Our Security Community helped fix 37789 vulnerabilities

Report Email Alerts Open Bug Bounty: 111836 coordinated disclosures
Full Disclosure: 32415 vulnerabilities
Total Vulnerabilities Fixed: 37787
119703 vulnerable websites, 12891 VIP websites
2919 security researchers, 3934 notification subscribers

History of the Project

Initially known as XSSPosed, standing for 'XSS exposed', the OpenBugBounty project was created by security enthusiasts and professionals in June 2014. It was a non-profit open archive where any security researcher could report a Cross-Site Scripting (XSS) vulnerability on any website, and get a proper credit for it.

As many private Bug Bounty programs regularly fail these days, and the situation will unlikely improve in the near future, we decided that we need to create an open, transparent and unbiased platform to connect security researchers wishing to help and website administrators. This is how we created the concept of Open Bug Bounty Coordinated Vulnerability Disclosure Program that is currently open to everybody worldwide.

We have no financial or commercial interest in the project. Moreover, we pay hosting expenses and continuous web development from our pocket, and spend our nights verifying new submissions.

Open Bug Bounty: Public and Private

Security researcher can chose how to report the vulnerabilities via the Open Bug Bounty:

  • Public submission
    Once verified by our team, we send notifications, without disclosing any technical details of the vulnerability, to:

    • Subscribers (learn more)
    • Generic security emails
    • Emails found on the website (if any)
    • Emails provided by the researcher (if any)

    A web page dedicated to the vulnerability will be created, however no technical details will be displayed on it. At this stage, website owner, administrator or security company in charge of the website security shall contact the researcher directly and proceed to coordinated disclosure. Once patched, the vulnerability page may be deleted by researcher.

  • Private submission
    After verification by our team, the vulnerability will be available on a secret hyperlink known only to the researcher. The vulnerability is not used in any statistics or lists on the website. This is done to report vulnerabilities on websites running official bug bounty program, but refusing to reward researcher for hilarious reasons, like being unable to reproduce the vulnerability, or saying that the submission is a duplicate. Our independent and unbiased verification gives a clear prof that the vulnerability existed at a precise timestamp.

We always recommend website owners to thank responsible security researchers in a manner proportional to their time and efforts. However, our role is strictly limited to independent vulnerability verification - we never act as intermediary between the researchers and website owners.

Coordinated Disclosure and Notifications

We encourage all our security researchers to use the Open Bug Bounty program to report security vulnerabilities on websites without putting the website and its users at risk. However, its only the researcher who decides if he, or she, will use a coordinated or Full Disclosure.

In any case, we send security notifications to website owners by all available communication channels (including emails and social networks) to make sure that they are aware of the vulnerability and can patch it quickly.

Website owners and administrators can also subscribe for free instant alerts and get customized notifications about any vulnerabilities detected on their websites.

To avoid spam, we allow reporting only one vulnerability per domain per 24 hours. Every recipient of notifications sent can definitely unsubscribe from any further notifications.

Non-Intrusive Testing

We accept only the Cross-Site Scripting (XSS) and CSRF vulnerabilities that are the most common today.

The process of testing for XSS and CSRF is harmless and cannot damage the website, database, server or related infrastructure. We do not accept vulnerabilities that can, or are intended to, harm a website.

Privacy & Security

To avoid storing any user-related data, we use external authentication via Twitter for everyone on the website. Connection to the website is HTTPS only.

Researchers' Privileges

Within the scope of the Open Bug Bounty, solely security researchers can delete the vulnerabilities until public disclosure. However, they have absolutely no obligation to do so, and are free to act, or not to act, at their sole discretion. We never remove any information about vulnerabilities from the website for political or business reasons.

However, if researcher's behavior borders with extortion (e.g. demanding cash to delete a submission) - such submissions will be deleted - we have tolerance zero for blackmailing.

All our web server logs go directly to /dev/null, so don't even ask for them - we simply don't have them.

