researchers earn from on-chain vault payouts, creating trustless, autonomous bounty distribution without middlemen.
Leading crypto-focused bug bounty platform from Hacken. Hosts programs for Binance, Crypto.com, and NEAR Protocol. Specializes in Web3 and crypto-native organizations with competitive bounty pools.
GitHub's vulnerability reward program covering GitHub.com, GitHub Enterprise, and GitHub Actions. Critical findings on the platform used by 100M+ developers earn substantial bounties up to $30K+.
Samsung's Mobile Security Rewards Program offers up to $1M for arbitrary code execution on Galaxy devices in secure boot environments. One of the richest mobile-focused VRPs outside Apple.
Unique attack surface management platform with crowdsourced security modules. Elite researchers submit modules that power Detectify's continuous scanning for thousands of enterprise clients. Ongoing passive income model.
One of the most respected corporate bug bounty programs on HackerOne. Shopify has paid $1M+ to researchers and is known for quick triage, fair bounties, and a researcher-first culture.
Tesla's vehicle and infrastructure bug bounty on Bugcrowd covers the Tesla network, vehicle software, and Autopilot systems. Automotive OEM bugs are rare and well-compensated — full vehicle exploits earn $15K+.
French elite crowdsourced security platform with invite-only researcher community. Serves major French banks, telecoms, and government agencies. Strong NIS2/DORA compliance capabilities.
World's first AI/ML bug bounty platform, acquired by Protect AI. Specializes in vulnerabilities in open-source ML libraries (Hugging Face, TensorFlow, PyTorch). Critical in the booming AI security space.
GitLab's public HackerOne program is fully open-source friendly and includes the GitLab.com SaaS and self-managed product. Known for quick response times and comprehensive scope including CI/CD pipelines.
European smart contract security platform combining automated analysis with competitive community audits. Transparent leaderboard system rewards top auditors. Growing DeFi and NFT client base.
Blockchain-powered bug bounty platform headquartered in Singapore. Uses NGL token incentive structures. Strong presence in APAC fintech and crypto organizations with time-limited competitive contests.
Atlassian's Bugcrowd program covers Jira, Confluence, Bitbucket, and Trello used by millions of enterprises. Critical vulnerabilities in its cloud products that affect data isolation earn high bounties.
Tier B — Solid Earning Potential
$1,000–$10,000 typical top bounties. Regional platforms, specialized sectors, and emerging market leaders.
Switzerland's leading bug bounty platform serving Swiss banking, fintech, and government sectors. Strong compliance with Swiss data protection laws. Growing community of DACH-region security researchers.
Swiss-based platform focused on DACH market enterprises and government organizations. Offers structured bug bounty programs with compliance-oriented reporting for regulated industries like finance and healthcare.
Swiss security consultancy running targeted bug bounty programs. Specializes in critical infrastructure and financial sector security assessments. Combined consulting and crowdsourced model for Swiss enterprises.
Central European bug bounty platform serving Hungarian and CEE organizations. Growing researcher community with leaderboard incentives. Unique regional positioning for Eastern European enterprise clients.
Central and Eastern European bug bounty platform with GDPR-compliant infrastructure. Serves regional governments, banks, and telcos. Strong community with transparent leaderboard and program catalog.
Swiss-founded platform bridging European and Latin American security markets. Unique bilingual (EN/ES) approach for DACH and LatAm organizations. Regulatory compliance focus for fintech and e-commerce sectors.
Multi-region platform bridging US, European, and Turkish markets. Offers both bug bounty and VDP program types with transparent researcher rankings. Cost-effective for SMEs entering crowdsourced security.
US-based platform offering budget-friendly managed bug bounty programs for startups and SMEs. Combines program management with researcher triage. Good entry point for companies new to crowdsourced security.
India's leading bug bounty platform serving homegrown startups and enterprises. AI-powered triage and vulnerability management. Strong community of Indian security researchers with growing global program list.
Middle East's leading bug bounty platform based in Dubai. Serves regional government entities, telecom companies, and fintech organizations. Growing community bridging MENA-region security talent with enterprise clients.
Combined CTF and bug bounty platform focused on MENA and Africa. Includes certification pathways, training, and live bug bounty programs. Major pipeline for regional security talent into enterprise programs.
World's largest WordPress vulnerability database and bug bounty platform. Coordinates responsible disclosure for 60,000+ WordPress plugins and themes. Critical source for WP security intelligence.
Wordfence's WordPress-focused bug bounty paying for plugin and theme vulnerabilities. With 100M+ WordPress sites globally, the attack surface is enormous. High-severity findings earn $10K+ with coordinated disclosure bonuses.
Indonesia's top bug bounty platform with a large community of local security researchers. Serves Indonesian government portals, banks, and tech unicorns. Strong CTF integration and researcher training programs.
Australian boutique bug bounty platform for Asia-Pacific organizations. Vetted researcher community with Australian data sovereignty compliance. Serves financial services, healthcare, and government sectors in APAC.
