PRODUCTS AND SERVICES (REWARD OFFERED)
- Bugcrowd - https://portal.bugcrowd.com/sign_up/
- AT&T - http://developer.att.com/developer/apiDetailPage.jsp?passedItemId=10700235 (To submit you need to sign up to the free Developer API program)
- Avast! - http://www.avast.com/bug-bounty
- Barracuda - http://barracudalabs.com/?page_id=3456
- Chromium Project - http://www.chromium.org/Home/chromium-security/vulnerability-rewards-program
- Coinbase - https://coinbase.com/whitehat
- Cryptocat - https://crypto.cat/bughunt/
- Etsy - http://www.etsy.com/help/article/2463
- Facebook - http://www.facebook.com/whitehat/bounty/
- Gallery - http://codex.gallery2.org/Bounties
- Ghostscript - http://ghostscript.com/Bug_bounty_program.html (Mostly software development, occasional security issues)
- Google - http://www.google.com/about/company/rewardprogram.html
- Heroku - https://policy.heroku.com/security
- Hex-Rays - http://www.hex-rays.com/bugbounty.shtml
- Kraken - https://www.kraken.com/security/bug-bounty
- LaunchKey - https://launchkey.com/docs/whitehat
- Marktplaats - http://statisch.marktplaats.nl/help/responsible_disclosure_policy_en.html
- Mega.co.nz - http://thenextweb.com/insider/2013/02/01/kim-dotcom-puts-up-13500-bounty-for-first-person-to-break-megas-security-system/
- Meraki - http://www.meraki.com/trust/#srp
- Meta Calculator - http://www.meta-calculator.com/blog/bug-bounty-program/
- Microsoft - http://www.microsoft.com/security/msrc/report/bountyprograms.aspx
- Mozilla - http://www.mozilla.org/security/bug-bounty.html
- National Cyber Security Center (Netherlands) - https://www.ncsc.nl/security
- Olark - http://www.olark.com/customer/portal/articles/1237352
- Paypal - https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
- PikaPay - https://www.pikapay.com/pikapay-security-policy/
- Piwik - http://piwik.org/security/
- Qiwi - https://www.qiwi.ru/page/hack.action
- Qmail - http://cr.yp.to/djbdns/guarantee.html
- Ricebridge - http://www.ricebridge.com/bugs.htm (Only available to customers)
- Ripple - https://ripple.com/bug-bounty/
- Samsung - https://samsungtvbounty.com/
- Simple - https://www.simple.com/policies/website-security/
- Tarsnap - https://www.tarsnap.com/bugbounty.html
- Yandex - http://company.yandex.com/security/index.xml
- Zerobrane - http://notebook.kulchenko.com/zerobrane/zerobrane-studio-bug-bounty
PRODUCT AND SERVICES (HALL OF FAME + SWAG)
- Atlassian - https://confluence.atlassian.com/display/SUPPORT/How+to+Report+a+Security+Issue
- Attack Secure - http://attack-secure.com/whitehat/
- Engineyard - https://www.engineyard.com/legal/responsible-disclosure-policy
- Github - https://help.github.com/articles/responsible-disclosure-of-security-vulnerabilities
- ifixit - http://www.ifixit.com/Info/Responsible_Disclosure
- Paymill - https://www.paymill.com/en-gb/support-3/worth-knowing/security/
- Pinterest - http://about.pinterest.com/terms/responsible-disclosure/
- Schuberg Philis - http://www.schubergphilis.com/newsroom/library/downloads-policies/responsible-disclosure-policy/
- Soundcloud - http://help.soundcloud.com/customer/portal/articles/439715-responsible-disclosure
- Yahoo - http://security.yahoo.com/reporting-security-issues-yahoo-000000016.html
PRODUCT AND SERVICES (HALL OF FAME ONLY)
- 37signals - https://37signals.com/security-response
- Acquia - https://www.acquia.com/how-report-security-issue
- ActiveProspect - http://activeprospect.com/activeprospect-security/
- Adobe - http://www.adobe.com/support/security/alertus.html
- Android Free Apps - http://www.androidfreeapp.net/security-researcher-acknowledgments/
- Apple - http://support.apple.com/kb/HT1318
- Base - https://getbase.com/security/
- Blackberry - http://us.blackberry.com/business/topics/security/incident-response-team/collaborations.html
