Our Security Community helped fix 34436 vulnerabilities

Report Email Alerts Open Bug Bounty: 101956 coordinated disclosures
Full Disclosure: 32202 vulnerabilities
Total Vulnerabilities Fixed: 34435
111710 vulnerable websites, 12374 VIP websites
2618 security researchers, 3699 notification subscribers

History of the Project

Initially known as XSSPosed, standing for 'XSS exposed', the OpenBugBounty project was created by security enthusiasts and professionals in June 2014. It was a non-profit open archive where any security researcher could report a Cross-Site Scripting (XSS) vulnerability on any website, and get a proper credit for it.

As many private Bug Bounty programs regularly fail these days, and the situation will unlikely improve in the near future, we decided that we need to create an open, transparent and unbiased platform to connect security researchers wishing to help and website administrators. This is how we created the concept of Open Bug Bounty Coordinated Vulnerability Disclosure Program that is currently open to everybody worldwide.

We have no financial or commercial interest in the project. Moreover, we pay hosting expenses and continuous web development from our pocket, and spend our nights verifying new submissions.

Open Bug Bounty: Public and Private

Security researcher can chose how to report the vulnerabilities via the Open Bug Bounty:

  • Public submission
    Once verified by our team, we send notifications, without disclosing any technical details of the vulnerability, to:

    • Subscribers (learn more)
    • Generic security emails
    • Emails found on the website (if any)
    • Emails provided by the researcher (if any)

    A web page dedicated to the vulnerability will be created, however no technical details will be displayed on it. At this stage, website owner, administrator or security company in charge of the website security shall contact the researcher directly and proceed to coordinated disclosure. Once patched, the vulnerability page may be deleted by researcher.

  • Private submission
    After verification by our team, the vulnerability will be available on a secret hyperlink known only to the researcher. The vulnerability is not used in any statistics or lists on the website. This is done to report vulnerabilities on websites running official bug bounty program, but refusing to reward researcher for hilarious reasons, like being unable to reproduce the vulnerability, or saying that the submission is a duplicate. Our independent and unbiased verification gives a clear prof that the vulnerability existed at a precise timestamp.

We always recommend website owners to thank responsible security researchers in a manner proportional to their time and efforts. However, our role is strictly limited to independent vulnerability verification - we never act as intermediary between the researchers and website owners.

Coordinated Disclosure and Notifications

We encourage all our security researchers to use the Open Bug Bounty program to report security vulnerabilities on websites without putting the website and its users at risk. However, its only the researcher who decides if he, or she, will use a coordinated or Full Disclosure.

In any case, we send security notifications to website owners by all available communication channels (including emails and social networks) to make sure that they are aware of the vulnerability and can patch it quickly.

Website owners and administrators can also subscribe for free instant alerts and get customized notifications about any vulnerabilities detected on their websites.

To avoid spam, we allow reporting only one vulnerability per domain per 24 hours. Every recipient of notifications sent can definitely unsubscribe from any further notifications.

Non-Intrusive Testing

We accept only the Cross-Site Scripting (XSS) and CSRF vulnerabilities that are the most common today.

The process of testing for XSS and CSRF is harmless and cannot damage the website, database, server or related infrastructure. We do not accept vulnerabilities that can, or are intended to, harm a website.

Privacy & Security

To avoid storing any user-related data, we use external authentication via Twitter for everyone on the website. Connection to the website is HTTPS only.

Researchers' Privileges

Within the scope of the Open Bug Bounty, solely security researchers can delete the vulnerabilities until public disclosure. However, they have absolutely no obligation to do so, and are free to act, or not to act, at their sole discretion. We never remove any information about vulnerabilities from the website for political or business reasons.

However, if researcher's behavior borders with extortion (e.g. demanding cash to delete a submission) - such submissions will be deleted - we have tolerance zero for blackmailing.

All our web server logs go directly to /dev/null, so don't even ask for them - we simply don't have them.

