Infosec Institute

Open Bug Bounty mentioned in the
Top 6 Bug Bounty programs of
2022 by the InfoSec Institute

The Hacker News

Open Bug Bounty named among the
Top 5 Bug Bounty programs of 2021
by The Hacker News

Platform update: please use our new authentication mechanism to securely use the Open Bug Bounty Platform.
For security researchers
Report a Vulnerability
Submit, help fixing, get kudos.
For website owners
Start a Bug Bounty
Run your bounty program for free.
1,722,214 coordinated disclosures
1,391,894 fixed vulnerabilities
2,014 bug bounty programs, 3,932 websites
48,641 researchers, 1,657 honor badges

FAQ for Researchers

What kind of vulnerabilities can I report?

Currently, there are two different types of vulnerability reports that you can submit to the Open Bug Bounty project:

1. Vulnerabilities for a hosted bug bounty program in compliance with its specific guidelines available on the bug bounty page. Please note that some dangerous types of vulnerabilities (e.g. SQL injections or RCEs) must be sent directly to the bug bounty owner’s email available on the bug bounty page.

2. XSS and some other types of web application vulnerabilities for any websites if the vulnerabilities were detected by non-intrusive means as prescribed by our guidelines.

How long does it take to verify a reported vulnerability?

We do our best to verify vulnerabilities as soon as possible, depending on the volume and other factors. However, being a non-profit project, we have limited resources and cannot provide instant verification. Usually, verification of XSS and some other uncomplicated vulnerabilities take up to 5 days. More sophisticated vulnerabilities, such as Improper Access Control, may take up to 10 days. We appreciate your patience.

How do I get remunerated for reported vulnerabilities?

First, please note that, as a non-profit project, Open Bug Bounty does not pay any bounties and does not charge website owners anything for hosting their bug bounty programs and triage.

Second, for any hosted bug bounty program, the program owner shall pay security researcher directly for valid vulnerability reports made in compliance with the bug bounty guidelines available on its page. Not all bug bounty owners offer monetary payments as a remuneration, some may offer gifts or other signs of appreciation, please read bug bounty guidelines carefully.

Third, for all other vulnerability reports made in compliance with our by non-intrusive testing guidelines for website having no hosted bug bounty program, the website owners have absolutely no obligation to pay you. This is a volunteering work to make Internet a safer place, to help security researchers improving their application security testing skills, and to enhance researchers’ CVs with recommendations and proven experience. To maximize the value you deliver to website owners by reporting vulnerabilities and thereby to maximize your chances to get an award, consider the following:

Do not report vulnerabilities on small, dysfunctional or abandoned websites that visibly do not care about their security.

Do offer your help in amicable and friendly manner to actually help fixing the vulnerability in polite and respectful manner.

Do not talk about remuneration before the vulnerability is actually fixed. After, you may politely ask whether the website owner wishes to give you a recommendation on your researcher’s profile or express any other form of appreciation of your efforts. The less pushy and more collaborative you are, the higher your chances are to get a better reward. If you are looking for certainty of remuneration, then focus on hosted bug bounty programs.

What if a hosted bug bounty owner does not pay me?

If after submitting a valid vulnerability report in compliance with a hosted bug bounty program guidelines, its owner refuses to pay you in accordance with the guidelines, please send us all the details for review. Do not send confidential or personal information. If the bug bounty owner refuses to pay you in bad faith and in violation of its own remuneration guidelines, its bug bounty program may be permanently suspended.

What can I do if my vulnerability report is rejected?

Please attentively review our vulnerability submission guidelines. As per our statistics, 99.9% of rejected vulnerabilities either belong to a class of vulnerabilities that we do not accept (e.g. SQL injections or misconfigured HTTP headers) or cannot be easily reproduced. Being a non-profit project, we cannot spend our hours reading multi-page reports and trying to reproduce the vulnerability. If you are certain and confident that the submitted vulnerability is in full compliance with the guidelines, please contact us, we usually try to reply within one week.

Where can I get help if I have other questions?

First, please carefully read about the Open Bug Bounty Project and then search our forum: most questions have been already answered there. If your question is general and does not contain any confidential or personal information, please always use our forum to ask it, so other users can also answer or get answers to their future questions. If after carefully reviewing the forum you still cannot get the answer, please contact us, we usually try to reply within one week.

