Top 5 Bug Bounties Paid to Hackers by Tech Giants

Hacking always brings to fore the thought of something illegal, unlawful and harmful, and is more than often met with a frown on an internet user’s face. But there are a few good ones among the hacking community too and they get paid well do be good samaritans of the tech industry.

Shutterstock 383022976
Photo: Shutterstock

‘White hat hackers’, who’re among the good ones — help companies detect bugs in their system, preventing attackers from accessing critical information or just messing things up.

Every year, several tech companies, including Facebook, Google, Microsoft and other biggies, conduct bounty programmes which reward hackers to find a bug in their code, which helps them evade potential attack against their system.

Some companies like Microsoft conduct annual competitions for the same and others like Google have incorporated this programme to be a year-long affair — paying handsome bounties to the tune of tens of thousands of dollars to hackers.

Here we enlist the top five bounties collected by hackers from tech titans in the last few years.

Vasilis Pappas ($200,000) from Microsoft

Vasilis Pappas, a PhD student at Columbia University in 2012, won $200,000 at the Blue Hat Security contest in Las Vegas, for coming up with a programme called ‘kBouncer’ which blocks any Return-Oriented Programming (ROP) attack from running.

An ROP attack is designed to disable or evade computer security controls of a programme, allowing access to execute an attack code.


James Forshaw ($100,000) from Microsoft

James Forshaw received a sum of $100,000 from Microsoft in 2013, for unveiling a security bug in the preview version of Windows 8.1, which would allow any attacker to circumvent the inbuilt defence mechanism of the software.

The 34-year-old London-based security researcher had previously also won a bounty for finding a bug in Internet Explorer 11.

Peter Pi ($75,750) from Google Android

Google has had a bug bounty programme since 2010, but recently in 2015, they shifted to a year-long bounty programme. In their first year, Peter Pi found out 26 bugs in Google’s Android platform and was rewarded $75,750 for his efforts.

Shutterstock 517582705

Joshua Drake ($50,000) from Google Android

Joshua Drake won $50,000 in 2015 for unearthing bugs related to Google’s Android platform. The security researcher came across a number of StageFright bugs, which allow hackers to have remote access to a users’ device, enabling them to control it too.

Andrew Leonov ($40,000) from Facebook

Andrew Leonov was recently awarded a $40,000 bounty from Facebook for finding a ‘remote code execution’ flaw with its open-source photo editing software, ImageMagick.

Shutterstock 522960433
ThomasDeco /

The bug would’ve allowed harmful hackers to upload photos with malicious software, which when downloaded by a user can compromise their computer.

The bug was reported by Leonov in October 2016 and was patched within a day. He received his reward in the following weeks, which was also the biggest bug bounty ever paid by the social media giant.

Last updated on 03 February, 2022

The above article may contain affiliate links which help support Guiding Tech. However, it does not affect our editorial integrity. The content remains unbiased and authentic.