Australian-born bug bounty SaaS platform serving APAC enterprises. Self-service program setup with streamlined triage workflows. Good option for Australian companies wanting local data residency with global researcher access.
India-based bug bounty and security intelligence platform with compliance-focused reporting. Researcher community scoring and verified disclosure certificates. Growing presence in South Asian enterprise market.
US-based managed bug bounty platform combining human pentesting with crowdsourced researchers. Offers comprehensive vulnerability management with integrations to Jira and ServiceNow for enterprise workflows.
Global bug bounty platform with full public program directory and researcher leaderboard. Focus on transparency and open program listings. Appeals to independent researchers seeking public programs without invite requirements.
German vulnerability research platform and coordination body with 15+ years of history. Large archive of public disclosures and an active researcher community. Widely used for German enterprise VDP programs.
Dutch managed bug bounty platform with compliance-first approach. Serves Dutch government ministries, banks (ING, ABN AMRO), and tech companies. Strong focus on responsible disclosure and GDPR-compliant processes.
Southeast Asia's leading bug bounty platform headquartered in the Philippines. Serves regional fintech, e-commerce, and government organizations. Growing ASEAN researcher community with localized support.
Vietnam's premier bug bounty platform by CyStack. Hosts programs from leading Vietnamese banks, telecoms, and tech companies. Strong researcher community across Southeast Asia with transparent public programs.
Smart contract audit platform combining AI-powered analysis with competitive audit contests. Serves Solana and EVM projects with a growing auditor community. Accessible entry point for new blockchain security auditors.
Japanese open-source bug bounty and feature request platform. Funds both vulnerability fixes and feature development in open-source projects. Unique crowd-funded bounty model where community members pool rewards for issues.
Free and open non-commercial VDP platform with 30K+ programs and 2M+ reports submitted. Hosts the largest number of VDP programs globally. CVE assignment, ISO 29147-compliant workflows at no cost to organizations.
Balkans-based bug bounty platform tapping into the region's growing security talent pool. Serves regional enterprises and provides pathways for Western Balkan researchers into global security programs.
Nordic-region managed bug bounty and VDP platform. Serves Scandinavian banks, telcos, and government agencies requiring GDPR-compliant, locally managed security programs. Fully DAST-integrated workflows.
US-based competitive bug bounty platform with leaderboard gamification and researcher reputation scoring. Focuses on transparent program management and fair, consistent reward structures for both researchers and organizations.
Singapore-based elite bug bounty platform with a highly vetted private researcher community. Serves Singapore government agencies, MAS-regulated financial institutions, and ASEAN tech companies.
Indonesian bug bounty platform with a community-first approach. Bridges Indonesia's large security researcher community with domestic and regional enterprise clients. Active program listings with transparent scope definitions.
Next-generation bug bounty platform with streamlined UX and modern program management tools. Public hunt portal with growing list of programs. Fresh approach to researcher experience with fast, transparent triage processes.
Multi-regional platform covering Europe and Latin America with bilingual program support. Transparent researcher leaderboards and public program catalog. Growing cross-market presence for organizations targeting both regions.
Indian bug bounty platform with enterprise-grade program management. Serves domestic companies seeking vetted Indian security researchers. Compliance-oriented reporting for RBI-regulated and SEBI-regulated organizations.
Iran's leading bug bounty platform connecting domestic security researchers with Persian-speaking enterprises. Localised program management with Farsi-language support. Unique gateway to Iran's large security talent pool.
Latin American bug bounty platform headquartered in Chile. Serves South American banks, fintechs, and government portals. Spanish-language platform bridging LatAm security talent with the region's growing digital economy.
Vietnamese vulnerability disclosure and bug bounty platform with public leaderboard. Serves Vietnamese enterprises seeking domestic researchers familiar with local regulatory environments and business contexts.
Korean bug bounty and VDP platform serving South Korean enterprises, gaming companies, and e-commerce platforms. Localized Korean-language experience bridging domestic security researchers with major Korean brands.
Mozilla's AI/LLM-focused bug bounty platform. Targets vulnerabilities in large language models, AI systems, and generative AI infrastructure. At the frontier of a rapidly growing security discipline for AI systems.
Australian blockchain security firm offering smart contract audits and bug bounty programs. Serves APAC Web3 projects seeking local timezone support and regulatory compliance for DeFi and NFT platforms.
Tier C — Emerging & VDP Platforms
$100–$1,000 or reputation-based rewards. Government VDPs, regional platforms, and nascent ecosystems building the global security community.
US CISA's coordinated vulnerability disclosure platform for civilian federal agencies. Non-monetary but carries significant credibility. Covers .gov domains and critical US infrastructure.
UK National Cyber Security Centre's VDP for government systems. Non-monetary recognition. Key program for researchers targeting .gov.uk infrastructure and UK critical national infrastructure.
