Our Security Community helped fix 80,798 vulnerabilities

Open Bug Bounty: 179,023 coordinated disclosures
Total Vulnerabilities Fixed: 80,798
168,857 vulnerable websites, 16,329 VIP websites
4,101 security researchers, 5,510 notification subscribers

Purpose and History

Started by a group of security researchers and enthusiasts in June 2014, Open Bug Bounty is a non-profit project designed to connect security researchers and website owners in a transparent and open manner. The main purpose of the project is to make the World Wide Web a safer place without putting unreasonable or excessive costs on website owners.

We firmly believe that bug bounty programs should be open for everyone who wishes to help, provide equality, transparency and fair discovery credit to the researchers, and assure responsible vulnerability disclosure.

Open Bug Bounty

Open Bug Bounty’s coordinated vulnerability disclosure program allows any security researcher to report a vulnerability on any website, as long as the vulnerability was discovered without intrusive testing techniques and is reported in line with responsible disclosure guidelines.

Our role is strictly limited to independent verification of the reports and proper notification of website owners by all available means. Once notified, the website owner and the researcher are in direct contact to patch the vulnerability and coordinate its disclosure. At this and at any later stages, we never act as an intermediary between website owners and security researchers.

A website owner can express gratitude to the researcher in whatever way they consider most appropriate and proportional to the researcher's efforts and help. We encourage website owners to say at least a “thank you” to the researcher or to write a recommendation in the researcher’s profile. There is, however, absolutely no obligation or duty to express gratitude. We promote positive, constructive and respectful communication between website owners and security researchers.

Researchers receive various prizes for the quality of their submissions and the number of websites they help to secure. We always encourage quality, not quantity, of submissions.

We have no financial or commercial interest in the project. Moreover, we pay hosting expenses and web development costs out of our own pockets, and spend our nights verifying new submissions to make the Web safer.

Non-Intrusive Testing

We only accept Cross-Site Scripting, CSRF and some other vulnerabilities that figure among the most common web application vulnerabilities today. The proper process of testing for these vulnerabilities is harmless and cannot damage a website, database, server or related infrastructure. We do not accept vulnerabilities that can, or are intended to, harm a website.

Coordinated and Responsible Disclosure

When a vulnerability is reported and verified, we send a brief notification to all generic security contacts of the website owner, as well as to specific security contacts provided by the researcher. We strongly encourage security researchers to ensure reliable notification of the website owner for every submission.

Security researchers can publicly disclose technical details of the vulnerabilities they report if they wish to do so. However, in order to give website owners appropriate time to remediate the vulnerability without putting undue pressure on them, technical details can be disclosed only 90 days after the original submission, or 30 days after it if the vulnerability has been patched.

Proactive website owners and administrators can subscribe to free instant alerts and receive customized notifications about any vulnerabilities detected on their websites. To avoid spam and other potential inconvenience, we limit reporting to one vulnerability per domain per 24 hours. Every notification recipient can unsubscribe from further notifications.

Open Bug Bounty: Public and Private

Security researchers can choose how to report vulnerabilities:

  • Public Submission
    Once verified, we send notifications, without disclosing any technical details of the vulnerability, to:

    • Subscribers (learn more)
    • Generic security emails
    • Emails found on the website (if any)
    • Emails provided by the researcher (if any)
    • Website owner accounts in social networks.

    A web page dedicated to the vulnerability will be created; however, no technical details will be displayed on it. At this stage, the website owner, administrator or security company in charge of the website's security can contact the researcher directly and proceed to coordinated disclosure. Once the vulnerability is patched, the vulnerability page may be deleted by the researcher at his or her own discretion.

  • Private Submission
    After verification, the vulnerability will be available only at a secret hyperlink known to the security researcher. The vulnerability will not be used in any statistics or lists on the website. Private submission is intended for reporting vulnerabilities on websites that run an official bug bounty program but refuse to reward the researcher for spurious reasons, such as claiming to be unable to reproduce the vulnerability or claiming that the submission is a duplicate. Our independent and impartial verification proves that the vulnerability existed at a precise timestamp, giving fair discovery credit to the researcher.

A security researcher can delete his or her vulnerability submission at any time before the vulnerability details are publicly disclosed within the timelines mentioned above. However, once disclosed, the submission can no longer be deleted; this protects researchers from pressure to remove it. We never remove any information about vulnerabilities for political or business reasons.

We have a zero-tolerance policy for any unethical activity around submissions. If a researcher's behaviour borders on extortion (e.g. demanding something in exchange for deleting a submission), the submission will be deleted immediately.

Privacy and Security

To avoid storing any user-related data, we use external authentication via Twitter for everyone on the website. Connection to the website is available via HTTPS only.

For privacy reasons, we also keep no logs of any activities of website owners or security researchers.


LATEST VIP SUBMISSIONS

Website              Reported by     Helped patch  Coordinated Disclosure badges  Recommendations  Date
recordchina.co.jp    OmniGooch       1256          5                              6                23.11.2017
dzone.com            huntingforbug   2             1                              1                23.11.2017
kekanto.com.br       Vitmac          13            1                              2                23.11.2017
joaobidu.com.br      RootByte        377           3                              -                23.11.2017
listenonrepeat.com   huntingforbug   2             1                              1                22.11.2017
spareroom.co.uk      TAHA            67            2                              10               22.11.2017
vogue.it             retr0           1377          6                              -                22.11.2017
anime-loads.org      retr0           1377          6                              -                22.11.2017
autotriti.gr         eb              668           6                              26               22.11.2017
lovesvg.com          retr0           1377          6                              -                22.11.2017

LATEST SUBMISSIONS

Website              Reported by      Helped patch  Coordinated Disclosure badges  Recommendations  Date
9rsm.com             OmniGooch        1256          5                              6                23.11.2017
kintera.org          OmniGooch        1256          5                              6                23.11.2017
dms.myflorida.com    malwrforensics   15            1                              -                23.11.2017
mapoartcenter.or.kr  OmniGooch        1256          5                              6                23.11.2017
zasadaauto.pl        OmniGooch        1256          5                              6                23.11.2017
optical88.com.hk     OmniGooch        1256          5                              6                23.11.2017
sectra.gob.cl        SabioHat         0             0                              -                23.11.2017
kekanto.com.co       Vitmac           13            1                              2                23.11.2017
kekanto.com.mx       Vitmac           13            1                              2                23.11.2017
kekanto.com.pe       Vitmac           13            1                              2                23.11.2017