Our Security Community helped fix 122,440 vulnerabilities

229,678 coordinated disclosures
122,439 fixed vulnerabilities
185,478 websites, 16,786 VIP websites
6,198 researchers, 6,915 subscribers

Project History

Started by a group of independent security researchers in June 2014, Open Bug Bounty is a non-profit platform designed to connect security researchers and website owners in a transparent, respectful and mutually valuable manner. Our purpose is to make the Web a safer place for everyone’s benefit.

We have no financial or commercial interest in the project. Moreover, we pay hosting expenses and web development costs out of our own pocket, and spend our nights verifying new submissions.

Coordinated and Responsible Disclosure, ISO 29147

Open Bug Bounty’s coordinated vulnerability disclosure platform allows any security researcher to report a vulnerability on any website, as long as the vulnerability was discovered without any intrusive testing techniques and is submitted following responsible disclosure guidelines.

The role of Open Bug Bounty is limited to independent verification of the submitted vulnerabilities and proper notification of website owners by all available means. Once notified, the website owner and the researcher are in direct contact to remediate the vulnerability and coordinate its disclosure. At this and at any later stages, we never act as an intermediary between website owners and security researchers.

The Open Bug Bounty platform follows the guidelines of the ISO 29147 standard (“Information technology -- Security techniques -- Vulnerability disclosure”) on ethical and coordinated disclosure. As per the standard, Open Bug Bounty pursues the following goals of vulnerability disclosure:

  • ensuring that identified vulnerabilities are addressed;

  • minimizing the risk from vulnerabilities;

  • providing website owners with sufficient information to evaluate the risks vulnerabilities pose to their systems;

  • setting expectations to promote positive communication and coordination among the involved parties.

As a global vulnerability disclosure coordinator, Open Bug Bounty also serves the following non-profit roles suggested by ISO 29147 for the vulnerability disclosure process:

  • act as a trusted liaison between the involved parties (researchers and website owners);

  • coordinate responsible disclosure;

  • enable communication between the involved parties;

  • provide a forum where experts from different organizations can collaborate.

The risk level of submitted vulnerabilities is scored using the Common Vulnerability Scoring System (CVSS).

Submitted vulnerabilities are classified using the Common Weakness Enumeration (CWE).

Safe and Non-Intrusive Testing

We only accept Cross-Site Scripting, CSRF and some other vulnerabilities that figure among the most common web application vulnerabilities today.

The proper process of testing for these vulnerabilities is harmless and cannot damage a website, database, server or related infrastructure. We do not accept vulnerabilities that can, or are intended to, harm a website, its data or related infrastructure.

Open Bug Bounty prohibits reporting of vulnerabilities that were detected by vulnerability scanners and other automated tools that may impact website performance or cause any other negative impact.

Submission and Verification Process

Once a vulnerability is reported and confirmed, we immediately send a security alert to the website owner following ISO 29147 guidelines, as well as to specific security contacts provided by the researcher. We strongly encourage security researchers to ensure reliable notification of the website owner for every submission.

Security researchers can publicly disclose technical details of the vulnerabilities they report if they wish to do so. However, in order to give website owners appropriate time to remediate the vulnerability without putting any undue pressure on them, technical details can be disclosed only 90 days after the original submission, or after 30 days if the vulnerability has been patched.

Proactive website owners and administrators can subscribe to free instant alerts and get customized notifications about any vulnerabilities detected on their websites. To avoid spam and other potential inconvenience, we limit reporting to one vulnerability per domain per 24 hours. Every recipient of notifications sent can unsubscribe from any further notifications.

Open Bug Bounty: Public and Private Submissions

A security researcher can choose how to report vulnerabilities. Website owners with bug bounties on Open Bug Bounty can restrict submissions to private ones only:

  • Public Submission
    Once verified, we send notifications, without disclosing any technical details of the vulnerability, to:

      • the verified website owner (subject to an existing bug bounty);

      • generic security emails;

      • emails suggested by ISO 29147;

      • emails provided by the researcher;

      • security emails found on the website (if any);

      • the website owner's accounts on social networks.

A public web page dedicated to the vulnerability will be created automatically, but no technical details will be displayed on it. At this stage, the website owner, administrator or security company in charge of the website's security can contact the researcher directly and proceed to coordinated disclosure.

  • Private Submission
    After verification, the vulnerability will be available at a secret hyperlink known only to the security researcher and to the website owner, if s/he runs a bug bounty on Open Bug Bounty. The vulnerability will not be used in any detailed statistics or lists on the website (only the total counter of submissions will increment). Private submissions serve (a) to provide website owners with a flexible Vulnerability Disclosure Program, and (b) to report vulnerabilities on websites that run an external bug bounty program but refuse to reward the researcher for some reason. Our independent and impartial verification proves that the vulnerability existed at a precise timestamp, giving the researcher fair discovery credit. As with public submissions, a private submission can be disclosed by the researcher under the conditions described above.

