
What is bug bounty?

  • Writer: Alexey
  • May 11, 2020
  • 2 min read

Recently we spoke about zero-day vulnerabilities. They can cause a great deal of harm if a working exploit exists for them. Software developers understand this just as well as we do.


Searching for vulnerabilities in well-developed software is a time-consuming process, and a well-shaped software development lifecycle eliminates the common ones. So why do people spend their free time digging through code? Some simply enjoy hunting bugs; think of it like fishing. Others try to monetize vulnerabilities, either by selling them to attackers or by using them directly to steal data and eventually earn money. You cannot stop that, but what you can do is give people a legitimate way of making money from their discoveries. This is called a bug bounty.


The idea is that a researcher can "sell" a vulnerability to the software developer so they can eliminate it, rather than using it against them or selling it on the dark web. Usually, the more severe the vulnerability, the more money you get. There are rating criteria, and they are strict. One of them is that the vulnerability must be new: if it is already known or already reported, it does not qualify. Another important one is that it must be exploitable, meaning there has to be a demonstrable way of getting in using the discovered vulnerability, not just a theoretical weakness.


How much would you get? It depends heavily on the severity, but usually several thousand dollars, and for the most critical findings it can go up to 100k.


Who has bug bounty programs? Google, Apple, Amazon, Yandex and so on: large, mature software vendors.


Who pays the most? That is a difficult question, but usually the harder it is to find a vulnerability in a platform, the more the platform owner will pay for it. You may try searching for anything in Apple services, and if you succeed, you can do nothing for the next couple of years.


As a general rule, prefer the services that pay the most for bugs in their software. They tend to be m



© 2025 by Alexey Bocharnikov
