All Open Bug Bounty emails are sent only from the openbugbounty.org domain and are digitally signed. All others are fake.

FAQ for Researchers

What kind of vulnerabilities can I report?

Currently, there are two different types of vulnerability reports that you can submit to the Open Bug Bounty project:

1. Vulnerabilities for a hosted bug bounty program in compliance with its specific guidelines available on the bug bounty page. Please note that some dangerous types of vulnerabilities (e.g. SQL injections or RCEs) must be sent directly to the bug bounty owner’s email available on the bug bounty page.

2. XSS and some other types of web application vulnerabilities for any websites if the vulnerabilities were detected by non-intrusive means as prescribed by our guidelines.

How long does it take to verify a reported vulnerability?

We do our best to verify vulnerabilities as soon as possible, depending on the volume and other factors. However, being a non-profit project, we have limited resources and cannot provide instant verification. Usually, verification of XSS and other uncomplicated vulnerabilities takes up to 5 days. More sophisticated vulnerabilities, such as Improper Access Control, may take up to 10 days. We appreciate your patience.

How do I get remunerated for reported vulnerabilities?

First, please note that, as a non-profit project, Open Bug Bounty does not pay any bounties and does not charge website owners anything for hosting their bug bounty programs and triage.

Second, for any hosted bug bounty program, the program owner shall pay the security researcher directly for valid vulnerability reports made in compliance with the bug bounty guidelines available on its page. Not all bug bounty owners offer monetary payments as remuneration; some may offer gifts or other signs of appreciation, so please read the bug bounty guidelines carefully.

Third, for all other vulnerability reports made in compliance with our non-intrusive testing guidelines for websites that have no hosted bug bounty program, the website owners have absolutely no obligation to pay you. This is volunteer work to make the Internet a safer place, to help security researchers improve their application security testing skills, and to enhance researchers’ CVs with recommendations and proven experience. To maximize the value you deliver to website owners by reporting vulnerabilities, and thereby to maximize your chances of getting an award, consider the following:

Do not report vulnerabilities on small, dysfunctional or abandoned websites that visibly do not care about their security.

Do offer your help in an amicable and friendly manner, and actually help fix the vulnerability in a polite and respectful way.

Do not talk about remuneration before the vulnerability is actually fixed. Afterwards, you may politely ask whether the website owner wishes to give you a recommendation on your researcher’s profile or express any other form of appreciation of your efforts. The less pushy and more collaborative you are, the higher your chances are of getting a better reward. If you are looking for certainty of remuneration, then focus on hosted bug bounty programs.

What if a hosted bug bounty owner does not pay me?

If, after submitting a valid vulnerability report in compliance with a hosted bug bounty program’s guidelines, its owner refuses to pay you in accordance with the guidelines, please send us all the details for review. Do not send confidential or personal information. If the bug bounty owner refuses to pay you in bad faith and in violation of its own remuneration guidelines, its bug bounty program may be permanently suspended.

What can I do if my vulnerability report is rejected?

Please attentively review our vulnerability submission guidelines. As per our statistics, 99.9% of rejected vulnerabilities either belong to a class of vulnerabilities that we do not accept (e.g. SQL injections or misconfigured HTTP headers) or cannot be easily reproduced. Being a non-profit project, we cannot spend our hours reading multi-page reports and trying to reproduce the vulnerability. If you are certain and confident that the submitted vulnerability is in full compliance with the guidelines, please contact us; we usually try to reply within one week.

Where can I get help if I have other questions?

First, please carefully read about the Open Bug Bounty Project and then search our forum: most questions have already been answered there. If your question is general and does not contain any confidential or personal information, please always use our forum to ask it, so other users can also answer it or find answers to their future questions. If after carefully reviewing the forum you still cannot get the answer, please contact us; we usually try to reply within one week.

FAQ for Website Owners

Important: if you own a hosted bug bounty program, please refer to the FAQ for Bug Bounty Owners below.

What can I do after receiving a report about vulnerability affecting my website?

Please reach out to the researcher and ask for the vulnerability details so you can patch it. Importantly, make sure that the vulnerability notification was sent from an @openbugbounty.org email address: all other domains have no affiliation with the Open Bug Bounty project, and you can ignore any emails coming from them.
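A concrete way to apply this advice on incoming mail, added here as an example that is not Open Bug Bounty's own code: it requires the From address to be exactly on openbugbounty.org and trusts only the Authentication-Results header stamped by your own receiving mail server, since the From header alone is trivially forged. The authserv-id `mx.example.com`, DKIM as the signing mechanism, and both sample messages are assumptions constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "openbugbounty.org"
# Hypothetical authserv-id of *your* receiving mail server. Only Authentication-Results
# headers it wrote can be trusted, because a sender can add its own (RFC 8601).
OUR_AUTHSERV_ID = "mx.example.com"

# Constructed sample messages (not real Open Bug Bounty mail), as they would look
# after the receiving server has added its Authentication-Results header.
SAMPLE_GENUINE = b"""\
From: Open Bug Bounty <notify@openbugbounty.org>
To: webmaster@example.com
Subject: Vulnerability report
Authentication-Results: mx.example.com; dkim=pass header.d=openbugbounty.org; spf=pass

A researcher has reported a vulnerability affecting your website.
"""

SAMPLE_LOOKALIKE = b"""\
From: Open Bug Bounty <notify@openbugbounty.org.example.net>
To: webmaster@example.com
Subject: Vulnerability report
Authentication-Results: mx.example.com; dkim=none; spf=fail

Send the details to us now.
"""

def sender_domain(msg):
    """Domain part of the From address, lower-cased (empty string if unparsable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def dkim_passed_for(msg, domain):
    """True only if our own server recorded dkim=pass with header.d exactly equal to domain."""
    for ar in msg.get_all("Authentication-Results", []):
        if not ar.strip().startswith(OUR_AUTHSERV_ID + ";"):
            continue  # written by someone other than our MTA: ignore it
        m = re.search(r"dkim=pass\b[^;]*\bheader\.d=([A-Za-z0-9.-]+)", ar, re.I)
        if m and m.group(1).lower() == domain:
            return True
    return False

def is_genuine_notification(raw_bytes):
    """Genuine only if From is on the trusted domain AND its DKIM signature verified."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return sender_domain(msg) == TRUSTED_DOMAIN and dkim_passed_for(msg, TRUSTED_DOMAIN)
```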

What can I do if I cannot contact a researcher who reported a vulnerability?

All researchers are required to have a Twitter account and their email available on their profile. If, after several attempts to contact the researcher, you hear nothing, please contact us and we will try to resolve the situation as soon as possible.

Am I required to pay anything to a researcher who reported a vulnerability?

You are not required to pay anything; however, if the researcher helped fix the vulnerability, you can always write a short recommendation on his or her profile to demonstrate your appreciation of the time and effort. If the researcher’s report and subsequent help were valuable for your organization, you may also consider making a token gift, such as a T-shirt, an Amazon gift card or a small payment via PayPal.

Can researchers demand a payment in exchange for vulnerability details?

No, researchers must not demand anything in exchange for vulnerability details; this is a direct violation of our guidelines on ethics and may lead to permanent suspension of the researcher’s account. Please always contact us to report any violations of the guidelines, and we will try to resolve the situation as soon as possible.

FAQ for Bug Bounty Owners

What kind of hosted bug bounty programs do you offer?

We offer managed bug bounty programs for individual website owners, companies and organizations. We also do vulnerability triage for XSS and some other types of vulnerabilities, so you will get only verified and valid findings. For dangerous types of vulnerabilities (e.g. SQL injections or RCEs) you are required to provide your own contact details, so researchers can send you their reports directly. For confidentiality reasons, we do not store or process such reports.

How much does it cost to host a bug bounty program?

The Open Bug Bounty is a non-profit project aimed at making the Internet a safer place. Therefore, all bug bounty programs and related triage activities (please see above) are provided at no cost. We never charge any fees.

What are the requirements to set up a bug bounty program?

Please login to the Platform with your Twitter account and then create your bug bounty program by carefully filling out all the fields (please see below).

How can I get more vulnerability reports of better quality?

To motivate skilled security researchers to submit high-quality vulnerabilities that you are interested in, consider adding the following to your bug bounty description:

As detailed and specific information as possible about the permitted scope of testing and accepted types of vulnerabilities.

Clear and precise information on the remuneration for all types of findings that you wish to remunerate.

Reliable contact information so researchers can reach out to you in case of any questions.

What is the suggested remuneration for vulnerabilities?

While some of the hosted bug bounties merely offer small gifts, such as Amazon gift cards, the best way to attract talented researchers to your bug bounty program is to offer monetary payment for valid vulnerabilities. While Google may offer up to $7,500 for an XSS vulnerability, you are certainly not required to pay the same amount. For example, an average payment for a valid XSS may be between $30 and $150. The most important thing to consider, however, is how you treat the researcher: a respectful and prompt reply with a modest remuneration is oftentimes preferred to a long and impolite communication followed by a bigger payment.
