
Need some extra money? Become a bug bounty hunter for Twitter

The bounty hunters of today aren’t roaming the Wild West with a rifle and a pair of handcuffs — rather, they’re denizens of the online world, hunting for bugs. And boy, are they getting paid.

In a recently released report from Twitter, the social media company revealed that over the last two years, bug bounty hunters have been paid over $300,000 in rewards for finding “threats and attacks against [Twitter’s] users and systems.” After all, keeping a vast internet company up and running and safe from malicious parties is a collaborative, and sometimes for-hire, effort.


As Twitter admitted Friday, the Silicon Valley firm has another line of defense that works alongside its “dedicated account-, network-, enterprise-, corporate-, and application-security teams.” Thanks to its bug bounty program, Twitter has tapped into a vast network of security researchers who help alert the firm to any vulnerabilities they find so that the company can fix them before others can exploit them.

The program has been a critical component of Twitter’s defenses since May 2014, and the company calls it “an invaluable resource for finding and fixing security vulnerabilities ranging from the mundane to severe.”

Over the last 24 months, Twitter has received 5,171 submissions from 1,662 researchers, and the company has paid a total of $322,420 to researchers. The average payout is a not-so-shabby $835, and the highest payout to date has been an impressive $12,040. Why the odd amounts? Because it’s Twitter, and everything is in a multiple of $140 (yes, that means that its minimum payment is also $140).

In fact, so lucrative is Twitter’s bug bounty program that you could practically make a living off of reporting vulnerabilities alone. In 2015, the company says, a single researcher made over $54,000 — that either speaks to the researcher’s prowess … or the multiplicity of Twitter’s security issues.

And if you’re really looking for a big payout, try to find a remote code execution vulnerability — Twitter pays $15,000 a pop for one of those. But they’ve yet to receive such a report.

“We’re thankful to all the security researchers who have worked hard to find and report vulnerabilities in Twitter, and we look forward to continuing our good faith relationship in 2016 and beyond,” the company concludes. And of course, if you want to turn your bug bounty hunting skills into a real job, Twitter also notes that it’s hiring on its security team.

Lulu Chang
Former Digital Trends Contributor