Our Security Community helped fix 39137 vulnerabilities

Report Email Alerts Open Bug Bounty: 121499 coordinated disclosures
Full Disclosure: 32443 vulnerabilities
Total Vulnerabilities Fixed: 39136
126925 vulnerable websites, 13180 VIP websites
3071 security researchers, 4044 notification subscribers

History of the Project

Initially known as XSSPosed, standing for 'XSS exposed', the OpenBugBounty project was created by security enthusiasts and professionals in June 2014. It was a non-profit open archive where any security researcher could report a Cross-Site Scripting (XSS) vulnerability on any website, and get a proper credit for it.

As many private Bug Bounty programs regularly fail these days, and the situation will unlikely improve in the near future, we decided that we need to create an open, transparent and unbiased platform to connect security researchers wishing to help and website administrators. This is how we created the concept of Open Bug Bounty Coordinated Vulnerability Disclosure Program that is currently open to everybody worldwide.

We have no financial or commercial interest in the project. Moreover, we pay hosting expenses and continuous web development from our pocket, and spend our nights verifying new submissions.

Open Bug Bounty: Public and Private

Security researcher can chose how to report the vulnerabilities via the Open Bug Bounty:

  • Public submission
    Once verified by our team, we send notifications, without disclosing any technical details of the vulnerability, to:

    • Subscribers (learn more)
    • Generic security emails
    • Emails found on the website (if any)
    • Emails provided by the researcher (if any)

    A web page dedicated to the vulnerability will be created, however no technical details will be displayed on it. At this stage, website owner, administrator or security company in charge of the website security shall contact the researcher directly and proceed to coordinated disclosure. Once patched, the vulnerability page may be deleted by researcher.

  • Private submission
    After verification by our team, the vulnerability will be available on a secret hyperlink known only to the researcher. The vulnerability is not used in any statistics or lists on the website. This is done to report vulnerabilities on websites running official bug bounty program, but refusing to reward researcher for hilarious reasons, like being unable to reproduce the vulnerability, or saying that the submission is a duplicate. Our independent and unbiased verification gives a clear prof that the vulnerability existed at a precise timestamp.

We always recommend website owners to thank responsible security researchers in a manner proportional to their time and efforts. However, our role is strictly limited to independent vulnerability verification - we never act as intermediary between the researchers and website owners.

Coordinated Disclosure and Notifications

We encourage all our security researchers to use the Open Bug Bounty program to report security vulnerabilities on websites without putting the website and its users at risk. However, its only the researcher who decides if he, or she, will use a coordinated or Full Disclosure.

In any case, we send security notifications to website owners by all available communication channels (including emails and social networks) to make sure that they are aware of the vulnerability and can patch it quickly.

Website owners and administrators can also subscribe for free instant alerts and get customized notifications about any vulnerabilities detected on their websites.

To avoid spam, we allow reporting only one vulnerability per domain per 24 hours. Every recipient of notifications sent can definitely unsubscribe from any further notifications.

Non-Intrusive Testing

We accept only the Cross-Site Scripting (XSS) and CSRF vulnerabilities that are the most common today.

The process of testing for XSS and CSRF is harmless and cannot damage the website, database, server or related infrastructure. We do not accept vulnerabilities that can, or are intended to, harm a website.

Privacy & Security

To avoid storing any user-related data, we use external authentication via Twitter for everyone on the website. Connection to the website is HTTPS only.

Researchers' Privileges

Within the scope of the Open Bug Bounty, solely security researchers can delete the vulnerabilities until public disclosure. However, they have absolutely no obligation to do so, and are free to act, or not to act, at their sole discretion. We never remove any information about vulnerabilities from the website for political or business reasons.

However, if researcher's behavior borders with extortion (e.g. demanding cash to delete a submission) - such submissions will be deleted - we have tolerance zero for blackmailing.

All our web server logs go directly to /dev/null, so don't even ask for them - we simply don't have them.

