Hackberry Bug Bounty Program

Hackberry runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program, subject to the conditions and requirements of Hackberry set out below.

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene in the further process of vulnerability remediation and disclosure between Hackberry and researchers.

The bug bounty program allows private and public submissions.

Bug Bounty Scope

The following websites are within the scope of the program:

*.hackberry.xyz

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

When you are testing Hackberry and its assets, we trust you to not disclose any finding before we resolve the issue.

All reports must be in English.

Testing Requirements:

Stress testing and Denial of Service are prohibited and can get your IP blocked.

Possible Awards:


Get featured in our Hall of Fame.

Other Submissions Handling

The website owner wants to receive information about other vulnerabilities.

Notifications:

Mail your report to admin [at] hackberry [dot] xyz

Intrusive vulnerabilities must be encrypted with the provided public key before reporting.

PGP Key:


General Requirements:

Stress testing and Denial of Service are prohibited and can get your IP blocked.

Testing Requirements:

## Scope
We have the following assets in scope:

1. GitHub Organizations https://github.com/hackberry-xyz/ and https://github.com/bb-research/
2. *.hackberry.xyz

Some projects are in development in private repositories. We do not provide direct access to them but any leaks would be in scope.

## Out of Scope
The following are out of scope, except for information leaks in these assets:
1. Testing third-party services, i.e. GitHub, Zoho, Discord, Netlify, PyPI, Python, or any other third-party service (most of them run their own bug bounty program; we might accept misconfiguration or information leaks).
2. Third-party libraries (any library used in any project. You can report the vulnerability and we will try our best to get it fixed in the library itself. If the vulnerability in the third-party library gets fixed, we might provide our awards as well. But these libraries are still owned by someone else, and applying a policy to them is not in our hands.)
3. Non-security issues (non-security issues should be reported as a GitHub issue in the respective repository).
4. Dev/Develop or any other development branches (if you find any issue, including any security issue, report it on GitHub issues in the respective repository. Note that information leaks in these branches must be reported using this vulnerability reporting channel only.)

Possible Awards:

Get featured in our Hall of Fame.

Special Notes:

Before reporting, please consider:

1. Security risk and impact,
2. Ownership of asset.

We actively monitor our traffic for malicious activities and security of our users.

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

 
- Response Time: How quickly researchers get responses to their submissions.
- Remediation Time: How quickly reported submissions are fixed.
- Cooperation and Respect: How fairly and respectfully researchers are being treated.

Researcher's comments

No comments so far.