Latest VIP Submissions

stylebop.com
Reported by tbm Twitter: @tbmnull
Recommendations received: 2
Approved XSS vulnerabilities: 2647
Approved XSS vulnerabilities on VIP websites: 1229
on 20.02.2017
hornywhores.net
Reported by OmniGooch Recommendations received: 2
Approved XSS vulnerabilities: 2295
Approved XSS vulnerabilities on VIP websites: 126
on 19.02.2017
alinea.fr
Reported by Implosion Recommendations received: 17
Approved XSS vulnerabilities: 1274
Approved XSS vulnerabilities on VIP websites: 49
on 19.02.2017
opensecrets.org
Reported by LewisWildgoose Recommendations received: 1
Approved XSS vulnerabilities: 47
Approved XSS vulnerabilities on VIP websites: 6
on 19.02.2017
omgvoice.com
Reported by sp4sm1337 Recommendations received: 1
Approved XSS vulnerabilities: 54
Approved XSS vulnerabilities on VIP websites: 9
on 19.02.2017
canon-europe.com
Reported by DrStache Twitter: @DrStache_
Recommendations received: 22
Approved XSS vulnerabilities: 3851
Approved XSS vulnerabilities on VIP websites: 136
on 19.02.2017
canon.ru
Reported by DrStache Twitter: @DrStache_
Recommendations received: 22
Approved XSS vulnerabilities: 3851
Approved XSS vulnerabilities on VIP websites: 136
on 19.02.2017
canon.es
Reported by DrStache Twitter: @DrStache_
Recommendations received: 22
Approved XSS vulnerabilities: 3851
Approved XSS vulnerabilities on VIP websites: 136
on 19.02.2017
canon.it
Reported by DrStache Twitter: @DrStache_
Recommendations received: 22
Approved XSS vulnerabilities: 3851
Approved XSS vulnerabilities on VIP websites: 136
on 19.02.2017
canon.de
Reported by DrStache Twitter: @DrStache_
Recommendations received: 22
Approved XSS vulnerabilities: 3851
Approved XSS vulnerabilities on VIP websites: 136
on 19.02.2017

Latest Submissions

brag.co.uk
Reported by matty Approved XSS vulnerabilities: 25
Approved XSS vulnerabilities on VIP websites: 1
on 20.02.2017
archku.ac.bd
Reported by matty Approved XSS vulnerabilities: 25
Approved XSS vulnerabilities on VIP websites: 1
on 20.02.2017
actioncompany.com
Reported by matty Approved XSS vulnerabilities: 25
Approved XSS vulnerabilities on VIP websites: 1
on 20.02.2017
stats.nola.com
Reported by TvM Recommendations received: 19
Approved XSS vulnerabilities: 1332
Approved XSS vulnerabilities on VIP websites: 396
on 20.02.2017
lepkom.gunadarma.ac.id
Reported by NoGe Twitter: @p4c3n0g3
Recommendations received: 5
Approved XSS vulnerabilities: 686
Approved XSS vulnerabilities on VIP websites: 38
on 20.02.2017
igup.urfu.ru
Reported by NoGe Twitter: @p4c3n0g3
Recommendations received: 5
Approved XSS vulnerabilities: 686
Approved XSS vulnerabilities on VIP websites: 38
on 20.02.2017
es.t-mobile.com
Reported by Spam404 Twitter: @Spam404Online
Recommendations received: 61
Approved XSS vulnerabilities: 21956
Approved XSS vulnerabilities on VIP websites: 1547
on 20.02.2017
espanol.vonage.com
Reported by Spam404 Twitter: @Spam404Online
Recommendations received: 61
Approved XSS vulnerabilities: 21956
Approved XSS vulnerabilities on VIP websites: 1547
on 20.02.2017
francais.vonage.ca
Reported by Spam404 Twitter: @Spam404Online
Recommendations received: 61
Approved XSS vulnerabilities: 21956
Approved XSS vulnerabilities on VIP websites: 1547
on 20.02.2017
espanol.bcbstx.com
Reported by Spam404 Twitter: @Spam404Online
Recommendations received: 61
Approved XSS vulnerabilities: 21956
Approved XSS vulnerabilities on VIP websites: 1547
on 20.02.2017