Latest VIP Submissions

freeimages.com
Reported by Random_Robbie Twitter: @Random_Robbie
Recommendations received: 17
Approved XSS vulnerabilities: 4992
Approved XSS vulnerabilities on VIP websites: 529
on 29.05.2017
housebeautiful.com
Reported by amlnspqr Twitter: @amlnspqr
Recommendations received: 6
Approved XSS vulnerabilities: 1587
Approved XSS vulnerabilities on VIP websites: 268
on 29.05.2017
facebook.com
Reported by evaristegal0is Twitter: @evaristegal0is
Recommendations received: 3
Approved XSS vulnerabilities: 152
Approved XSS vulnerabilities on VIP websites: 34
on 29.05.2017
ctgoodjobs.hk
Reported by revydol Approved XSS vulnerabilities: 197
Approved XSS vulnerabilities on VIP websites: 16
on 29.05.2017
gazzetta.it
Reported by evaristegal0is Twitter: @evaristegal0is
Recommendations received: 3
Approved XSS vulnerabilities: 152
Approved XSS vulnerabilities on VIP websites: 34
on 29.05.2017
hanfi1.rssing.com
Reported by rj01 Twitter: @RoyJansen_01
Recommendations received: 7
Approved XSS vulnerabilities: 1298
Approved XSS vulnerabilities on VIP websites: 286
on 29.05.2017
baiduyunpan.com
Reported by OmniGooch Recommendations received: 3
Approved XSS vulnerabilities: 3254
Approved XSS vulnerabilities on VIP websites: 197
on 29.05.2017
zyxel.com
Reported by revydol Approved XSS vulnerabilities: 197
Approved XSS vulnerabilities on VIP websites: 16
on 29.05.2017
goodav17.com
Reported by OmniGooch Recommendations received: 3
Approved XSS vulnerabilities: 3254
Approved XSS vulnerabilities on VIP websites: 197
on 28.05.2017
espnfc.com
Reported by OmniGooch Recommendations received: 3
Approved XSS vulnerabilities: 3254
Approved XSS vulnerabilities on VIP websites: 197
on 28.05.2017

Latest Submissions

libweb1.lib.buffalo.edu
Reported by Random_Robbie Twitter: @Random_Robbie
Recommendations received: 17
Approved XSS vulnerabilities: 4992
Approved XSS vulnerabilities on VIP websites: 529
on 29.05.2017
amphibiaweb.org
Reported by Random_Robbie Twitter: @Random_Robbie
Recommendations received: 17
Approved XSS vulnerabilities: 4992
Approved XSS vulnerabilities on VIP websites: 529
on 29.05.2017
images.mrskincash.com
Reported by Spam404 Twitter: @Spam404Online
Recommendations received: 62
Approved XSS vulnerabilities: 22631
Approved XSS vulnerabilities on VIP websites: 1567
on 29.05.2017
signups.digitalprocessor.com
Reported by Spam404 Twitter: @Spam404Online
Recommendations received: 62
Approved XSS vulnerabilities: 22631
Approved XSS vulnerabilities on VIP websites: 1567
on 29.05.2017
secure.nakednews.com
Reported by Spam404 Twitter: @Spam404Online
Recommendations received: 62
Approved XSS vulnerabilities: 22631
Approved XSS vulnerabilities on VIP websites: 1567
on 29.05.2017
cams.mrman.com
Reported by Spam404 Twitter: @Spam404Online
Recommendations received: 62
Approved XSS vulnerabilities: 22631
Approved XSS vulnerabilities on VIP websites: 1567
on 29.05.2017
elbedecken.de
Reported by secuninja Recommendations received: 7
Approved XSS vulnerabilities: 1231
Approved XSS vulnerabilities on VIP websites: 44
on 29.05.2017
tanzforumberlin.de
Reported by secuninja Recommendations received: 7
Approved XSS vulnerabilities: 1231
Approved XSS vulnerabilities on VIP websites: 44
on 29.05.2017
zitty.de
Reported by secuninja Recommendations received: 7
Approved XSS vulnerabilities: 1231
Approved XSS vulnerabilities on VIP websites: 44
on 29.05.2017
bat-yam.muni.il
Reported by login_denied Twitter: @login_denied
Approved XSS vulnerabilities: 161
Approved XSS vulnerabilities on VIP websites: 4
on 29.05.2017