How it works
We've selected some of the most important software that supports the internet stack, and we want you to hack it. If the public is demonstrably safer as a result of your contribution to internet security, we'd like to be the first to recognize your work and say "thanks" by sending some cash to you or your favorite non-profit.
The Internet Bug Bounty is managed by a panel of volunteers selected from the security community. These security experts are responsible for defining the rules of the program, allocating bounties to where additional security research is needed most, and mediating any disagreements that might arise.
- Alex Rice, HackerOne
- Chris Evans, Google Project Zero
- Katie Moussouris, HackerOne
- Zane Lackey, Signal Sciences
- Jesse Burns, NCC Group
- Collin Greene, Uber
- Matt Miller, Microsoft
- Roman Porter, Microsoft
- Neal Poole, Facebook
- Kostya Kortchinsky, Google
- Peleus Uhley, Adobe
Panelists represent their own opinions and not their employers.
- Sandbox Escapes
- The Internet
- Ruby on Rails
- Apache httpd
Frequently Asked Questions
Our collective safety is only possible when public security research is allowed to flourish. Some of the most critical vulnerabilities in the internet's history have been resolved thanks to the efforts of researchers fueled entirely by curiosity and altruism. We owe these individuals an enormous debt and believe it is our duty to do everything in our power to cultivate a safe, rewarding environment for past, present, and future researchers.
The Internet Bug Bounty is a California non-profit public benefit corporation. The program itself is administered by an independent panel of security experts from the community. The Panel is responsible for defining the rules of the program, allocating bounties to where additional security research is needed most, and mediating any disagreements that might arise.
The Internet Bug Bounty program is sponsored by individuals and organizations who genuinely care about our collective security. Their contributions directly fund the bounties paid to researchers with no portion going to The Panel or administration: 100% goes to researchers. Sponsors do not have any special access or rights to bug data. If you'd like to sponsor security research, let us know!
First, make certain you follow our general guidelines for vulnerability disclosure. Next, each Response Team has a unique set of criteria for what bugs are in scope along with any special rules they'd like you to adhere to. Be certain to carefully read each individual team page before beginning any research or testing on their products.
The Panel may provide general guidance on bounties, but the appropriate Response Teams will assess each individual report to determine its bounty eligibility. The Panel is available to mediate any disagreements that may arise.
Yes! However, we have two simple caveats: your involvement with the project is a labor of love as an unpaid volunteer, and you did not author or review the blamed commit.
Where the vendor already has a reasonable bounty program in place, we request that you contact the vendor directly.
No. It is unacceptable to share the vulnerability with anyone without the explicit consent of the Response Team.
In most cases, yes. Please review the Response Team's profile for specifics on their accepted routes for submission.