- Braintree - https://www.braintreepayments.com/developers/disclosure
- Card - https://www.card.com/responsible-disclosure-policy
- Chargify - https://chargify.com/security/
- Constant Contact - http://www.constantcontact.com/about-constant-contact/security/report-vulnerability.jsp
- cPaperless - http://www.cpaperless.com/securitystatement.aspx
- Digital Ocean - https://www.digitalocean.com/security
- DiMartino Entertainment - http://moosikay.dimartinoentertainment.com/site/credits/
- Dropbox - https://www.dropbox.com/special_thanks
- eBay - http://pages.ebay.com/securitycenter/ResearchersAcknowledgement.html
- EVE - http://community.eveonline.com/devblog.asp?a=blog&nbid=2384
- Evernote - http://evernote.com/security/
- Foursquare - https://foursquare.com/about/security
- Freelancer - http://www.freelancer.com/info/vulnerability-submission.php
- Future Of Enforcement - http://futureofenforcement.com/?page_id=695
- Gitlab - http://blog.gitlab.com/responsible-disclosure-policy/
- Gittip - https://www.gittip.com/security.txt
- Gliph - https://gli.ph/s/security.html
- HakSecurity - http://haksecurity.com/special-thanks/
- Harmony - http://get.harmonyapp.com/security/
- Iconfinder - http://support.iconfinder.com/customer/portal/articles/1217282-responsible-disclosure-of-security-vulnerabilities
- Kaneva - http://docs.kaneva.com/mediawiki/index.php/Bug_Bounty
- Kayako - https://my.kayako.com/Knowledgebase/Article/View/853/0/security-vulnerability-fix-and-patch-policy
- lastpass - https://lastpass.com/support_security.php
- Mahara - https://wiki.mahara.org/index.php/Contributors#Security_Researchers
- MailChimp - http://mailchimp.com/about/security-response/
- Microsoft (Online Services) - http://technet.microsoft.com/en-us/security/cc308589
- Netflix - http://support.netflix.com/en/node/6657#gsc.tab=0
- Nitrous.IO - http://help.nitrous.io/admin-security-response/
- Nokia - http://www.nokia.com/global/security/acknowledgements/
- Nokia Siemens Networks - http://www.nokiasiemensnetworks.com/about-us/responsible-disclosure
- Norada - http://norada.com/crm-software/security_response
- Open Text - http://opentext.com/2/global/company/security-acknowledgements.htm
- Opera - https://bugs.opera.com/wizarddesktop/
- Oracle - http://oracle.com/technetwork/topics/security/securityfixlifecycle-086982.html
- Owncloud - http://owncloud.org/about/security/hall-of-fame/
- Pocket - http://help.getpocket.com/customer/portal/articles/1225832-pocket-security-overview
- Puppet Labs - https://puppetlabs.com/security/acknowledgments/
- RedHat - https://access.redhat.com/knowledge/articles/66234
- Risk.io - https://www.risk.io/security
- Security Net - http://www.securitynet.org/security-researcher-acknoledgments/
- Sellfy - https://sellfy.com/security/
- Shopify - https://www.shopify.com/security-response
- Sonatype - http://www.sonatype.com/contact/report-a-security-issue
- Spotify - https://www.spotify.com/us/about-us/contact/report-security-issues/
- Sprout Social - http://sproutsocial.com/responsible-disclosure-policy
- Telekom - http://www.telekom.com/corporate-responsibility/security/186450
- Thingomatic - http://thingomatic.org/security.html
- Tuenti - http://corporate.tuenti.com/en/dev/hall-of-fame
- Twilio - https://www.twilio.com/docs/security/disclosure
- Twitter - https://twitter.com/about/security
- WizeHive - http://www.wizehive.com/special_thanks.html
- Xmarks - https://buy.xmarks.com/security.php
- Zendesk - http://www.zendesk.com/company/responsible-disclosure-policy
- Zynga - http://company.zynga.com/security/whitehats
PRODUCTS AND SERVICES (NO REWARD)
- Airbnb - https://www.airbnb.com/help/policies/responsible_disclosure#responsible_disclosure_policy
- Amazon.com - (please email details to security@amazon.com)
