Open Bug Bounty selected among the
Top 5 Bug Bounty programs to watch
by The Hacker News

All Open Bug Bounty emails are sent only from domain being digitally signed. All others are fake. Learn more.
For security researchers
Report a Vulnerability
Submit, help fixing, get kudos.
For website owners
Start a Bug Bounty
Run your bounty program for free.
1,301,499 coordinated disclosures
931,134 fixed vulnerabilities
1,624 bug bounty programs, 3,229 websites
29,192 researchers, 1,451 honor badges

Bitexen Bug Bounty Program

Bitexen runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program subject to the below-mentioned conditions and requirements of Bitexen

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene to the further process of vulnerability remediation and disclosure between Bitexen and researchers.

Bug bounty program allow private and public submissions.

Bug Bounty Scope

The following websites are within the scope of the program:

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect

- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

- The first report for the same vulnerability is accepted.
- Reports for vulnerabilities already known by Bitexen are not accepted.
- Do not share the vulnerabilities found on other platforms without - Bitexen's permission. Reports that are found to be shared will lose their reward.
- Reports sent for vulnerabilities specified as out of scope are not accepted.
- Care should be taken not to damage the systems and the confidentiality of personal data.
- Other user data should not be accessed or changed, and all tests should be performed with the accounts under your control. You can forward vulnerabilities that may authorize access to user data without verifying or only by verifying them on your own accounts.
- Social engineering methods (phishing, vishing, smishing, etc.) and physical attacks (computer theft, SIM card copying, etc.) should not be used. DoS attacks should not be attempted.
- Reports can be submitted in Turkish or English.
All details about the vulnerability must be shared and a PoC must be given. You can access the sample report formats at report-templates page.
In cases where chain security vulnerabilities are detected by using more than one security vulnerabilities, separate reporting can be made.

Testing Requirements:

You can help us by following the methods below so that we do not confuse the traffic generated during your tests with the attacker traffic.

- You can use custom HTTP headers. (Example: X-BTXN-VDP: )
- You can specify your IP address in the report.

Be sure to only use accounts that you control during the testing process. If you have found a vulnerability to run commands on systems, just use the id andhostname commands. Do not use automated tools. If you have found a potentially damaging vulnerability, contact us to obtain additional testing permissions before verifying.

Allowed/not allowed actions for remote code execution vulnerabilities:

Harmless command attempts on input fields on the web frontend (such as whoami```, hostname, ``ifconfig)
File uploads that run a harmless command as hard-coded
Commands id andhostname for proof of exploited vulnerability
Not Allowed
File uploads (webshell etc.) that can lead to free command execution
File deletion, editing, changing permissions
Actions that may affect normal operations (reboot etc.)
Commands and file accesses executed other than those required for proof of vulnerability
The following information should also be provided when reporting remote code execution vulnerabilities:

Source IP address, destination IP address and port information
Requests and responses to the server
Files and directories that were accessed intentionally or unintentionally during the test.
We will be happy if you would use our report draft :)

Possible Awards:

Reward Criteria
Bitexen employees and their first degree relatives cannot win rewards.
You must be at least 14 years old to be eligible for the reward.
Detected vulnerabilities should not be shared publicly.
There should be no legal obstacles to the giving of the reward.

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

Response Time  Information How quickly researchers get responses to their submissions.
Remediation Time  Information How quickly reported submissions are fixed.
Cooperation and Respect  Information How fairly and respectfully researchers are being treated.

Researcher's comments

No comments so far.

  Latest Patched


  Latest Blog Posts

08.07.2022 by 4websecurity
CVE 2022-29455 is still affecting millions of Wordpress sites
08.07.2022 by kh4sh3i_
Zabbix - SAML SSO Authentication Bypass
08.07.2022 by FR13ND0x7F
The Time Machine — Weaponizing WaybackUrls for Recon, BugBounties , OSINT, Sensitive Endpoints and what not
15.02.2022 by sepkatpro
Ultimate XSS Polyglot
11.11.2021 by mistry4592
The Most used Chrome Extensions are Used For Penetration Testing.

  Recent Recommendations

@CERT_rlp     15 August, 2022
    Twitter CERT_rlp:
The team of CERT-rlp would like to thank ShiratoriYoshi for a responsible and coordinated disclosure of vulnerabilities
@luiztools     5 August, 2022
    Twitter luiztools:
Confirmo que Jonathan Fonseca (bypikeno) encontrou uma vulnerabilidade XSS em meu site, a qual está sendo providenciada a correção neste momento. Agradeço pelo aviso e disposição em ajudar.
@ThomasDBending     31 July, 2022
    Twitter ThomasDBending:
Thank you for finding an XSS vulnerability in my website.
@ThomasDBending     31 July, 2022
    Twitter ThomasDBending:
Thank you for finding an XSS vulnerability in my website.
@MrMoney84315336     26 July, 2022
    Twitter MrMoney84315336:
Thank you to @Legacy_Defender for reporting and providing prompt and courteous details on our website, leading to a quick and pain free resolution. Keep up the good work.