For both types of submissions, the security researcher can delete the vulnerability submission at any time before public disclosure of the vulnerability details. However, once disclosed, the submission can no longer be deleted, to prevent undue pressure on researchers. We never remove any information about vulnerabilities for political or business reasons.

Bounties and Awards

A website owner can express gratitude to a researcher for reporting a vulnerability in whatever way s/he considers most appropriate and proportional to the researcher's efforts and help.

We encourage website owners to say at least a “thank you” to the researcher or to write a brief recommendation in the researcher’s profile. There is, however, absolutely no obligation or duty to express gratitude in any manner. We promote positive, constructive and mutually respectful communication between website owners and security researchers.

On the platform, researchers receive various honorary badges for the quality of their submissions and the number of websites they have helped to secure. We always encourage quality, not quantity, of submissions.

Good Faith and Ethics

We have a zero tolerance policy for any unethical or unlawful activities.

We always encourage researchers to be respectful, responsive and polite, and to provide website owners with all reasonable help and assistance.

If a researcher violates the enacted standards of ethics and good faith (e.g. demands something in exchange for deleting a submission, or refuses to share vulnerability details with the website owner), such submissions will be deleted immediately.

Researchers who violate the aforementioned rules and ethical guidelines may get suspended from the platform, up to a permanent ban. If you believe that a researcher violates the rules, please first talk to the researcher and try to resolve a possible misunderstanding. If the issue remains unresolved, please contact us.

Privacy and Security

We do not store, process or export any Personally Identifiable Information (PII) as defined in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

To avoid storing any user-related data, we use external authentication via Twitter for everyone on the website. Connection to the website is available via HTTPS only.

For privacy reasons, we also keep no logs of any activities of website owners or security researchers.

Terms and Conditions

Open Bug Bounty reserves the right to reject any Open Bug Bounty Program for any reason in its sole discretion.

Open Bug Bounty may terminate any Researcher's or Website Owner's access to and use of the Open Bug Bounty Platform, at Open Bug Bounty's sole discretion, at any time and without notice to the Researcher or Website Owner.

The site may contain links to third-party websites or resources. Open Bug Bounty provides these links only as a convenience and is not responsible for the content, products or services on or available from those websites or resources or links displayed on such websites. Researcher or Website Owner acknowledges sole responsibility for and assumes all risk arising from Researcher's or Website Owner's use of any third-party websites or resources.



  Latest VIP Submissions

  Website                Reported by    Helped patch (vulnerabilities)  Coordinated Disclosure badges  Recommendations  Date
  tour.ne.jp             metamorfosec   26                              2                              3                21.06.2018
  thepetitionsite.com    OmniGooch      2224                            5                              8                21.06.2018
  allposters.com         OmniGooch      2224                            5                              8                21.06.2018
  netsarang.com          ELProfesor     748                             6                              36               20.06.2018
  massaget.kz            ELProfesor     748                             6                              36               20.06.2018
  gurufocus.com          ELProfesor     748                             6                              36               20.06.2018
  onlineserieswatch.com  ELProfesor     748                             6                              36               20.06.2018
  hoc24.vn               ELProfesor     748                             6                              36               20.06.2018
  freeadult.games        ELProfesor     748                             6                              36               20.06.2018
  movie-wiki.net         ELProfesor     748                             6                              36               20.06.2018



  Latest Submissions

  Website                             Reported by     Helped patch (vulnerabilities)  Coordinated Disclosure badges  Recommendations  Date
  gacc.nifc.gov                       Cyberanteater   0                               0                              -                21.06.2018
  galleryjapan.com                    metamorfosec    26                              2                              3                21.06.2018
  freetradeireland.ie                 malwrforensics  33                              1                              -                21.06.2018
  gmstudios.de                        SecuNinja       1595                            11                             54               21.06.2018
  publica.upc.edu                     metamorfosec    26                              2                              3                21.06.2018
  asprocergs.com.br                   JVZI07          0                               0                              -                21.06.2018
  www4.sisproasp.com.br               JVZI07          0                               0                              -                21.06.2018
  cursovirtual.fundacaounimed.org.br  JVZI07          0                               0                              -                21.06.2018
  kagi.net                            metamorfosec    26                              2                              3                21.06.2018
  touroperator.com.br                 JVZI07          0                               0                              -                21.06.2018