- Amazon Web Services - http://aws.amazon.com/security/vulnerability-reporting
- Apriva - http://www.apriva.com/security
- Asana - https://asana.com/security
- Authy - https://www.authy.com/security-issue
- Avira - http://www.avira.com/en/support-vulnerability
- Blackboard - http://www.blackboard.com/footer/security-policy.aspx
- Box - https://www.box.com/about-us/security/
- Cisco - http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html#roosfassv
- Cloudnetz - http://cloudnetz.com/Legal/vulnerability-testing-policy.html
- Coupa - http://trust.coupa.com/home/security/coupa-vulnerability-reporting-policy
- Drupal - https://drupal.org/security-team
- EMC2 - http://www.emc.com/contact-us/contact/product-security-response-center.htm
- Emptrust - http://www.emptrust.com/Security.aspx
- HoneyDocs - https://www.honeydocs.com/bounty (Reward: Free HoneyDocs plan)
- HTC - http://www.htc.com/us/terms/product-security/
- Huawei - http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm
- IBM - http://www-03.ibm.com/security/secure-engineering/report.html
- KPN - http://www.kpn.com/Privacy.htm#tabcontent3
- Lievensberg Hospital - http://www.lievensbergziekenhuis.nl/paginas/141-disclaimer.html
- LinkedIn - http://help.linkedin.com/app/answers/detail/a_id/37022
- Lookout - https://www.lookout.com/responsible-disclosure
- Millsap Independent School District - http://www.millsapisd.net/BugReport.cfm
- Modus CSR - http://www.moduscsr.com/security_statement.php
- PagerDuty - http://www.pagerduty.com/security/disclosure/
- Panzura - http://panzura.com/support/panzura-security-policy/
- Pidgin - http://pidgin.im/security/
- Plone - http://plone.org/products/plone/security/advisories
- Pop Group - http://www.popgroupglobal.com/security.php
- Reddit - http://code.reddit.com/wiki/help/whitehat
- Relaso - http://relaso.com/disclosure
- Salesforce - http://www.salesforce.com/company/privacy/security.jsp#vulnerability
- Scorpion Software - http://www.scorpionsoft.com/company/disclosurepolicy/
- Simplify - http://simplify-llc.com/simplify-security.html
- Skoodat - http://www.skoodat.com/security
- Square - https://squareup.com/security/levels
- Symantec - http://www.symantec.com/security/
- Team Unify - http://www.teamunify.com/__corp__/security.php
- Tele2 - http://www.tele2.nl/klantenservice/veiligheid/tele2-en-veiligheid.html
- UPC - http://www.upc.nl/internet/veilig_internet/beveiligingsproblemen/
- Viadeo - http://www.viadeo.com/aide/security/
- Vodafone (Netherlands) - http://over.vodafone.nl/vodafone-nederland/privacy-veiligheid/beveiliging-en-bescherming/wat-doet-vodafone/meld-een-beveilig
- VSR - http://www.vsecurity.com/company/disclosure
- X.commerce - http://www.x.com/security
- Xen - http://www.xen.org/projects/security_vulnerability_process.html
- Ziggo - https://www.ziggo.nl/#klantenservice/internet/risicos-op-internet/meldpunt-beveiligingslekken
BROKERS AND SECURITY COMPANIES
- Beyond Security - http://www.beyondsecurity.com/ssd.html
- COSINC - http://www.coseinc.com/en/index.php?rt=advisory
- Exodus Intelligence - https://www.exodusintel.com/eip/
- ExploitHub - https://www.exploithub.com/request/index/developmentrequests/
- HP Zero-Day Initiative (ZDI) - http://www.zerodayinitiative.com/about/benefits/
- iDefense - https://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/vulnerability-intelligence/index.xhtml
- Insight Partners - https://gvp.isightpartners.com/program_details.gvp?page=3&title=1§ion=0
- Netragard - http://pentest.snosoft.com/netragards-eap/
- Packet Storm - http://packetstormsecurity.com/bugbounty
- Secunia - http://secunia.com/community/research/svcrp
- White Fir Design - https://www.whitefirdesign.com/about/wordpress-security-bug-bounty-program.html