- Hands-On Bug Hunting for Penetration Testers
- Joseph Marshall
- 199 words
- 2021-07-16 17:53:04
Google's program is expansive, with detailed payout structures and specific instructions for classifying different types of bugs. Most of the relevant information can be found on the rewards section of their Application Security page, but Google also curates a (small) set of pentesting tutorials, with specific attention paid to finding the types of bugs and submitting the kinds of reports about them that Google wants to receive.
The articles on Bughunter University and other Google resources have different levels of applicability – some of the material is just Google's preferences, requirements, and so on – but even the more idiosyncratic sections contain best practices and wisdom that can be applied to other programs and engagements. Other companies might not agree completely with Google's common types of non-qualifying reports, but there'll still be substantial overlap, making it a useful guide regardless of the vendor.
In addition to the materials on Bughunter University, Google is responsible for creating and maintaining a lot of great instructional applications. We'll be using one, Google Gruyere (https://google-gruyere.appspot.com/), as part of our chapter on XSS, and you can find other great resources from Google in the other tools section at the end of the book.