The Biggest Bounties Uber, Facebook, Microsoft and More Have Paid Hackers

From Uber to GM, companies are willing to pay hackers big bucks for finding glitches in their systems.

By Rose Leadem

Hacking gets a bad rap, mostly because people tend to focus on those out to do harm. But there are many so-called "white hat" hackers who try to uncover vulnerabilities. Many of today’s biggest tech and media firms have launched “bug bounty” programs offering to pay these hackers -- or anyone -- big bucks to report vulnerabilities in their systems.

With bug bounties becoming so mainstream, companies are emerging dedicated to finding these flaws. Startup HackerOne checks for bugs in companies’ operations, and in February, it announced a $40 million series C funding round.

Companies outside of tech have also launched their own bug bounty programs. In 2016, the U.S. Army launched its program, “Hack the Army,” and companies such as Starbucks and GM have also made it a part of their operations.

"Bug bounties are now an essential part of the software life cycle," HackerOne’s CEO Marten Mickos told Fortune.

In January, Facebook awarded its biggest bounty yet -- $40,000 to a security researcher who discovered a glitch in its photo editing software, ImageMagick. In October 2016, the company posted to Facebook that it had paid out more than $5 million in bug bounties over the past five years.

Check out the biggest bounties that hackers have collected from some of the leading names in tech.

In August 2016, security researcher Anand Prakash found a glitch in Uber’s code that allowed users unlimited free rides. After reporting it through Uber’s bug bounty program, which awards hackers up to $10,000 for discovering system vulnerabilities, the company gave Prakash permission to test for the bug in the U.S. and India. As a result, he found that the bug impacted both markets.

When entering payment information, users could submit an invalid payment method, such as “abc” or “xyc,” and avoid being billed for a ride.

Uber has since fixed the issue and paid Prakash $5,000 for his discovery.

Facebook awarded Russian security researcher Andrew Leonov $40,000 for finding a flaw in its photo editing software ImageMagick. The bug, which was originally discovered last year by Facebook’s security team, had been temporarily patched, but Leonov found a flaw in that handiwork, leaving Facebook’s servers vulnerable to “remote code execution.”

While on the web, Leonov was presented with a “share on Facebook” pop-up box and he noticed that the page’s image failed to load properly. After some digging, he found that “Facebook had used a vulnerable ImageMagick library in its image converter,” reports Fortune.

Leonov then found a way to break through Facebook’s firewall with his own code, and afterwards reported the bug to the company. He was awarded the biggest bounty Facebook has ever given out, which he received through bug bounty startup Bugcrowd.

In 2014, Facebook paid Brazilian security researcher Reginaldo Silva $33,500 for reporting a major vulnerability that would have risked users’ login credentials. The bug was related to code used for the authentication system OpenID, which lets people use the same log-in credentials on various platforms. The glitch would have allowed hackers to access files and open network connections on Facebook’s servers. Today, Silva works as an engineer at Facebook.


Bug hunters come in all shapes, sizes -- and ages. In March 2016, Facebook awarded a 10-year-old Finnish boy $10,000 for finding a weakness in its photo sharing app Instagram. The boy, identified only by his first name, “Jani,” is the youngest person to ever receive a bounty from the social media giant -- in fact, he’s too young to even have his own Facebook or Instagram accounts.

Jani, who learned to code from YouTube videos, discovered a way to delete user comments from Instagram accounts. “I wanted to see if Instagram’s comment field could stand malicious code. Turns out it couldn’t,” he said.

In 2016, a security researcher who goes by “avicoder” uncovered the now-defunct Vine’s entire source code -- the confidential backbone of an app or program. Luckily, avicoder reported the finding to Twitter, the issue was immediately fixed and the researcher was paid $10,080.

In 2013, Microsoft paid James Forshaw, a security vulnerability researcher for Context Information Security, $100,000 for finding a bug in its preview version of the Windows 8.1 operating system. Forshaw discovered a “new mitigation bypass” technique that helped him get around the software’s defense walls.

This wasn’t the first time Microsoft paid someone wads of cash for discovering a flaw in its systems. Over the past few years the company has run contests offering cash prizes to people who find bugs and offer solutions to fix them. In 2012, Vasilis Pappas, a PhD student at Columbia University at the time, won $200,000 in the company’s Blue Hat security contest. Pappas came up with “kBouncer,” which blocks anything that looks like an ROP attack from running, reports Business Insider.

Google has had a bug bounty program since 2010. In fact, up until 2015, the company hosted an annual Pwnium contest offering cash prizes to people who find vulnerabilities in its products. Today, like many other tech companies, Google has switched to a year-long rewards program instead. And Stephan Somogyi, product manager of security and privacy at Google, said the company paid out more than $2 million to more than 300 security researchers for finding bugs.

In 2015, security researcher Peter Pi was recognized as the top researcher for Android vulnerabilities, discovering more than 26 bugs and being rewarded $75,750 for his efforts.

The same year, Zimperium security researcher Joshua Drake was rewarded more than $50,000 for uncovering a number of Stagefright bugs, which are Android bugs that allow hackers to control users’ devices remotely.

Rose Leadem is a freelance writer for 