Our Security Community helped fix 32987 vulnerabilities

Report Email Alerts Open Bug Bounty: 96505 coordinated disclosures
Full Disclosure: 32113 vulnerabilities
Total Vulnerabilities Fixed: 32988
107129 vulnerable websites, 12147 VIP websites
2459 security researchers, 3429 notification subscribers

History of the Project

Initially known as XSSPosed, standing for 'XSS exposed', the OpenBugBounty project was created by security enthusiasts and professionals in June 2014. It was a non-profit open archive where any security researcher could report a Cross-Site Scripting (XSS) vulnerability on any website, and get a proper credit for it.

As many private Bug Bounty programs regularly fail these days, and the situation will unlikely improve in the near future, we decided that we need to create an open, transparent and unbiased platform to connect security researchers wishing to help and website administrators. This is how we created the concept of Open Bug Bounty Coordinated Vulnerability Disclosure Program that is currently open to everybody worldwide.

We have no financial or commercial interest in the project. Moreover, we pay hosting expenses and continuous web development from our pocket, and spend our nights verifying new submissions.

Open Bug Bounty: Public and Private

Security researcher can chose how to report the vulnerabilities via the Open Bug Bounty:

  • Public submission
    Once verified by our team, we send notifications, without disclosing any technical details of the vulnerability, to:

    • Subscribers (learn more)
    • Generic security emails
    • Emails found on the website (if any)
    • Emails provided by the researcher (if any)

    A web page dedicated to the vulnerability will be created, however no technical details will be displayed on it. At this stage, website owner, administrator or security company in charge of the website security shall contact the researcher directly and proceed to coordinated disclosure. Once patched, the vulnerability page may be deleted by researcher.

  • Private submission
    After verification by our team, the vulnerability will be available on a secret hyperlink known only to the researcher. The vulnerability is not used in any statistics or lists on the website. This is done to report vulnerabilities on websites running official bug bounty program, but refusing to reward researcher for hilarious reasons, like being unable to reproduce the vulnerability, or saying that the submission is a duplicate. Our independent and unbiased verification gives a clear prof that the vulnerability existed at a precise timestamp.

We always recommend website owners to thank responsible security researchers in a manner proportional to their time and efforts. However, our role is strictly limited to independent vulnerability verification - we never act as intermediary between the researchers and website owners.

Coordinated Disclosure and Notifications

We encourage all our security researchers to use the Open Bug Bounty program to report security vulnerabilities on websites without putting the website and its users at risk. However, its only the researcher who decides if he, or she, will use a coordinated or Full Disclosure.

In any case, we send security notifications to website owners by all available communication channels (including emails and social networks) to make sure that they are aware of the vulnerability and can patch it quickly.

Website owners and administrators can also subscribe for free instant alerts and get customized notifications about any vulnerabilities detected on their websites.

To avoid spam, we allow reporting only one vulnerability per domain per 24 hours. Every recipient of notifications sent can definitely unsubscribe from any further notifications.

Non-Intrusive Testing

We accept only the Cross-Site Scripting (XSS) and CSRF vulnerabilities that are the most common today.

The process of testing for XSS and CSRF is harmless and cannot damage the website, database, server or related infrastructure. We do not accept vulnerabilities that can, or are intended to, harm a website.

Privacy & Security

To avoid storing any user-related data, we use external authentication via Twitter for everyone on the website. Connection to the website is HTTPS only.

Researchers' Privileges

Within the scope of the Open Bug Bounty, solely security researchers can delete the vulnerabilities until public disclosure. However, they have absolutely no obligation to do so, and are free to act, or not to act, at their sole discretion. We never remove any information about vulnerabilities from the website for political or business reasons.

However, if researcher's behavior borders with extortion (e.g. demanding cash to delete a submission) - such submissions will be deleted - we have tolerance zero for blackmailing.

All our web server logs go directly to /dev/null, so don't even ask for them - we simply don't have them.

