Our Security Community helped fix 43,205 vulnerabilities

Open Bug Bounty: 138,053 coordinated disclosures
Total Vulnerabilities Fixed: 43,205
140,260 vulnerable websites, 14,994 VIP websites
3,370 security researchers, 4,390 notification subscribers

Purpose and History

Started by a group of security researchers and enthusiasts in June 2014, Open Bug Bounty is a non-profit project designed to connect security researchers and website owners in a transparent and open manner. The main purpose of the project is to make the World Wide Web a safer place without putting unreasonable or excessive costs on website owners.

We firmly believe that bug bounty programs should be open for everyone who wishes to help, provide equality, transparency and fair discovery credit to the researchers, and assure responsible vulnerability disclosure.

Open Bug Bounty

Open Bug Bounty’s coordinated vulnerability disclosure program allows any security researcher to report a vulnerability on any website, provided it was discovered without intrusive testing techniques and is reported following responsible disclosure guidelines.

Our role is strictly limited to independent verification of the reports and proper notification of website owners by all available means. Once notified, the website owner and the researcher are in direct contact to patch the vulnerability and coordinate its disclosure. At this and at any later stage, we never act as an intermediary between website owners and security researchers.

Every website owner can express gratitude to the researcher in whatever way they consider most appropriate and proportional to the researcher's effort and help. We encourage website owners to at least say “thank you” to the researcher or to write a recommendation in the researcher’s profile. There is, however, absolutely no obligation or duty to express gratitude. We promote positive, constructive and respectful communication between website owners and security researchers.

Researchers receive various prizes for the quality of their submissions and the number of websites they help to secure. We always encourage quality, not quantity, of submissions.

We have no financial or commercial interest in the project. Moreover, we pay hosting expenses and web development out of our own pocket, and spend our nights verifying new submissions to make the Web safer.

Non-Intrusive Testing

We only accept Cross-Site Scripting, CSRF and some other vulnerabilities that figure among the most common web application vulnerabilities today. The proper process of testing for these vulnerabilities is harmless and cannot damage a website, database, server or related infrastructure. We do not accept vulnerabilities that can, or are intended to, harm a website.

Coordinated and Responsible Disclosure

When a vulnerability is reported and verified, we send a brief notification to all generic security contacts of the website owner, as well as to any specific security contacts provided by the researcher. We strongly encourage security researchers to ensure the most reliable notification of the website owner for every submission.

Security researchers can publicly disclose technical details of the vulnerabilities they report if they wish to do so. However, in order to give website owners appropriate time to remediate the vulnerability without putting any undue pressure on them, technical details may be disclosed only 90 days after the original submission, or after 30 days if the vulnerability has been patched.

Proactive website owners and administrators can subscribe to free instant alerts and receive customized notifications about any vulnerabilities detected on their websites. To avoid spam and other potential inconveniences, we allow reporting only one vulnerability per domain per 24 hours. Every recipient of a notification can, of course, unsubscribe from any further notifications.

Open Bug Bounty: Public and Private

Security researchers can choose how to report vulnerabilities:

  • Public Submission
    Once verified, we send notifications, without disclosing any technical details of the vulnerability, to:

    • Subscribers
    • Generic security emails
    • Emails found on the website (if any)
    • Emails provided by the researcher (if any)
    • Website owner accounts in social networks.

    A web page dedicated to the vulnerability will be created; however, no technical details will be displayed on it. At this stage, the website owner, administrator or security company in charge of the website's security should contact the researcher directly and proceed to coordinated disclosure. Once patched, the vulnerability page may be deleted by the researcher at his or her own discretion.

  • Private Submission
    After verification, the vulnerability will be available at a secret hyperlink known only to the security researcher. The vulnerability will not be used in any statistics or lists on the website. This option exists for reporting vulnerabilities on websites that run an official bug bounty program but refuse to reward the researcher for dubious reasons, such as claiming to be unable to reproduce the vulnerability or declaring the submission a duplicate. Our independent and impartial verification proves that the vulnerability existed at a precise timestamp, giving fair discovery credit to the researcher.

A security researcher can delete his or her vulnerability submission at any time before public disclosure of the vulnerability details within the timeline mentioned above. However, once disclosed, the submission can no longer be deleted; this protects researchers from pressure. We never remove any information about vulnerabilities for political or business reasons.

We have a zero-tolerance policy for any unethical activity around submissions. If a researcher's behavior borders on extortion (e.g. demanding something in exchange for deleting a submission), such submissions will be deleted immediately.

Privacy and Security

To avoid storing any user-related data, we use external authentication via Twitter for everyone on the website. The website is reachable via HTTPS only.

For privacy reasons, we also keep no logs of any activities of website owners or security researchers.


LATEST VIP SUBMISSIONS (all reported on 25.07.2017)

  Website                 Reported by
  allbeauty.com           Random_Robbie (Twitter: @Random_Robbie)
  uspto.gov               keritzy (Twitter: @keritzy)
  bournemouthecho.co.uk   Random_Robbie (Twitter: @Random_Robbie)
  plymouthherald.co.uk    Random_Robbie (Twitter: @Random_Robbie)
  ub.edu                  Random_Robbie (Twitter: @Random_Robbie)
  ykt.ru                  OmniGooch
  nu.edu.bd               OmniGooch
  camsoda.com             Clova
  vdict.com               OmniGooch
  gamestar.hu             OmniGooch

  Researcher profiles shown with these submissions:
  Random_Robbie: 7 badges, 27 recommendations, 6678 total reports (914 on VIP sites), 603 patched vulnerabilities
  keritzy: 2 badges, 1555 total reports (138 on VIP sites), 74 patched vulnerabilities
  OmniGooch: 5 badges, 3 recommendations, 4091 total reports (345 on VIP sites), 655 patched vulnerabilities
  Clova: 0 badges, 1 total report (1 on VIP sites), 0 patched vulnerabilities

LATEST SUBMISSIONS (all reported on 25.07.2017)

  Website                        Reported by
  rap-fr.fr                      Implosion
  blogheim.at                    secuninja
  nhac.vui.vn                    Random_Robbie (Twitter: @Random_Robbie)
  skruvat.fi                     Random_Robbie (Twitter: @Random_Robbie)
  farmasiburada.com              Random_Robbie (Twitter: @Random_Robbie)
  itservicesthatworkforyou.com   Random_Robbie (Twitter: @Random_Robbie)
  eldexmall.co.kr                Random_Robbie (Twitter: @Random_Robbie)
  ballantynes.co.nz              Random_Robbie (Twitter: @Random_Robbie)
  george.org.za                  Random_Robbie (Twitter: @Random_Robbie)
  wwbuying.com                   Random_Robbie (Twitter: @Random_Robbie)

  Researcher profiles shown with these submissions:
  Implosion: 3 badges, 18 recommendations, 1449 total reports (57 on VIP sites), 237 patched vulnerabilities
  secuninja: 3 badges, 17 recommendations, 2066 total reports (138 on VIP sites), 346 patched vulnerabilities
  Random_Robbie: 7 badges, 27 recommendations, 6678 total reports (914 on VIP sites), 603 patched vulnerabilities