Our Security Community helped fix 74,711 vulnerabilities

Open Bug Bounty: 152,832 coordinated disclosures
Total Vulnerabilities Fixed: 74,711
150,483 vulnerable websites, 15,469 VIP websites
3,727 security researchers, 5,210 notification subscribers

Purpose and History

Started by a group of security researchers and enthusiasts in June 2014, Open Bug Bounty is a non-profit project designed to connect security researchers and website owners in a transparent and open manner. The main purpose of the project is to make the World Wide Web a safer place without putting unreasonable or excessive costs on website owners.

We firmly believe that bug bounty programs should be open for everyone who wishes to help, provide equality, transparency and fair discovery credit to the researchers, and assure responsible vulnerability disclosure.

Open Bug Bounty

Open Bug Bounty’s coordinated vulnerability disclosure program allows any security researcher to report a vulnerability on any website, as long as the vulnerability is discovered without intrusive testing techniques and responsible disclosure guidelines are followed.

Our role is strictly limited to independent verification of the reports and proper notification of website owners by all available means. Once notified, the website owner and the researcher are in direct contact to patch the vulnerability and coordinate its disclosure. At this and at any later stages, we never act as an intermediary between website owners and security researchers.

A website owner can express gratitude to the researcher in whatever way they consider most appropriate and proportional to the researcher's efforts and help. We encourage website owners to at least say “thank you” to the researcher or write a recommendation in the researcher’s profile. There is, however, absolutely no obligation or duty to express gratitude. We promote positive, constructive and respectful communication between website owners and security researchers.

Researchers receive various prizes for the quality of their submissions and the number of websites they help to secure. We always encourage quality, not quantity, of submissions.

We have no financial or commercial interest in the project. Moreover, we pay hosting expenses and web development costs from our own pockets, and spend our nights verifying new submissions to make the Web safer.

Non-Intrusive Testing

We only accept Cross-Site Scripting, CSRF and some other vulnerabilities that figure among the most common web application vulnerabilities today. The proper process of testing for these vulnerabilities is harmless and cannot damage a website, database, server or related infrastructure. We do not accept vulnerabilities that can, or are intended to, harm a website.

Coordinated and Responsible Disclosure

When a vulnerability is reported and verified, we send a brief notification to all generic security contacts of the website owner, as well as to specific security contacts provided by the researcher. We strongly encourage security researchers to ensure reliable notification of the website owner for every submission.

Security researchers can publicly disclose technical details of the vulnerabilities they report if they wish to do so. However, in order to give website owners appropriate time to remediate the vulnerability without putting any undue pressure on them, technical details can be disclosed only after 90 days from the original submission, or after 30 days if the vulnerability has been patched.

Proactive website owners and administrators can subscribe to free instant alerts and receive customized notifications about any vulnerabilities detected on their websites. To avoid spam and other potential inconvenience, we limit reporting to one vulnerability per domain per 24 hours. Every recipient of a notification can unsubscribe from any further notifications.

Open Bug Bounty: Public and Private

A security researcher can choose how to report vulnerabilities:

  • Public Submission
    Once verified, we send notifications, without disclosing any technical details of the vulnerability, to:

    • Subscribers
    • Generic security emails
    • Emails found on the website (if any)
    • Emails provided by the researcher (if any)
    • Website owner accounts in social networks.

    A web page dedicated to the vulnerability will be created; however, no technical details will be displayed on it. At this stage, the website owner, administrator or security company in charge of website security can contact the researcher directly and proceed to coordinated disclosure. Once patched, the vulnerability page may be deleted by the researcher at their own discretion.

  • Private Submission
    After verification, the vulnerability will be available at a secret hyperlink known only to the security researcher. The vulnerability will not be used in any statistics or lists on the website. Private submission is intended for reporting vulnerabilities on websites that run an official bug bounty program but refuse to reward the researcher for hilarious reasons, such as being unable to reproduce the vulnerability or claiming that the submission is a duplicate. Our independent and impartial verification proves that the vulnerability existed at a precise timestamp, giving fair discovery credit to the researcher.

A security researcher can delete their vulnerability submission at any time before public disclosure of the vulnerability details within the timelines mentioned above. However, once disclosed, the submission can no longer be deleted; this prevents pressure being put on researchers. We never remove any information about vulnerabilities for political or business reasons.

We have a zero tolerance policy for any unethical activities around submissions. If a researcher's behaviour borders on extortion (e.g. demanding something in exchange for deleting a submission), such submissions will be deleted immediately.

Privacy and Security

To avoid storing any user-related data, we use external authentication via Twitter for everyone on the website. Connection to the website is available via HTTPS only.

For privacy reasons, we also keep no logs of any activities of website owners or security researchers.
