Infosec Institute

Open Bug Bounty mentioned in the
Top 6 Bug Bounty programs of
2022 by the InfoSec Institute

The Hacker News

Open Bug Bounty named among the
Top 5 Bug Bounty programs of 2021
by The Hacker News

Platform update: please use our new authentication mechanism to securely use the Open Bug Bounty Platform.
For security researchers
Report a Vulnerability
Submit, help fixing, get kudos.
For website owners
Start a Bug Bounty
Run your bounty program for free.
1,722,291 coordinated disclosures
1,393,415 fixed vulnerabilities
2,014 bug bounty programs, 3,932 websites
48,643 researchers, 1,658 honor badges

AppDirect Bug Bounty Program

AppDirect runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program subject to the below-mentioned conditions and requirements of AppDirect

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene to the further process of vulnerability remediation and disclosure between AppDirect and researchers.

Bug bounty program allow private and public submissions.

Bug Bounty Scope

The following websites are within the scope of the program:

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect

- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

Testing is only authorized on the targets explicitly listed as In-Scope. Any domain/property of Appdirect not listed in the targets section is out of scope. This includes any/all subdomains not listed. Anything not explicitly defined In-Scope is by default Out-of-Scope. If you believe you've identified a vulnerability on a system outside the scope, please reach out to us before submitting it
When creating an account: Use your hacker email alias when testing ([email protected]) for sign up and all testing
When testing:
Please add the following header to your request: X-Bugbounty-Research: <YOUR-USERNAME>. Providing this information helps us differentiate your activity against traffic generated by possible malicious actors and may help avoid blocking your IP address!
Do not use vulnerability scanners! For custom tooling an acceptable request rate is no more than 3 requests per second
Failure to abide to these could jeopardize us providing bounty's and causes unnecessary friction we hope to avoid. These are also copied in our Program Rules for completeness.

Testing Requirements:

Use your hacker email alias when testing for sign up and all testing
Add the following header to your request: X-Bugbounty-Research: <YOUR-USERNAME>
You will configure any automated tools you may be using to a speed of no more than 3 requests per second
Do not use multiple IP addresses when testing
Do not disclose a vulnerability publicly without express written consent from Appdirect. Permission is still required after the fix is confirmed to be in place. Failure to comply with this could lead to disciplinary actions including disqualification of a bounty payment and removal from the program
Only interact with accounts you own or with the explicit permission of the account holder
Do not perform security testing on websites that are out of scope for this test and not operated by Appdirect
Once you’ve established that a vulnerability exists or you encounter any sensitive data (including personally identifiable information, financial information, or proprietary/confidential information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced)
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty
Social engineering (e.g. phishing, vishing, smishing) is prohibited
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service
Valid submissions that fail to demonstrate a security risk are not eligible for a reward. Appdirect is ultimately responsible for determining the severity of all submissions
Do not perform brute-force style attacks or any attack that could potentially cause a denial-of service to any of Appdirect applications or infrastructure
We may change the terms of this program at any time. Participating in this program after the changes become effective means you agree to be bound by the new terms. If you do not agree to the new terms, you must not participate in the program

Possible Awards:

- recommendation for hacker's profile
- kudos
- hall of fame

Special Notes:


Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

Response Time  Information How quickly researchers get responses to their submissions.
Remediation Time  Information How quickly reported submissions are fixed.
Cooperation and Respect  Information How fairly and respectfully researchers are being treated.

Researcher's comments

No comments so far.

  Latest Patched


  Latest Blog Posts

04.12.2023 by BAx99x
Unmasking the Power of Cross-Site Scripting (XSS): Types, Exploitation, Detection, and Tools
04.12.2023 by a13h1_
$1120: ATO Bug in Twitter’s
04.12.2023 by ClumsyLulz
How I found a Zero Day in W3 Schools
04.12.2023 by 24bkdoor
Hack the Web like a Pirate: Identifying Vulnerabilities with Style
04.12.2023 by 24bkdoor
Navigating the Bounty Seas with Open Bug Bounty

  Recent Recommendations

    4 June, 2024
Researcher reported public Docker local env file, no security breach but this file should not be publicly available, thanks SYPltd.
    4 June, 2024
Researcher reported public local env Docker file, no security breach but file should not be publicly available, thank you SYPltd.
    29 May, 2024
It was the first time for us that we received a report about openbugbounty. The researcher reported a demo dockerfile on our website. No security breach but it's not "professionnal" to see this kind of file on a website.
Thank you SYPltd
    28 May, 2024
Thank you very much for your support and uncovering the vulnerabilities.
    28 May, 2024
Thank you very much for your support and uncovering the vulnerabilities.