Australian Government's coordinated VDP for federal agency systems. Part of Australia's cyber resilience strategy. Non-monetary recognition for responsible disclosure to government assets.
Singapore GovTech's VDP covering all government digital services. One of Asia's most mature government VDP programs with structured response and public researcher acknowledgements.
Switzerland's National Cyber Security Centre vulnerability reporting program for federal systems. Part of Switzerland's proactive national cybersecurity approach with structured responsible disclosure processes.
Dutch Institute for Vulnerability Disclosure — a volunteer collective scanning the internet for vulnerabilities. Coordinates responsible disclosure globally. No monetary rewards but huge public impact and community recognition.
Russia's leading corporate bug bounty platform by BI.ZONE (Sberbank subsidiary). Serves major Russian enterprises and state corporations. Access to Russian-speaking security researchers and domestic program infrastructure.
Positive Technologies' platform linked to the famous Standoff cyberrange events. Merges CTF competition culture with live bug bounty programs. Strong Russian cybersecurity community engagement.
Russian-language bug bounty platform serving domestic enterprises and government-adjacent organizations. One of the earliest dedicated platforms for the Russian-speaking security community with public and private programs.
360 Security's major bug bounty platform ("Patch the Sky") — one of China's largest vulnerability disclosure platforms. Serves hundreds of Chinese enterprises. Top domestic security talent hub with massive researcher community.
Chinese bug bounty and vulnerability intelligence platform by Pwnzen. Competitive seasonal leaderboards and large public program catalog. Integrates with threat intelligence for Chinese enterprise clients.
Japan's dedicated bug bounty platform serving domestic enterprises in Japanese. Bridges Japan's security researchers with domestic companies less accessible through global platforms. Localised Japanese-language workflows.
Saudi Arabia's national bug bounty platform aligned with Vision 2030 digital transformation goals. Serves Saudi government entities, banks, and telcos. Growing community of GCC-region security researchers.
Armenia's bug bounty platform serving domestic tech companies and startups. Taps into Armenia's thriving tech ecosystem and talented security research community. Emerging platform in the South Caucasus region.
Brazil's leading bug bounty platform with programs from major banks (Banco do Brasil, Itaú), fintechs, and enterprises. Largest Latin American security researcher community. Portuguese-language with public leaderboard.
Open-source self-hosted VDP platform from Gero Security (Indonesia). Organizations can run their own bug bounty/VDP infrastructure without third-party dependency. Free to use, fork, and customize for any organization.
Africa's emerging bug bounty platform based in Kenya. Serves African fintech, telecoms, and mobile money platforms. Tapping into the continent's growing security talent and bringing African organizations into crowdsourced security.
Nepal's first dedicated bug bounty platform for domestic tech companies and startups. Active Nepali security community with public leaderboard. Pathway for South Asian researchers into regional enterprise programs.
New Zealand's bug bounty platform for Kiwi businesses and government entities. Provides data sovereignty and local researcher engagement for NZ organizations preferring domestic security testing programs.
Nigerian cybersecurity platform combining bug bounty programs with security training. Serves West African enterprises and fintechs. Developing Nigeria's security research community through training, CTFs, and live programs.
China's leading blockchain security firm with its own bug bounty coordination program. Specializes in exchange hacks, DeFi exploits, and Web3 security. Major incident responder for Asian crypto ecosystem breaches.
Indian bug bounty platform for SMEs and startups entering crowdsourced security. Cost-effective program management with pre-screened Indian security researchers. Good entry point for Indian tech companies launching first programs.
Malaysian bug bounty platform connecting domestic researchers with local enterprises. Serves Malaysian banks, government agencies, and telcos. Localized support for Bahasa Malaysia-speaking clients and researchers.
LRQA Nettitude's managed bug bounty platform for UK and European enterprises. CREST-accredited methodology with compliance-oriented deliverables. Combines traditional consulting with crowdsourced testing for regulated industries.
UK-based bug bounty platform for British enterprises seeking local data residency and compliance. Private program management with vetted researcher onboarding. Growing presence in UK fintech and media sectors.
Crowdsourcing platform with security challenge tracks alongside coding and design. Bug bounty is a subset of Topcoder's broader 1.8M+ member crowd-talent platform. Useful for organizations wanting integrated dev+security testing.
German crowd testing platform with 700K+ testers worldwide combining QA, usability, and security testing. Security tracks available for European enterprises wanting functional and security testing in one engagement.
Uber's HackerOne program covering Uber.com, Uber Eats, and driver/rider apps. Post-breach improvements made it a model for corporate responsibility. Scope covers mobile apps, APIs, and rideshare platform infrastructure.
Latin American bug bounty platform from Chile. Serves South American banks, fintechs, and government portals. Spanish-language platform bridging LatAm security talent with the region's growing digital economy.
Netherlands NCSC's coordinated vulnerability disclosure — a model that helped establish European CVD best practices. Non-monetary but globally influential for responsible disclosure policy. Covers Dutch government systems.