PAID TO BREAK IT — Issue #1: Five Disclosed Payouts Dissected

Five real disclosed bug-bounty payouts from 2025–2026 — a $24,000 Meta OAuth chain, a critical SSRF in HackerOne's own platform, two IDOR/BOLA findings (one paying $15,000), and a WAF documentation flaw — each broken down by vuln class, program, and the skill ladder a beginner needs to get there.

Bug Bounty Paydays
June 10, 2026 · 8:20 PM
Five disclosed bug-bounty payouts worth studying this week: what broke, who found it, what it paid, and the exact skill progression a beginner needs to get there.
#  | Vuln class                  | Platform        | Program                   | Payout
---|-----------------------------|-----------------|---------------------------|---------------------
1  | OAuth / session theft chain | HackerOne       | Meta (Facebook/Instagram) | $24,000
2  | SSRF via analytics webhook  | HackerOne       | HackerOne (self)          | Critical / disclosed
3  | IDOR in OOO calendar API    | HackerOne       | Nextcloud                 | Disclosed
4  | IDOR in user profile API    | Private program | Anonymous                 | $15,000
5  | WAF config logic flaw       | Google VRP      | Google Cloud Armor        | $500
Note: The original planned time window had limited fresh disclosures at press time. This inaugural issue draws on disclosed reports from late 2025 and early 2026 to demonstrate the format. Starting with Issue #2, coverage will tighten to a rolling 7-day window.

#1 — OAuth token exfiltration chain at Meta: $24,000

Vuln class: OAuth token exfiltration via Graph API batch request
Program: Meta Bug Bounty (HackerOne)
Payout: $24,000
Researcher: Youssef Sammouda (@samm0uda)
Disclosed: January 2025 [1]
Sammouda extracted Meta's long-lived device-identifier cookie (datr) through crafted OAuth/Graph API batch requests. The datr cookie is what Meta uses to recognize a device as "trusted" — once an attacker holds it, they can trigger trusted-device account recovery and bypass secondary verification, including by supplying AI-generated identity documents. The fix required tightening which API endpoints could surface device identifiers in batch responses.
What this is not: A cookie-stealing XSS. The exfiltration happened entirely through the API — no user click required.

Skill ladder to get here

Level            | What you need                                                                            | Resources
-----------------|------------------------------------------------------------------------------------------|---------------------------------------
0 → Beginner     | Understand OAuth 2.0 flows (authorization code, implicit)                                | PortSwigger OAuth labs
1 → Intermediate | Learn Meta's Graph API batch request format; read old Graph API write-ups                | Meta developer docs
2 → Practitioner | Understand "trusted device" recovery flows; map which endpoints touch device identifiers | Sammouda's full writeup at ysamm.com
3 → Advanced     | Chain access across account recovery + AI-generated bypass vectors                       | Practice on bug-bounty-style sandboxes
The core transferable skill here is API surface mapping: finding endpoints that indirectly expose high-value tokens as a side-effect of their normal function, not just the endpoints that are supposed to serve tokens.

#2 — SSRF via analytics reports (HackerOne's own program)

Vuln class: Server-Side Request Forgery (SSRF)
Program: HackerOne's public bug bounty program
Report: HackerOne #2262382
Disclosed: 2025 [2]
An attacker-controlled URL parameter inside the analytics-report generation feature was not sanitized before being used in a server-side HTTP request. That let a researcher make HackerOne's own infrastructure call internal endpoints — including cloud metadata services — from within the application's network boundary.
The meta-irony of a bug bounty platform having a critical SSRF in its own product has been noted in the community, but it's also exactly why the disclosed-programs model works: internal developers miss things, external eyes catch them, everyone benefits.
What SSRF actually does in 2025: Cloud-hosted apps run inside VPCs with access to instance metadata (AWS 169.254.169.254, GCP metadata server, etc.). A server-side fetch to these addresses returns temporary credentials, internal IPs, and configuration data. An SSRF that reaches metadata is typically rated Critical because it's a near-direct path to credential theft.

Skill ladder to get here

Level            | What you need
-----------------|---------------------------------------------------------------------------------------------------
0 → Beginner     | Understand HTTP request flow: what a server-side fetch looks like vs client-side
1 → Intermediate | Learn cloud metadata endpoint structure (AWS IMDSv1 vs v2, GCP); practice SSRF labs on PortSwigger
2 → Practitioner | Identify where apps make outbound requests: webhooks, PDF renderers, URL preview features, analytics exporters
3 → Advanced     | Bypass SSRF filters: IP encoding, DNS rebinding, open-redirect chains
The hunting pattern: look for any feature where a URL you control is consumed server-side. Export functions, webhook configurators, and link-preview endpoints are disproportionately productive.
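The defender-side counterpart to that hunting pattern, added here as an example (not HackerOne's code): a validator for a customer-supplied webhook or report URL that refuses the metadata and private ranges described above, judges what a name resolves to rather than the literal string (so decimal-encoded addresses are caught), and fails if any answer is blocked. It assumes the caller then connects to the returned pinned IP and re-validates every redirect hop instead of following it automatically; the `resolver` argument is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames that name a metadata service regardless of IP (assumption: illustrative, not exhaustive).
METADATA_HOSTS = {"metadata.google.internal", "metadata"}
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",  # link-local; AWS, GCP and Azure metadata sit at 169.254.169.254
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8",
    "100.64.0.0/10",   # CGNAT range; some providers serve metadata from here too
    "::1/128", "fc00::/7", "fe80::/10",
)]

def resolve_all(hostname):
    """Default resolver: every A/AAAA answer from getaddrinfo, not just the first one."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}

def is_blocked(addr):
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata address
    return any(ip in net for net in BLOCKED_NETWORKS)

def validate_webhook_url(url, resolver=resolve_all):
    """Return (allowed, reason, pinned_ip); connect to pinned_ip, never re-resolve."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", None
    host = (parts.hostname or "").rstrip(".").lower()
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials", None
    if host in METADATA_HOSTS:
        return False, "metadata hostname", None
    try:
        addrs = {str(ipaddress.ip_address(host))}  # IP literal: no DNS involved
    except ValueError:
        try:
            # Decimal or hex hosts such as 2852039166 are turned into 169.254.169.254 by the OS
            # resolver on many platforms, so judge the resolved addresses, not the literal string.
            addrs = set(resolver(host))
        except OSError:
            addrs = set()
    if not addrs:
        return False, "unresolvable host", None
    for addr in sorted(addrs):
        if is_blocked(addr):  # one blocked answer among several is itself a rebinding signal
            return False, f"resolves to blocked address {addr}", None
    return True, "ok", sorted(addrs)[0]
```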
Chart: Average payout by vuln class, 2025 data — SSRF and BOLA/IDOR remain among the most consistent earners. [3]

#3 — BOLA in Nextcloud out-of-office API

Vuln class: Broken Object Level Authorization (BOLA) — also called IDOR
Program: Nextcloud (HackerOne)
Report: HackerOne #3382343
Disclosed: December 5, 2025
Security advisory: GHSA-qcw2-p26m-9gc5 [4]
The Out-of-Office endpoints /ocs/v2.php/apps/dav/api/v1/outOfOffice/{userId} and .../outOfOffice/{userId}/now checked authentication but not authorization. An authenticated user could read another user's private OOO settings — including vacation dates, travel status, and personal message — by substituting any valid userId in the path. In the researcher's proof of concept, they read Alice's OOO data (vacation dates December 20, 2025 – January 5, 2026, travel destination) from Bob's account with no privileged role.
This is the canonical BOLA pattern: the API validates who you are, but not whether you're allowed to access that specific resource.

Skill ladder to get here

Level            | What you need
-----------------|-------------------------------------------------------------------------------------------------------------
0 → Beginner     | Understand the difference between authentication (who are you) and authorization (what are you allowed)
1 → Intermediate | Learn OWASP API Top 10 — API1 Broken Object Level Authorization; practice on PortSwigger API labs
2 → Practitioner | Intercept API calls in Burp Suite; identify object identifiers in URL paths and request bodies; test substitution
3 → Advanced     | Enumerate IDs systematically; test across API versions; find endpoints where sensitive data (PII, business logic) sits behind BOLA
Nextcloud is open source — you can run a local instance and test against the exact same codebase before hunting live. That's an underused beginner shortcut: read the source, then hunt the deployed version.

#4 — $15,000 IDOR in user profile API

Vuln class: IDOR (Insecure Direct Object Reference)
Program: Anonymous private program (HackerOne)
Payout: $15,000
Researcher: Krishna Kumar (@xalgord)
Disclosed: March 2026 [5]
The target program had recently launched a new profile management system — which is precisely where Kumar looked. A newly shipped feature frequently means newly shipped authorization gaps. The API endpoint controlling user profile data accepted a userId parameter that was not enforced against the authenticated session; any authenticated user could view, modify, or delete any other user's private profile data by changing the ID.
The report was rated Critical under the program's CVSS 3.1 rubric, with a 12-day cycle from report to payout. The program's bounty range ran from $500 (low) to $25,000 (critical); the $15,000 figure reflects the data sensitivity and account-level impact.
What made this findable: Kumar's note that he reads program scope documents three times before starting — "I've missed easy wins by skimming." The scope explicitly called out a recently launched profile system as in-scope. New code is high-yield precisely because it hasn't aged into extensive security review.

What a beginner should internalize here

The tools are simple — Burp Suite's Repeater tab plus a second test account. The judgment is harder: identifying which parameter controls which object, then systematically testing whether server-side authorization validates ownership. Most programs pay $500–$2,500 for low-impact IDOR; the $15,000 range requires finding one that touches account integrity, payment data, or PII at meaningful scale.

#5 — Google Cloud WAF documentation bypass: $500

Vuln class: Logic flaw in WAF configuration template / documentation error
Program: Google VRP
Payout: $500
Researcher: Joshua Rogers
Disclosed: December 2025 [6]
Rogers found that Google's own documentation for Cloud Armor (Google's WAF) instructed users to write host-header rules in a form that was trivially bypassable. The example configuration:
if (request.headers['host'].lower().contains('test.example.com')) { allow all; }
Any attacker setting their hostname to test.example.com.attacker.com would pass the contains() check and bypass all WAF rules. The correct pattern — endsWith('.example.com') — was absent from the published docs. Google fixed the documentation and paid $500.
This falls outside the standard "find a bug in production code" model. The vulnerability was in the authoritative instructions companies use to configure their security tooling — meaning the documentation bug created misconfigured WAFs at scale across all customers following the guide.
Note on payout expectations: $500 is a modest number for a finding with broad configuration impact. Rogers himself published a frank account of the payout bureaucracy involved — a useful read for anyone navigating Google's payment process for the first time. [6]
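The two matching rules from the documentation bug, modelled in Python as an added example (not Google's code or Cloud Armor's rule language) so the hostname edge cases can be tabled side by side. It assumes the Host value is normalized (lower-cased, port and trailing dot removed) before either rule runs; the sample header values are constructed, and the suffix rule is the page's endsWith('.example.com') plus the apex domain itself.

```python
# Constructed sample Host header values (assumption); the third is the bypass from the report.
SAMPLE_HOSTS = (
    "test.example.com",
    "TEST.EXAMPLE.COM:443",
    "test.example.com.attacker.com",
    "test.example.com.",
    "evil-example.com",
    "example.com",
)

def normalize_host(raw):
    """Lower-case, drop a port or bracketed IPv6 wrapper, then drop a trailing FQDN dot."""
    host = raw.strip().lower()
    if host.startswith("["):
        host = host.split("]")[0][1:]  # bracketed IPv6 literal, port discarded
    elif host.count(":") == 1:
        host = host.rsplit(":", 1)[0]  # host:port
    return host.rstrip(".")

def contains_check(host, target="test.example.com"):
    """The rule as the docs showed it: substring match anywhere in the header."""
    return target in normalize_host(host)

def suffix_check(host, domain="example.com"):
    """The intended rule: the host is the domain itself or a label beneath it."""
    host = normalize_host(host)
    return host == domain or host.endswith("." + domain)

def compare(hosts=SAMPLE_HOSTS):
    """Map each sample Host value to (contains_check, suffix_check) so the divergence is visible."""
    return {h: (contains_check(h), suffix_check(h)) for h in hosts}

if __name__ == "__main__":
    for host, (weak, strict) in compare().items():
        print(f"{host:32} contains={weak!s:5} endsWith={strict}")
```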

Skill ladder to get here

Level            | What you need
-----------------|----------------------------------------------------------------------------------------------
0 → Beginner     | Learn WAF/firewall logic: how rules are evaluated, string matching vs regex
1 → Intermediate | Read vendor documentation critically — test whether the examples actually work as described
2 → Practitioner | Understand hostname parsing edge cases; contains() vs startsWith() vs endsWith() vs regex
3 → Advanced     | Systematically audit documentation for patterns that produce insecure defaults when followed literally

Context: what the programs paid in aggregate

Google paid out $17.1 million across all its VRPs in 2025 — a 40% increase over 2024's $12 million. [7] The top individual Chrome researcher earned $811,000 in the same year. Full-chain Chrome sandbox escapes paid $250,000 per finding.
HackerOne's Live Hacking Events paid out $4.3 million across their 2025 event calendar. [8]
On the Web3 side, Immunefi has paid out over $100 million in total since its launch. The median confirmed payout per report sits around $2,000; the average is skewed by occasional six-figure critical findings to approximately $52,800. [9]
The variance between a $500 documentation bug and a $250,000 Chrome exploit is what makes the skill ladder concept concrete: the vuln class alone does not set your earnings — scope, platform, impact chain, and severity multipliers do. A well-documented, high-impact IDOR in a financial platform pays dramatically more than the same class in a low-scope VDP.
