Our Security Community helped fix 101,416 vulnerabilities

172,811 coordinated disclosures
101,416 fixed vulnerabilities
142,251 websites, 14,151 VIP websites
4,885 researchers, 6,123 subscribers

Project History

Started by a group of independent security researchers in June 2014, Open Bug Bounty is a non-profit project designed to connect security researchers and website owners in a transparent, respectful and mutually valuable manner. The purpose of the project is to make the Web a safer place for everyone’s benefit.

We have no financial or commercial interest in the project. Moreover, we pay hosting expenses and web development costs from our pocket, and spend our nights verifying new submissions.

Coordinated and Responsible Disclosure, ISO 29147

Open Bug Bounty’s coordinated vulnerability disclosure program allows any security researcher to report a vulnerability on any website, as long as the vulnerability was discovered without using intrusive testing techniques and the researcher follows responsible disclosure guidelines.

Open Bug Bounty Platform is based on the guidelines of ISO 29147 “Information technology -- Security techniques -- Vulnerability disclosure”. As defined in the standard, the goals of vulnerability disclosure include the following:

  • ensuring that identified vulnerabilities are addressed;
  • minimizing the risk from vulnerabilities;
  • providing users with sufficient information to evaluate risks from vulnerabilities to their systems;
  • setting expectations to promote positive communication and coordination among involved parties.

Our role is strictly limited to independent verification of the vulnerabilities and proper notification of website owners by all available means. Once notified, the website owner and the researcher are in direct contact to remediate the vulnerability and coordinate its disclosure. At this and at any later stages, we never act as an intermediary between website owners and security researchers.

As a global vulnerability disclosure Coordinator, Open Bug Bounty serves the following non-profit roles as suggested by ISO 29147 in the vulnerability disclosure process:

  • act as a trusted liaison between the involved parties (researchers and website owners);
  • coordinate responsible disclosure;
  • enable communication between the involved parties;
  • provide a forum where experts from different organizations can collaborate.

Bounties and Awards

A website owner can express gratitude to the researcher for reporting the vulnerability in whatever way s/he considers the most appropriate and proportional to the researcher's efforts and help.

We encourage website owners to say at least a “thank you” to the researcher or to write a recommendation in the researcher’s profile. There is, however, no obligation or duty to express gratitude in any manner. We promote positive, constructive and mutually respectful communication between website owners and security researchers.

On the platform, researchers earn various honorary badges for the quality of their submissions and the number of websites they have helped to secure. We always encourage quality, not quantity, of submissions.

Non-Intrusive Testing

We only accept Cross-Site Scripting, CSRF and some other vulnerabilities that figure among the most common web application vulnerabilities today.

The proper process of testing for these vulnerabilities is harmless and cannot damage a website, database, server or related infrastructure. We do not accept vulnerabilities that can, or are intended to, harm a website, its data or related infrastructure.

Risk Scoring and Vulnerability Classification

The risk level of each submitted vulnerability is scored using the globally accepted Common Vulnerability Scoring System (CVSS) standard.

Submitted vulnerabilities are classified using the globally accepted Common Weakness Enumeration (CWE) standard.

Coordinated and Responsible Disclosure

Once a vulnerability is reported and confirmed, we immediately send a security alert to the website owner following ISO 29147 guidelines, as well as to specific security contacts provided by the researcher. We strongly encourage security researchers to ensure reliable notification of the website owner for every submission.

Security researchers can publicly disclose technical details of the vulnerabilities they report if they wish to do so. However, in order to give website owners appropriate time to remediate the vulnerability without putting any undue pressure on them, technical details can be disclosed only after 90 days from the original submission, or after 30 days if the vulnerability has been patched.

Proactive website owners and administrators can subscribe to free instant alerts and receive customized notifications about any vulnerabilities detected on their websites. To avoid spam and other potential inconvenience, we limit reporting to one vulnerability per domain per 24 hours. Every recipient of a notification can unsubscribe from any further notifications.

Open Bug Bounty: Public and Private Submissions

A security researcher can choose how to report vulnerabilities:

  • Public Submission
    Once verified, we send notifications, without disclosing any technical details of the vulnerability, to:

    • Subscribers
    • Generic security emails
    • Emails suggested by ISO 29147
    • Emails provided by the researcher
    • Security emails found on the website (if any)
    • Website owner accounts in social networks.

    A web page dedicated to the vulnerability will be created, but no technical details will be displayed on it. At this stage, the website owner, administrator or security company in charge of website security can contact the researcher directly and proceed to coordinated disclosure. Once the vulnerability is patched, the researcher may delete the vulnerability page at his or her own discretion.

  • Private Submission
    After verification, the vulnerability will be available at a secret hyperlink known only to the security researcher. The vulnerability will not be used in any statistics or lists on the website. Private submission is intended for reporting vulnerabilities on websites that run an official bug bounty program but refuse to reward the researcher for hilarious reasons such as being unable to reproduce the vulnerability, or claiming that the submission is a duplicate. Our independent and impartial verification proves that the vulnerability existed at a precise timestamp, giving fair discovery credit to the researcher.

A security researcher can delete his or her vulnerability submission at any time before public disclosure of the vulnerability details within the timelines mentioned above. However, once disclosed, the submission can no longer be deleted; this prevents pressure being put on researchers to remove it. We never remove any information about vulnerabilities for political or business reasons.

Good Faith and Ethics

We have a zero tolerance policy for any unethical activities around submissions.

If a researcher's behavior violates the enacted standards of ethics and good faith (e.g. demanding something in exchange for deleting a submission), the submissions in question will be immediately deleted and the researcher's profile may be suspended.

Privacy and Security

We do not store, process or export any Personally Identifiable Information (PII) as defined in General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

To avoid storing any user-related data, we use external authentication via Twitter for everyone on the website. Connection to the website is available via HTTPS only.

For privacy reasons, we also keep no logs of any activities of website owners or security researchers.
