611,838 coordinated disclosures
393,151 fixed vulnerabilities
928 bug bounties with 1,860 websites
18,807 researchers, 1199 honor badges





Start Bug Bounty Program in 5 Easy Steps. It's Free!


Bug Bounty Program

Open Bug Bounty allows any verified website owner to run a bug bounty for their websites at no cost. The purpose of this non-profit activity is to make relations between website owners and security researchers sustainable and mutually beneficial in the long term.

Starting a bug bounty is free and open to everyone. Once logged in via Twitter, you can create your bug bounty program in a few minutes and get unlimited access to our security researchers. Once a vulnerability is reported, you will get an instant notification so that you can coordinate disclosure and remediation with the researcher.

Open Bug Bounty triages and verifies the submissions. However, we never intervene in the subsequent process of your communication with the researchers, vulnerability remediation and disclosure. Once a vulnerability is verified and reported to you, our role in the coordinated disclosure process is over.

For website owners, we provide a vulnerability data export option for the following SDLC, DevOps and bug tracking systems:

- Bugzilla
- Splunk
- JIRA
- Mantis

General

Please carefully fill in the form below to launch your bug bounty:

This will be the name under which your bug bounty will be displayed. Please use a meaningful and relevant name to better guide the researchers.

Please read about the types of vulnerability submissions and select the best one for you:

- Researchers will be able to submit both private and public submissions.
- Researchers will be able to submit private submissions only.

We will send notifications for domains from your scope to these email addresses. We do not share these email addresses with anybody.

Bug Bounty Scope

You will need to confirm your website ownership by placing a special security.txt file on it:

Non-Intrusive Submissions Handling

This section covers the submission of vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

Please specify your Vulnerability Disclosure Program requirements. They will be displayed to security researchers:

- Please specify technical or any other reasonable requirements for submissions (e.g. exclusion of self-XSS).
- Please specify any special requirements for testing methodologies (e.g. restrictions on the use of vulnerability scanners).
- Please specify which rewards you may provide to the researchers who follow the above-mentioned requirements (e.g. a recommendation in the researcher's profile, a mention in a Hall of Fame or something more valuable proportional to the researcher's efforts).
- Anything else you would like to bring to the attention of the researcher community.

Other Submissions Handling

Open Bug Bounty does not accept security vulnerabilities that may require some sort of intrusive testing to be detected (e.g. SQL injection). Therefore, we do not accept, verify or store them on our platform. Nevertheless, as a website owner, you can specify how and where to report them if you wish them to be reported.

- Please specify where and how (e.g. email) these vulnerabilities may be sent.
- You can provide your public PGP key here to encrypt the notifications sent via the method you specify above.
- Please specify technical or any other reasonable requirements for submissions (e.g. exclusion of self-XSS).
- Please specify any special requirements for testing methodologies (e.g. restrictions on the use of vulnerability scanners).
- Please specify which rewards you may provide to the researchers who follow the above-mentioned requirements (e.g. a recommendation in the researcher's profile, a mention in a Hall of Fame or something more valuable proportional to the researcher's efforts).
- Anything else you would like to bring to the attention of the researcher community.

Need Any Help?

Need any help or have any questions about the bug bounty? The community forum is here to help!
