Open Bug Bounty selected among the
Top 5 Bug Bounty programs to watch
in 2021 by The Hacker News

For security researchers
Report a Vulnerability
Submit, help fixing, get kudos.
For website owners
Start a Bug Bounty
Run your bounty program for free.
832,050 coordinated disclosures
466,889 fixed vulnerabilities
1277 bug bounties with 2,435 websites
21,710 researchers, 1280 honor badges Bug Bounty Program runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program subject to the below-mentioned conditions and requirements of

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene to the further process of vulnerability remediation and disclosure between and researchers.

Bug bounty program allow private submissions only.

Bug Bounty Scope

The following websites are within the scope of the program:


Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect

- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

We appreciate all reports that can help strengthen and optimize our systems. Our policies:

* If the report is a duplicate, we will deal with the person who submitted the report first.
* We prioritize and reward reports based on our grading of severity and reach.
* Automated reports such as ones which require specific user action to trigger, DMARC headers, ratelimiting registration/recovery policies we appreciate, but will not qualify for a reward.

Testing Requirements:

We work with whitehat researchers only. Our policies:

* If you wish to run any automated scanning or tools, please request our approval prior to doing so.
* If you believe you have found a bug, please test it and provide evidence using your test-accounts only (contact us if you need test accounts).
* Steps to reproduce/demonstration should be shared privately with our team only, so we have an opportunity to fix.

Possible Awards:

We provide up to $100 paid via Paypal only (or digital games/giftcards) per non-intrusive bug disclosed. Our policies:

* Bugs we are aware of will only be rewarded to the person who submitted the report first.
* Similar bugs which can be triggered in multiple different ways/places will only be considered one bug.

The award amount will be based on how we grade the bug. Low severity or low reach will likely not qualify for a reward. For example:

* Severity means the type of data exposure, or risk to our system integrity.
* Reach means the size of the bug. Does it impact no users, individual users or all users.

For example a bug which impacts only individual users who perform an unlikely set of actions will likely be low-reach and low-severity and receive no reward. A bug which impacts individual users without them doing any action might be graded low-reach and medium-severity and receive up to $30 reward. A bug which impacts all users automatically might be graded high-reach and high-severity and receive up to a $100 reward.

Other Submissions Handling

Website owner want to receive information about other vulnerabilities


Please submit all bugs privately to our team (via email) along with any evidence or steps to reproduce. You can expect a response within 48 hours for any legitimate reports.

Please ensure you follow the requirements outlined such as getting our approval prior to testing, and only using test-accounts you have created.

Our email is: host [at]

General Requirements:

Same general requirements as-above apply.

Testing Requirements:

Same testing requirements as-above apply.

Possible Awards:

Same awards as-above apply, but with a max reward of $300.

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

Response Time  Information How quickly researchers get responses to their submissions.
Remediation Time  Information How quickly reported submissions are fixed.
Cooperation and Respect  Information How fairly and respectfully researchers are being treated.

Researcher's comments

No comments so far.

  Latest Patched


  Latest Blog Posts

10.02.2021 by Renzi25031469
Sysadminotaur nº88
10.02.2021 by Open Bug Bounty
Higher Submissions Quality Standard
25.12.2020 by _Y000_
How to bypass mod_security (WAF)
10.12.2020 by _Y000_
sql injection to bypass Mod_Security
10.12.2020 by _Y000_
Create encoded sql payloads

  Recent Recommendations

@_mrjd0g_     4 March, 2021
    Twitter _mrjd0g_:
Thank you for the report and responding so quickly to our request for more information, it helped us track the issue down and fix it. Appreciate the work you do.
@_lhordd     3 March, 2021
    Twitter _lhordd:
Thanks for helping me with the flaws in my site. The best work i’ve ever seen.
@_Kkommi     3 March, 2021
    Twitter _Kkommi:
Thanks for reporting xss in my site.
@_Kkommi     3 March, 2021
    Twitter _Kkommi:
@CERT_rlp     1 March, 2021
    Twitter CERT_rlp:
The team of CERT-rlp would like to thank Cyber_India for a responsible and coordinated disclosure of vulnerabilities.