History of the Project
Initially known as XSSPosed, standing for 'XSS exposed', the OpenBugBounty project was created by security enthusiasts and professionals in June 2014. It was a non-profit open archive where any security researcher could report a Cross-Site Scripting (XSS) vulnerability on any website, and get a proper credit for it.
As many private Bug Bounty programs regularly fail these days, and the situation will unlikely improve in the near future, we decided that we need to create an open, transparent and unbiased platform to connect security researchers wishing to help and website administrators. This is how we created the concept of Open Bug Bounty Coordinated Vulnerability Disclosure Program that is currently open to everybody worldwide.
We have no financial or commercial interest in the project. Moreover, we pay hosting expenses and continuous web development from our pocket, and spend our nights verifying new submissions.
Open Bug Bounty: Public and Private
Security researcher can chose how to report the vulnerabilities via the Open Bug Bounty:
Once verified by our team, we send notifications, without disclosing any technical details of the vulnerability, to:
- Subscribers (learn more)
- Generic security emails
- Emails found on the website (if any)
- Emails provided by the researcher (if any)
A web page dedicated to the vulnerability will be created, however no technical details will be displayed on it. At this stage, website owner, administrator or security company in charge of the website security shall contact the researcher directly and proceed to coordinated disclosure. Once patched, the vulnerability page may be deleted by researcher.
After verification by our team, the vulnerability will be available on a secret hyperlink known only to the researcher. The vulnerability is not used in any statistics or lists on the website. This is done to report vulnerabilities on websites running official bug bounty program, but refusing to reward researcher for hilarious reasons, like being unable to reproduce the vulnerability, or saying that the submission is a duplicate. Our independent and unbiased verification gives a clear prof that the vulnerability existed at a precise timestamp.
We always recommend website owners to thank responsible security researchers in a manner proportional to their time and efforts. However, our role is strictly limited to independent vulnerability verification - we never act as intermediary between the researchers and website owners.
Coordinated Disclosure and Notifications
We encourage all our security researchers to use the Open Bug Bounty program to report security vulnerabilities on websites without putting the website and its users at risk. However, its only the researcher who decides if he, or she, will use a coordinated or Full Disclosure.
In any case, we send security notifications to website owners by all available communication channels (including emails and social networks) to make sure that they are aware of the vulnerability and can patch it quickly.
Website owners and administrators can also subscribe for free instant alerts and get customized notifications about any vulnerabilities detected on their websites.
To avoid spam, we allow reporting only one vulnerability per domain per 24 hours. Every recipient of notifications sent can definitely unsubscribe from any further notifications.
The process of testing for XSS and CSRF is harmless and cannot damage the website, database, server or related infrastructure. We do not accept vulnerabilities that can, or are intended to, harm a website.
Privacy & Security
To avoid storing any user-related data, we use external authentication via Twitter for everyone on the website. Connection to the website is HTTPS only.
Within the scope of the Open Bug Bounty, solely security researchers can delete the vulnerabilities until public disclosure. However, they have absolutely no obligation to do so, and are free to act, or not to act, at their sole discretion. We never remove any information about vulnerabilities from the website for political or business reasons.
However, if researcher's behavior borders with extortion (e.g. demanding cash to delete a submission) - such submissions will be deleted - we have tolerance zero for blackmailing.
All our web server logs go directly to /dev/null, so don't even ask for them - we simply don't have them.