Open Bug Bounty selected among the
Top 5 Bug Bounty programs to watch
in 2021 by The Hacker News

For security researchers
Report a Vulnerability
Submit, help fixing, get kudos.
For website owners
Start a Bug Bounty
Run your bounty program for free.
1,114,038 coordinated disclosures
707,266 fixed vulnerabilities
1,461 bug bounty programs, 2,921 websites
25,725 researchers, 1,379 honor badges

QRD Bug Bounty Program

QRD runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program subject to the below-mentioned conditions and requirements of QRD

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene to the further process of vulnerability remediation and disclosure between QRD and researchers.

Bug bounty program allow private and public submissions.

Bug Bounty Scope

The following websites are within the scope of the program:


Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect

- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

We will strictly follow the rules and scopes of the openbugbounty project.

1/ Vulnerabilities accepted

Accepted, in-scope vulnerabilities include, but are not limited to:

- Cross Site Scripting (XSS) - CAUTION: we accept only XSS attacks that can steal a session or alter a victim's account. We do not accept XSS findings that just cause open redirects.
- Injection vulnerabilities
- Broken Authentication and Session Management
- Remote Code Execution
- Insecure Direct Object Reference
- Sensitive Data Exposure
- Security Misconfiguration
- Missing Function Level Access Control
- Using Components with Known Vulnerabilities
- Directory/Path transversal
- Exposed credentials
- Out of scope vulnerabilities

2/ Out-of-scope

Certain vulnerabilities are considered out-of-scope for the Responsible Disclosure Program. Those out-of-scope vulnerabilities include, but are not limited to:

- Cross Site Scripting (XSS) that just cause open redirects.
- Social Engineering attacks
- Account enumeration using brute-force attacks
- Weak password policies and password complexity requirements
- Missing http security headers which do not lead to a vulnerability
- Reports from automated tools or scans
- Presence of autocomplete attribute on web forms
- Missing cookie flags on non-sensitive cookies
- Reports of SSL/TLS issues, best practices or insecure ciphers
- Test versions of applications
- Mail configuration issues including SPF, DKIM, DMARC settings
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or bruteforce issues on non-authentication endpoints
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies
- Vulnerabilities only affecting users of outdated or unpatched browsers
- Software version disclosure / Banner identification issues
- Tabnabbing
- Open redirects
- Issues that require unlikely user interaction
- Solutions affected by known CVEs published less than 30 days ago

Testing Requirements:

Any assistance on reproducing the issue in our end will be appreciated.

Possible Awards:

We will do our best to be honest, fair and proportional here. Only critical vulnerabilities that have been resolved might receive an award and it is a solely decission by QRD.

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

Response Time  Information How quickly researchers get responses to their submissions.
Remediation Time  Information How quickly reported submissions are fixed.
Cooperation and Respect  Information How fairly and respectfully researchers are being treated.

Researcher's comments

No comments so far.

  Latest Patched


  Latest Blog Posts

11.11.2021 by mistry4592
The Most used Chrome Extensions are Used For Penetration Testing.
08.10.2021 by NNeuchi
How I Found My First Bug Reflected Xss On PIA.GOV.PH(Philippine Information Agency)
26.08.2021 by PyaePhyoThu98
eG Manager v7.1.2: Improper Access Control lead to Remote Code Execution (CVE-2020-8591)
14.07.2021 by Open Bug Bounty
Interview With Open Bug Bounty
25.05.2021 by 0xrocky
Google XSS Game

  Recent Recommendations

@chrisbeach     27 November, 2021
    Twitter chrisbeach:
Thanks very much for reporting a bug in my website
@HR4YOU_AG     23 November, 2021
    Twitter HR4YOU_AG:
Thanks H_chabik for reporting an issue with our website!
@skyynet_de     19 November, 2021
    Twitter skyynet_de:
Thanks for informing me about a general PHP malfunction which could be used to scam people on my website.
@sandovs     19 November, 2021
    Twitter sandovs:
Cyber_World helped us by pointing out some log files that shouldn't be public! Thank you for the responsible disclosure and cordiality during the whole process!
@bjdean     17 November, 2021
    Twitter bjdean:
Very helpful and responsive to questions. Thanks for the report.