FAQ for Website Owners

Important: if you own a hosted bug bounty program, please refer to the FAQ for Bug Bounty Owners below.

What can I do after receiving a report about vulnerability affecting my website?

Please reach out to the researcher and ask for the vulnerability details so you can patch it. Importantly, make sure that the vulnerability notification was sent from email address: all other domains have no affiliation with the Open Bug Bounty project, you can ignore any emails coming from them.

What can I do if I cannot contact a researcher who reported a vulnerability?

All researchers are required to have a their email available on their profile. If the after several attempts to contact the researcher, you hear nothing, please contact us and we will try to resolve the situation as soon as possible.

Am I required to pay anything to a researcher who reported a vulnerability?

You are not required to pay anything, however, if the researcher helped fixing the vulnerability, you can always write a short recommendation to his or her profile to demonstrate your appreciation of the time and efforts. If the researcher’s report and subsequent help were valuable for your organization, you may also consider making a token gift, such as t-shirt, Amazon gift card or a small payment via PayPal.

Can researchers demand a payment in exchange for vulnerability details?

No, researchers must not demand anything in exchange for vulnerability details, this a direct violation of our guidelines on ethics and may lead to permanent suspension of the researcher’s account. Please always contact us to report any violations of the guidelines, and we will try to resolve the situation as soon as possible.

FAQ for Bug Bounty Owners

What kind of hosted bug bounty programs do you offer?

We offer managed bug bounty programs for individual website owners, companies and organizations. We also do vulnerability triage for XSS and some other types of vulnerabilities, so you will get only verified and valid findings. For dangerous types of vulnerabilities (e.g. SQL injections or RCEs) you are required to provide your own contact details, so researchers can send you their reports directly. For confidentiality reasons, we do not store or process such reports.

How much does it cost to host a bug bounty program?

The Open Bug Bounty is a non-profit project aimed at making Internet a safer place. Therefore, all bug bounty programs and related triage activities (please see above) are provided at no cost. We never charge any fees.

What are the requirements to setup a bug bounty program?

Please login to the Platform and then create your bug bounty program by carefully filling out all the fields (please see below).

How can I get more vulnerability reports of better quality?

To motivate skilled security researchers to submit high-quality vulnerabilities that you are interested in, consider adding the following to your bug bounty description:

As detailed and specific information as possible about the permitted scope of testing and accepted types of vulnerabilities.

Clear and precise information on the remuneration for all types of findings that you wish to remunerate.

Reliable contact information so researchers can reach out to you in case of any questions.

What is the suggested remuneration for vulnerabilities?

While some of the hosted bug bounties merely offer small gifts, such as Amazon gift cards, the best way to attract talented researchers to your bug bounty program is to offer monetary payment for valid vulnerabilities. While Google may offer up to $7,500 for an XSS vulnerability, you are certainly not required to pay the same amount. For example, an average payment for a valid XSS may be between $30 and $150. The most important thing to consider is, however, how you treat the researcher: respectful and prompt reply with a modest remuneration is oftentimes preferred to a long and impolite communication followed with a bigger payment.

  Latest Patched


  Latest Blog Posts

04.12.2023 by BAx99x
Unmasking the Power of Cross-Site Scripting (XSS): Types, Exploitation, Detection, and Tools
04.12.2023 by a13h1_
$1120: ATO Bug in Twitter’s
04.12.2023 by ClumsyLulz
How I found a Zero Day in W3 Schools
04.12.2023 by 24bkdoor
Hack the Web like a Pirate: Identifying Vulnerabilities with Style
04.12.2023 by 24bkdoor
Navigating the Bounty Seas with Open Bug Bounty

  Recent Recommendations

    4 June, 2024
Researcher reported public Docker local env file, no security breach but this file should not be publicly available, thanks SYPltd.
    4 June, 2024
Researcher reported public local env Docker file, no security breach but file should not be publicly available, thank you SYPltd.
    29 May, 2024
It was the first time for us that we received a report about openbugbounty. The researcher reported a demo dockerfile on our website. No security breach but it's not "professionnal" to see this kind of file on a website.
Thank you SYPltd
    28 May, 2024
Thank you very much for your support and uncovering the vulnerabilities.
    28 May, 2024
Thank you very much for your support and uncovering the vulnerabilities.