Infosec Institute

Open Bug Bounty mentioned in the
Top 6 Bug Bounty programs of
2022 by the InfoSec Institute

The Hacker News

Open Bug Bounty named among the
Top 5 Bug Bounty programs of 2021
by The Hacker News

Platform update: please use our new authentication mechanism to securely use the Open Bug Bounty Platform.
For security researchers
Report a Vulnerability
Submit, help fixing, get kudos.
For website owners
Start a Bug Bounty
Run your bounty program for free.
1,647,947 coordinated disclosures
1,296,509 fixed vulnerabilities
1,895 bug bounty programs, 3,774 websites
42,012 researchers, 1,626 honor badges

MASG Bug Bounty Program

MASG runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program subject to the below-mentioned conditions and requirements of MASG

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene to the further process of vulnerability remediation and disclosure between MASG and researchers.

Bug bounty program allow private submissions only.

Bug Bounty Scope

The following websites are within the scope of the program:

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect

- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

Proof of Concept (PoC): Submissions must include a clear and replicable Proof of Concept. This can be in the form of a detailed textual explanation or a script that demonstrates the vulnerability without causing harm.

Screenshots: Please provide screenshots that document the vulnerability. These should capture the steps taken to identify the issue and highlight the potential impact.

Remediation Options: Alongside the vulnerability report, propose potential remediation measures or mitigations. We appreciate detailed suggestions tailored to our WordPress-hosted environment.

Server and Application-Level Testing: Ensure that your testing covers both server-side and application-level issues, taking into account the nuances of our WordPress infrastructure. This includes, but is not limited to, plugin vulnerabilities, theme weaknesses, and core WordPress security checks.

Confidentiality: Any information about discovered vulnerabilities must remain confidential between the reporter and our organization until we have resolved the issue.

Testing Requirements:

No Social Engineering: Do not employ any form of social engineering against our employees, customers, or infrastructure.

Non-Destructive Testing: Your testing must be non-intrusive and non-destructive. Please refrain from uploading shells, writing to the database, or altering content.

Throttled Scanning: Automated scanning tools must be configured to a low intensity to prevent any disruption to our services.

No Disruption of Service: Do not perform actions that could lead to denial-of-service conditions, degradation of user experience, or any form of service disruption.

Possible Awards:

For vulnerabilities that meet our program guidelines, we offer financial rewards ranging from $50 to $100. The exact amount will be determined based on the severity and impact of the vulnerability identified. We are also open to arranging an ongoing engagement with security researchers to perform routine testing of our digital assets.

Special Notes:

Our platform is hosted on WordPress, which comes with its specific set of common vulnerabilities that we are particularly interested in addressing. We expect researchers to have a nuanced approach to testing WordPress installations, including themes, plugins, and core functionality. Researchers should prioritize identifying vulnerabilities that could lead to unauthorized data access, privilege escalation, or server compromise. Your findings will contribute significantly to our continuous effort to secure our digital presence and protect our users.

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

Response Time  Information How quickly researchers get responses to their submissions.
Remediation Time  Information How quickly reported submissions are fixed.
Cooperation and Respect  Information How fairly and respectfully researchers are being treated.

Researcher's comments

No comments so far.

  Latest Patched


  Latest Blog Posts

04.12.2023 by BAx99x
Unmasking the Power of Cross-Site Scripting (XSS): Types, Exploitation, Detection, and Tools
04.12.2023 by a13h1_
$1120: ATO Bug in Twitter’s
04.12.2023 by ClumsyLulz
How I found a Zero Day in W3 Schools
04.12.2023 by 24bkdoor
Hack the Web like a Pirate: Identifying Vulnerabilities with Style
04.12.2023 by 24bkdoor
Navigating the Bounty Seas with Open Bug Bounty

  Recent Recommendations

    23 November, 2023
Grace à Hatim_cf on a pu corrigé une faille mineure de sécurité.
    22 November, 2023
On behalf of our users on one of the pages hosted at, I'd like to thank Niko for his effort in finding and responsibly reporting an XSS vuln in one of our user's sites. The XSS was quickly patched after Niko's detailed report making the web a safer place again. Thanks!
    22 November, 2023
Ronald identified an XSS vulnerability on our site which could be fixed fast. Thanks for the provided information!
    4 November, 2023
Thank you for fixing the XSS vulnerability
    13 October, 2023
I am highly recommending Sajid for web assessments and penetrating testing. Sajid was highly professional and detailed in t heir approach towards finding vulnerabilities.