Latest VIP Submissions

chartsinfrance.net
Reported by Blinils Twitter: @BIinils
Approved XSS vulnerabilities: 73
Approved XSS vulnerabilities on VIP websites: 11
on 21.01.2017
t411.lv
Reported by Blinils Twitter: @BIinils
Approved XSS vulnerabilities: 73
Approved XSS vulnerabilities on VIP websites: 11
on 21.01.2017
nhm.ac.uk
Reported by SonnySpooks Twitter: @SonnySpooks
Recommendations received: 1
Approved XSS vulnerabilities: 1169
Approved XSS vulnerabilities on VIP websites: 54
on 21.01.2017
adage.com
Reported by chris_t_green Approved XSS vulnerabilities: 12
Approved XSS vulnerabilities on VIP websites: 1
on 21.01.2017
mentalfloss.com
Reported by Oc3f Recommendations received: 3
Approved XSS vulnerabilities: 1200
Approved XSS vulnerabilities on VIP websites: 254
on 20.01.2017
hometalk.com
Reported by Oc3f Recommendations received: 3
Approved XSS vulnerabilities: 1200
Approved XSS vulnerabilities on VIP websites: 254
on 20.01.2017
zoon.ru
Reported by k0t Twitter: @s3r_epixin
Recommendations received: 4
Approved XSS vulnerabilities: 441
Approved XSS vulnerabilities on VIP websites: 203
on 20.01.2017
ring.com
Reported by k0t Twitter: @s3r_epixin
Recommendations received: 4
Approved XSS vulnerabilities: 441
Approved XSS vulnerabilities on VIP websites: 203
on 20.01.2017
kik.com
Reported by tyler Twitter: @mindtyler
Approved XSS vulnerabilities: 93
Approved XSS vulnerabilities on VIP websites: 20
on 20.01.2017
photobucket.com
Reported by tyler Twitter: @mindtyler
Approved XSS vulnerabilities: 93
Approved XSS vulnerabilities on VIP websites: 20
on 20.01.2017

Latest Submissions

sites.comunidades.net
Reported by TvM Recommendations received: 18
Approved XSS vulnerabilities: 1182
Approved XSS vulnerabilities on VIP websites: 359
on 21.01.2017
signup.zebra.com
Reported by TvM Recommendations received: 18
Approved XSS vulnerabilities: 1182
Approved XSS vulnerabilities on VIP websites: 359
on 21.01.2017
lenzerheide.com
Reported by whacky Twitter: @w_hacky
Recommendations received: 1
Approved XSS vulnerabilities: 416
Approved XSS vulnerabilities on VIP websites: 5
on 21.01.2017
ecouter-musique-gratuite.com
Reported by Blinils Twitter: @BIinils
Approved XSS vulnerabilities: 73
Approved XSS vulnerabilities on VIP websites: 11
on 21.01.2017
bide-et-musique.com
Reported by Blinils Twitter: @BIinils
Approved XSS vulnerabilities: 73
Approved XSS vulnerabilities on VIP websites: 11
on 21.01.2017
singapore.yalwa.sg
Reported by mahoosoft Twitter: @mahoosoft
Approved XSS vulnerabilities: 101
Approved XSS vulnerabilities on VIP websites: 2
on 21.01.2017
yalwa.co.za
Reported by mahoosoft Twitter: @mahoosoft
Approved XSS vulnerabilities: 101
Approved XSS vulnerabilities on VIP websites: 2
on 21.01.2017
yalwa.ae
Reported by mahoosoft Twitter: @mahoosoft
Approved XSS vulnerabilities: 101
Approved XSS vulnerabilities on VIP websites: 2
on 21.01.2017
yalwa.jp
Reported by mahoosoft Twitter: @mahoosoft
Approved XSS vulnerabilities: 101
Approved XSS vulnerabilities on VIP websites: 2
on 21.01.2017
yalwa.in
Reported by mahoosoft Twitter: @mahoosoft
Approved XSS vulnerabilities: 101
Approved XSS vulnerabilities on VIP websites: 2
on 21.01.2017