Start Bug Bounty Program in 5 Easy Steps. It's Free!

Why Start a Bug Bounty Program?

Starting your bug bounty program at Open Bug Bounty is free and brings you the following benefits:

  • Get instant notifications about new vulnerabilities on your website
  • Keep your bug bounty program and all new submissions private if you prefer
  • Customize testing and submission requirements for the researchers
  • Award those security researchers who follow your guidelines
  • Prevent data breaches and secure your website users

Bug Bounty Program

Open Bug Bounty allows any verified website owner to run a bug bounty for their websites at no cost. The purpose of this non-profit activity is to make relations between website owners and security researchers sustainable and mutually beneficial in the long term.

Starting a bug bounty is free and open to everyone. Once logged in via Twitter, you can create your bug bounty program in a few minutes and get unlimited access to our security researchers. Once a vulnerability is reported, you will get an instant notification so that you can coordinate disclosure and remediation with the researcher.

Open Bug Bounty triages and verifies the submissions. However, we never intervene in your further communication with the researchers, or in vulnerability remediation and disclosure. Once a vulnerability is verified and reported to you, our role in the coordinated disclosure process is over.

For website owners, we provide a vulnerability data export option for the following SDLC, DevOps and bug tracking systems:

  • Bugzilla
  • Splunk
  • JIRA
  • Mantis

General

Please carefully fill in the form below to launch your bug bounty:

This will be the name under which your bug bounty is displayed. Please use a meaningful and relevant name to better guide the researchers.

Please read about the types of vulnerability submissions and select the best one for you:

  • Researchers will be able to submit both private and public submissions.
  • Researchers will be able to submit private submissions only.

We will send notifications for domains from your scope to these email addresses. We do not share these email addresses with anybody.

Bug Bounty Scope

You will need to confirm your website ownership by placing a special security.txt file on it:

Non-Intrusive Submissions Handling

This section covers submissions of vulnerabilities that do not require intrusive testing, as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

Please specify your Vulnerability Disclosure Program requirements. They will be displayed to security researchers:

  • Please specify technical or any other reasonable requirements for submissions (e.g. exclusion of self-XSS).
  • Please specify any special requirements for testing methodologies (e.g. restrictions on the use of vulnerability scanners).
  • Please specify which rewards you may provide to the researchers who follow the above-mentioned requirements (e.g. recommendation in researcher's profile, mention in a Hall of Fame or something more valuable proportional to the researcher's efforts).
  • Anything else you would like to bring to the attention of the researcher community.

Other Submissions Handling

Open Bug Bounty does not accept security vulnerabilities that may require some sort of intrusive testing to be detected (e.g. SQL injection). Therefore, we do not accept, verify or store them on our platform. Nevertheless, as a website owner, you can specify how and where to report them if you wish them to be reported.



  • Please specify where and how (e.g. email) these vulnerabilities may be sent.
  • You can provide your public PGP key here to encrypt the notifications sent via the method you specify above.
  • Please specify technical or any other reasonable requirements for submissions (e.g. exclusion of self-XSS).
  • Please specify any special requirements for testing methodologies (e.g. restrictions on the use of vulnerability scanners).
  • Please specify which rewards you may provide to the researchers who follow the above-mentioned requirements (e.g. recommendation in researcher's profile, mention in a Hall of Fame or something more valuable proportional to the researcher's efforts).
  • Anything else you would like to bring to the attention of the researcher community.

Need Any Help?

Need any help or have any questions about the bug bounty? Get in touch or use the community forum, which is here to help!
