Open Bug Bounty Community helped fix 244,382 vulnerabilities

Coordinated and Responsible Vulnerability Disclosure, Free Bug Bounty Program

456,365 coordinated disclosures
244,382 fixed vulnerabilities
604 bug bounties with 1224 websites
12,321 researchers, 962 honor badges

Project History

Started by a group of independent security researchers in June 2014, Open Bug Bounty is a non-profit platform designed to connect security researchers and website owners in a transparent, respectful and mutually valuable manner. Our purpose is to make the Web a safer place for everyone’s benefit.

We have no financial or commercial interest in the project. Moreover, we pay hosting expenses and web development costs out of our own pockets, and spend our nights verifying new submissions.

Coordinated and Responsible Disclosure, ISO 29147

Open Bug Bounty’s coordinated vulnerability disclosure platform allows any security researcher to report a vulnerability on any website, as long as the vulnerability was discovered without any intrusive testing techniques and is submitted following responsible disclosure guidelines.

The role of Open Bug Bounty is limited to independent verification of the submitted vulnerabilities and proper notification of website owners by all available means. Once notified, the website owner and the researcher are in direct contact to remediate the vulnerability and coordinate its disclosure. At this and at any later stages, we never act as an intermediary between website owners and security researchers.

The Open Bug Bounty platform follows the guidelines of the ISO 29147 standard (“Information technology -- Security techniques -- Vulnerability disclosure”) for ethical and coordinated disclosure. As per the standard, Open Bug Bounty pursues the following goals of vulnerability disclosure:

  • ensuring that identified vulnerabilities are addressed;
  • minimizing the risk from vulnerabilities;
  • providing sufficient information to evaluate risks from vulnerabilities to their systems;
  • setting expectations to promote positive communication and coordination among involved parties.

As a global vulnerability disclosure coordinator, Open Bug Bounty also serves the following non-profit roles suggested by ISO 29147 for the vulnerability disclosure process:

  • act as a trusted liaison between the involved parties (researchers and website owners);
  • coordinate responsible disclosure;
  • enable communication between the involved parties;
  • provide a forum where experts from different organizations can collaborate.

The risk level of submitted vulnerabilities is scored using the Common Vulnerability Scoring System (CVSS).

Submitted vulnerabilities are classified using the Common Weakness Enumeration (CWE).

Safe and Non-Intrusive Testing

We only accept Cross-Site Scripting, CSRF and some other vulnerabilities that figure among the most common web application vulnerabilities today.

For reports of GDPR PII exposure, we do not store the PII itself, only a blurred screenshot taken after verifying the vulnerability.

The proper process of testing for these vulnerabilities is harmless and cannot damage a website, database, server or related infrastructure. We do not accept vulnerabilities that can, or are intended to, harm a website, its data or related infrastructure.

Open Bug Bounty prohibits reporting of vulnerabilities that were detected by vulnerability scanners and other automated tools that may impact website performance or cause any other negative impact.

Submission and Verification Process

Once a vulnerability is reported and confirmed, we immediately send a security alert to the website owner following ISO 29147 guidelines, as well as to specific security contacts provided by the researcher. We strongly encourage security researchers to ensure reliable notification of the website owner for every submission.

Security researchers can publicly disclose technical details of the vulnerabilities they report if they wish to do so. However, in order to give website owners appropriate time to remediate the vulnerability without putting any undue pressure on them, technical details can be disclosed only 90 days after the original submission, or 30 days after the vulnerability is patched.

To avoid spam and other potential inconvenience, we limit reporting to one vulnerability per domain per 24 hours. Every recipient of notifications sent can unsubscribe from any further notifications.

Open Bug Bounty: Public and Private Submissions

A security researcher can choose how to report vulnerabilities. Website owners with bug bounties on Open Bug Bounty can restrict submissions to private ones only:

  • Public Submission
    Once verified, we send notifications, without disclosing any technical details of the vulnerability, to:
      • the verified website owner (a condition of an existing bug bounty)
      • generic security emails
      • emails suggested by ISO 29147
      • emails provided by the researcher
      • security emails found on the website (if any)
      • website owner accounts in social networks.
    A public web page dedicated to the vulnerability will be created automatically; however, no technical details will be displayed on it. At this stage, the website owner, administrator or security company in charge of the website's security can contact the researcher directly and proceed to coordinated disclosure.

  • Private Submission
    After verification, the vulnerability will be available at a secret hyperlink known only to the security researcher and to the website owner, if s/he runs a bug bounty on Open Bug Bounty. The vulnerability will not be used in any detailed statistics or lists on the website (only the total counter of submissions will increment). Private submission serves to (a) provide a flexible vulnerability disclosure program to website owners, and (b) report vulnerabilities on websites running an external bug bounty program that refuses to reward a researcher for whatever reason. Our independent and impartial verification proves that the vulnerability existed at a precise timestamp, giving fair discovery credit to the researcher. As with public submissions, a private submission can be disclosed by the researcher under the aforementioned conditions.

For both types of submission, the security researcher can delete the vulnerability submission at any time before public disclosure of the vulnerability details. However, once disclosed, the submission can no longer be deleted, to prevent undue pressure on researchers. We never remove any information about vulnerabilities for political or business reasons.

Bounties and Awards

A website owner can express gratitude to a researcher for reporting a vulnerability in whatever way s/he considers most appropriate and proportional to the researcher's efforts and help.

We encourage website owners to at least say “thank you” to the researcher or write a brief recommendation in the researcher’s profile. There is, however, absolutely no obligation or duty to express gratitude in any manner. We promote positive, constructive and mutually respectful communication between website owners and security researchers.

On the platform, researchers receive various honorary badges for the quality of their submissions and the number of websites they have helped to secure. We always encourage quality, not quantity, of submissions.

Good Faith and Ethics

We have a zero tolerance policy for any unethical or unlawful activities.

We always encourage researchers to be respectful, responsive and polite, and to provide website owners with all reasonable help and assistance.

If a researcher violates the established standards of ethics and good faith, including but not limited to:

  • demanding anything in return for deleting a submission
  • refusing to share vulnerability details with a website owner without remuneration

the submissions concerned will be immediately deleted from our platform. Website owners running bug bounties who do not reward researchers as stipulated in their bug bounty description may have their bug bounty deleted from our platform.

Available Integrations

For website owners, we provide a vulnerability data export option for the following SDLC, DevOps and bug tracking systems:

  • Bugzilla
  • Splunk
  • JIRA
  • Mantis
