Our Security Community helped fix 41641 vulnerabilities

Open Bug Bounty: 136,958 coordinated disclosures
Total vulnerabilities fixed: 41,641
139,285 vulnerable websites, 14,992 VIP websites
3,357 security researchers, 4,387 notification subscribers

Purpose and History

Started by a group of security researchers and enthusiasts in June 2014, Open Bug Bounty is a non-profit project designed to connect security researchers and website owners in a transparent and open manner. The main purpose of the project is to make the World Wide Web a safer place without putting unreasonable or excessive costs on website owners.

We firmly believe that bug bounty programs should be open to everyone who wishes to help, should provide equality, transparency and fair discovery credit to researchers, and should ensure responsible vulnerability disclosure.

Open Bug Bounty

Open Bug Bounty’s coordinated vulnerability disclosure program allows any security researcher to report a vulnerability discovered on any website, provided it was found without intrusive testing techniques and is reported in line with responsible disclosure guidelines.

Our role is strictly limited to independent verification of the reports and proper notification of website owners by all available means. Once notified, the website owner and the researcher are in direct contact to patch the vulnerability and coordinate its disclosure. At this and any later stage, we never act as an intermediary between website owners and security researchers.

Every website owner can express gratitude to the researcher in whatever way he or she considers most appropriate and proportional to the researcher's efforts and help. We encourage website owners to say at least a “thank you” to the researcher or to write a recommendation in the researcher’s profile. There is, however, absolutely no obligation or duty to express gratitude. We promote positive, constructive and respectful communication between website owners and security researchers.

Researchers receive various prizes for the quality of their submissions and the number of websites they help secure. We always encourage quality over quantity of submissions.

We have no financial or commercial interest in the project. Moreover, we pay hosting and web development expenses out of our own pockets, and spend our nights verifying new submissions to make the Web safer.

Non-Intrusive Testing

We only accept Cross-Site Scripting, CSRF and a few other vulnerabilities that figure among the most common web application vulnerabilities today. When tested for properly, these vulnerabilities can be confirmed harmlessly, without damaging a website, database, server or related infrastructure.

We do not accept vulnerabilities that can, or are intended to, harm a website.

Coordinated and Safe Disclosure

When a vulnerability is reported and verified, we send a brief notification to all generic security contacts of the website owner, as well as to any specific security contacts provided by the researcher. We strongly encourage security researchers to ensure that the website owner is notified as reliably as possible for every submission.

Security researchers may publicly disclose technical details of the vulnerabilities they report if they wish to do so. However, in order to give website owners appropriate time to remediate the vulnerability without putting any undue pressure on them, technical details may be disclosed only 90 days after the original submission, or 30 days after the vulnerability has been patched.

Proactive website owners and administrators can subscribe to free instant alerts and receive customized notifications about any vulnerabilities detected on their websites. To avoid spam and other potential inconveniences, we allow reporting of only one vulnerability per domain per 24 hours. Every notification recipient can unsubscribe from any further notifications.

Open Bug Bounty: Public and Private

A security researcher can choose how to report a vulnerability:

  • Public Submission
    Once verified, we send notifications, without disclosing any technical details of the vulnerability, to:

    • Subscribers
    • Generic security emails
    • Emails found on the website (if any)
    • Emails provided by the researcher (if any)
    • Website owner accounts in social networks

    A web page dedicated to the vulnerability will be created, but no technical details will be displayed on it. At this stage, the website owner, administrator or the security company in charge of the website's security should contact the researcher directly and proceed to coordinated disclosure. Once patched, the vulnerability page may be deleted by the researcher at his or her own discretion.

  • Private Submission
    After verification, the vulnerability will be available only at a secret hyperlink known to the security researcher. It will not be used in any statistics or lists on the website. This option exists for reporting vulnerabilities on websites that run an official bug bounty program but refuse to reward the researcher for spurious reasons, such as being unable to reproduce the vulnerability or calling the submission a duplicate. Our independent and impartial verification proves that the vulnerability existed at a precise timestamp, giving fair discovery credit to the researcher.

A security researcher can delete his or her submission at any time before public disclosure of the vulnerability details within the timeline mentioned above. However, once disclosed, a submission can no longer be deleted; this protects researchers from being pressured into removing it. We never remove any information about vulnerabilities for political or business reasons.

We have a zero-tolerance policy for any unethical activity around submissions. If a researcher's behaviour borders on extortion (e.g. demanding something in exchange for deleting a submission), the submission will be deleted immediately.

Privacy and Security

To avoid storing any user-related data, we use external authentication via Twitter for everyone on the website. Connections to the website are available via HTTPS only.

For privacy reasons, we also keep no logs of any activities of website owners or security researchers.


LATEST VIP SUBMISSIONS

Website             Reporter                          Date        Badges  Recommendations  Approved XSS  Approved XSS on VIP websites
calculator.net      OmniGooch                         24.07.2017  9       3                4058          337
greensock.com       eb                                24.07.2017  6       11               754           41
bigstockphoto.com   eb                                24.07.2017  6       11               754           41
amur.info           OmniGooch                         23.07.2017  9       3                4058          337
ictv.ua             amlnspqr (Twitter: @amlnspqr)     23.07.2017  8       7                1927          364
pinoybay.ch         eb                                23.07.2017  6       11               754           41
tubegold.xxx        Xany (Twitter: @Xanyrekt)         23.07.2017  7       -                1141          198
otago.ac.nz         MiguelSantareno                   23.07.2017  4       4                340           61
proz.com            MiguelSantareno                   23.07.2017  4       4                340           61
graphicstock.com    RahimPK3                          23.07.2017  0       -                2             2

LATEST SUBMISSIONS

Website             Reporter                                  Date        Badges  Recommendations  Approved XSS  Approved XSS on VIP websites
eeagrants.org       OmniGooch                                 24.07.2017  9       3                4058          337
smartjob.vn         OmniGooch                                 24.07.2017  9       3                4058          337
1zoom.net           OmniGooch                                 24.07.2017  9       3                4058          337
crowfoothyundai.com KushalJaisingh                            24.07.2017  4       -                166           11
watchtimevn.com     OmniGooch                                 24.07.2017  9       3                4058          337
pittarosso.com      evaristegal0is (Twitter: @evaristegal0is) 24.07.2017  4       4                260           55
gpnissan.ca         KushalJaisingh                            24.07.2017  4       -                166           11
sv-optom.ru         OmniGooch                                 24.07.2017  9       3                4058          337
performbetter.com   evaristegal0is (Twitter: @evaristegal0is) 24.07.2017  4       4                260           55
capitaljeep.com     KushalJaisingh                            24.07.2017  4       -                166           11