Open Bug Bounty selected among the
Top 5 Bug Bounty programs to watch
in 2021 by The Hacker News

For security researchers
Report a Vulnerability
Submit, help fixing, get kudos.
For website owners
Start a Bug Bounty
Run your bounty program for free.
1,026,737 coordinated disclosures
637,627 fixed vulnerabilities
1,370 bug bounty programs, 2,758 websites
23,967 researchers, 1,324 honor badges Bug Bounty Program runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program subject to the below-mentioned conditions and requirements of

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene to the further process of vulnerability remediation and disclosure between and researchers.

Bug bounty program allow private submissions only.

Bug Bounty Scope

The following websites are within the scope of the program:

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect

- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

In Scope Vulnerabilities:
-Remote Code Execution (RCE)
-SQL Injection
-Local-Remote File Inclusion (LFI/RFI)
-XML External Entity (XXE)
-Broken Authentication
-Sensitive Data Exposure
-Cross-Site Scripting (XSS)
-Security Misconfiguration (real example)
-Server Side Request Forgery (SSRF)
-Сross Site Request Forgery (CSRF)
-Insecure Direct Object References (IDOR)

Out-of-scope vulnerabilities:
-Any XSS that can be done only within 1 account
-Any CSRF except for those that can be used in the chain, or except for those that have a real example, the operation of which affects critical resources (individual assessment of criticality for each report)
-Simplified registration and authorization, without confirmation of captcha
-Any public information about employees and customers
-Vulnerabilities in third-party applications
-Lack of best security practices and protection mechanisms without evidence of vulnerability
-Recently (less than 30 days) disclosed 0day vulnerabilities
-Vulnerabilities affecting users of outdated browsers or platforms
-Social engineering, phishing, physical, or other fraud activities
-Most brute-forcing issues
-Weak password policies
-Denial of service
-Theoretical issues
-Missing HTTP security headers
-Infrastructure vulnerabilities, including:
--Certificates/TLS/SSL related issues
--DNS issues (i.e. MX records, SPF records, etc.)
--Server configuration issues (i.e., open ports, TLS, etc.)
-Open redirects
-User account enumeration
-Clickjacking/Tapjacking and issues only exploitable through clickjacking/tap jacking
-Self-XSS that cannot be used to exploit other users
-Logout CSRF
-CSRF in forms that are available to anonymous users (e.g. the contact form)
-OPTIONS/TRACE HTTP method enabled
-Host header issues without proof-of-concept demonstrating the vulnerability
-Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
-Content Spoofing without embedded links/HTML
-Reflected File Download (RFD)

Testing Requirements:

Strictly prohibited:
- Using web application scanners for automatic vulnerability searching which generates massive traffic
-Any effort to damage or restrict the availability of products, services or infrastructure
-Compromising any personal data, interruption or degradation of any service
-Access or modify other user data, localize all tests to your accounts
-Perform testing only outside the scope
-Attack corporate infrastructure
-Exploit of any DoS/DDoS vulnerabilities, social engineering attacks or spam
-Spamming of forms or account creation flows using automated scanners
-Only the first valid bug is eligible for the reward

Possible Awards:

We do offer bounty payments that are subject to the following:
- It is not already known/reported
- There is demonstrable risk to a user or the company (i.e. no self XSS)

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

Response Time  Information How quickly researchers get responses to their submissions.
Remediation Time  Information How quickly reported submissions are fixed.
Cooperation and Respect  Information How fairly and respectfully researchers are being treated.

Researcher's comments

No comments so far.

  Latest Patched


  Latest Blog Posts

14.07.2021 by Open Bug Bounty
Interview With Open Bug Bounty
25.05.2021 by 0xrocky
Google XSS Game
25.05.2021 by ShivanshMalik12
Testing for XSS (Cross Site Scripting)
25.05.2021 by darklotuskdb
Easy XSS On Mostly Educational Websites Via Moodle
25.04.2021 by ParanjpeSanmarg
Testing Subdomain Takeover Vulnerability

  Recent Recommendations

@pentestinghub     23 July, 2021
    Twitter pentestinghub:
Thank you chenzhen for making us aware of a vulnerability that was previously unknown to us.

It was a pleasure working with him, Thank you!

Thanks & Regards
Tuhin Bose
Chief Information Security Officer
@Synthesys3     15 July, 2021
    Twitter Synthesys3:
Thanks Tw0F0rty for making me aware of a vulnerability involving an apparently innocuous log report on my website :)
@MPDL     15 July, 2021
    Twitter MPDL:
Thank you for your detailed report. With your support we were able to fix the vulnerabilities.
@MPDL     13 July, 2021
    Twitter MPDL:
Thanks a lot 0xrocky for identifying the vulnerabilities and alert us. Great security researcher to work with. Keep up the good work!
@SchmitzNicolas2     13 July, 2021
    Twitter SchmitzNicolas2:
Thx for your help in securing this website.