Internet Bug Bounty

Rewarding friendly hackers who contribute to a more secure internet.

How it works

We've selected some of the most important software that supports the internet stack, and we want you to hack it. If the public is demonstrably safer as a result of your contribution to internet security, we'd like to be the first to recognize your work and say "thanks" by sending some cash to you or your favorite non-profit.

The Panel

The Internet Bug Bounty is managed by a panel of volunteers selected from the security community. These security experts are responsible for defining the rules of the program, allocating bounties to where additional security research is needed most, and mediating any disagreements that might arise.

Panelists represent their own opinions and not their employers.

Frequently Asked Questions

Why run an Internet Bug Bounty program?

Our collective safety is only possible when public security research is allowed to flourish. Some of the most critical vulnerabilities in the internet's history have been resolved thanks to efforts of researchers fueled entirely by curiosity and altruism. We owe these individuals an enormous debt and believe it is our duty to do everything in our power to cultivate a safe, rewarding environment for past, present, and future researchers.

Who is running the Internet Bug Bounty?

The Internet Bug Bounty is a California non-profit public benefit corporation. The program itself is administered by an independent panel of security experts from the community. The Panel is responsible for defining the rules of the program, allocating bounties to where additional security research is needed most, and mediating any disagreements that might arise.

How is the program funded?

The Internet Bug Bounty program is sponsored by individuals and organizations who genuinely care about our collective security. Their contributions directly fund the bounties paid to researchers with no portion going to The Panel or administration: 100% goes to researchers. Sponsors do not have any special access or rights to bug data. If you'd like to sponsor security research, let us know!

What types of bugs qualify for bounties?

First, make certain you follow our general guidelines for vulnerability disclosure. Next, each Response Team has a unique set of criteria for what bugs are in scope along with any special rules they'd like you to adhere to. Be certain to carefully read each individual team page before beginning any research or testing on their products.

Who decides how much each bounty is?

The Panel may provide general guidance on bounties, but the appropriate Response Teams will assess each individual report to determine its bounty eligibility. The Panel is available to mediate any disagreements that may arise.

I'm a contributor to an open source project. Am I eligible?

Yes! However, we have two simple caveats: your involvement with the project is a labor of love as an unpaid volunteer, and you did not author or review the blamed commit.

What about software or services where the vendor already has a bounty program?

Where the vendor already has a reasonable bounty program in place, we request that you contact the vendor directly.

Can I report the bug to you via a third-party broker?

No. It is unacceptable to share the vulnerability with anyone without the explicit consent of the Response Team.

Can I report the bug directly to the Response Team?

In most cases, yes. Please review the Response Team's profile for specifics on their accepted routes for submission.