Latest VIP Submissions

blue-tomato.com
Reported by ThomySec Approved XSS vulnerabilities: 4
Approved XSS vulnerabilities on VIP websites: 3
on 24.04.2017
bape.com
Reported by Cosmoo Approved XSS vulnerabilities: 7
Approved XSS vulnerabilities on VIP websites: 1
on 24.04.2017
besteveralbums.com
Reported by rj01 Twitter: @RoyJansen_01
Recommendations received: 5
Approved XSS vulnerabilities: 1053
Approved XSS vulnerabilities on VIP websites: 157
on 24.04.2017
technodom.kz
Reported by Random_Robbie Twitter: @Random_Robbie
Recommendations received: 11
Approved XSS vulnerabilities: 2960
Approved XSS vulnerabilities on VIP websites: 262
on 24.04.2017
knust.edu.gh
Reported by TestimeOO7 Approved XSS vulnerabilities: 66
Approved XSS vulnerabilities on VIP websites: 21
on 24.04.2017
eku.edu
Reported by Alyssa_Herrera Twitter: @_Psycho_Mantis
Approved XSS vulnerabilities: 1532
Approved XSS vulnerabilities on VIP websites: 445
on 24.04.2017
futuremark.com
Reported by Alyssa_Herrera Twitter: @_Psycho_Mantis
Approved XSS vulnerabilities: 1532
Approved XSS vulnerabilities on VIP websites: 445
on 24.04.2017
yogajournal.com
Reported by OmniGooch Recommendations received: 3
Approved XSS vulnerabilities: 2822
Approved XSS vulnerabilities on VIP websites: 165
on 24.04.2017
thetimenow.com
Reported by Random_Robbie Twitter: @Random_Robbie
Recommendations received: 11
Approved XSS vulnerabilities: 2960
Approved XSS vulnerabilities on VIP websites: 262
on 23.04.2017
ultimate-guitar.com
Reported by Random_Robbie Twitter: @Random_Robbie
Recommendations received: 11
Approved XSS vulnerabilities: 2960
Approved XSS vulnerabilities on VIP websites: 262
on 23.04.2017

Latest Submissions

zeneszmagazin.hu
Reported by OmniGooch Recommendations received: 3
Approved XSS vulnerabilities: 2822
Approved XSS vulnerabilities on VIP websites: 165
on 25.04.2017
drummersparadise.com.au
Reported by OmniGooch Recommendations received: 3
Approved XSS vulnerabilities: 2822
Approved XSS vulnerabilities on VIP websites: 165
on 25.04.2017
sparitual.com
Reported by OmniGooch Recommendations received: 3
Approved XSS vulnerabilities: 2822
Approved XSS vulnerabilities on VIP websites: 165
on 25.04.2017
bjc.hu
Reported by OmniGooch Recommendations received: 3
Approved XSS vulnerabilities: 2822
Approved XSS vulnerabilities on VIP websites: 165
on 25.04.2017
servana.de
Reported by badmaxx Twitter: @_badmaxx_
Recommendations received: 1
Approved XSS vulnerabilities: 800
Approved XSS vulnerabilities on VIP websites: 35
on 24.04.2017
atlanticfirearms.com
Reported by jimcola99 Approved XSS vulnerabilities: 76
Approved XSS vulnerabilities on VIP websites: 15
on 24.04.2017
list-org.com
Reported by Disst Recommendations received: 2
Approved XSS vulnerabilities: 505
Approved XSS vulnerabilities on VIP websites: 54
on 24.04.2017
pakpips.com
Reported by xmenik Approved XSS vulnerabilities: 115
Approved XSS vulnerabilities on VIP websites: 8
on 24.04.2017
dailypakistan.pk
Reported by xmenik Approved XSS vulnerabilities: 115
Approved XSS vulnerabilities on VIP websites: 8
on 24.04.2017
thinkshoes.com
Reported by secuninja Recommendations received: 4
Approved XSS vulnerabilities: 493
Approved XSS vulnerabilities on VIP websites: 21
on 24.04.2017