A bug bounty program for core internet infrastructure and free open source software.

How it works

How it works

We've selected some of the most important software that supports the internet stack, and we want you to hack it. If the public is demonstrably safer as a result of your contribution to internet security, we'd like to be the first to recognize your work and say "thanks" by sending some cash to you or your favorite non-profit.

The Internet Bug Bounty has rewarded $477k+ in bounties to 110 friendly hackers for uncovering 277 flaws that have helped improve the security of the Internet, including: ImageTragick ($7.5k), Heartbleed ($15k), and Shellshock ($20k).

For more details on how the Internet Bug Bounty operates, including guidelines around how scope and bounty prices are determined, finances, panel member requirements, etc., please see our charter.

The Panel

The Internet Bug Bounty is managed by a panel of volunteers selected from the security community. These security experts are responsible for defining the rules of the program, allocating bounties to where additional security research is needed most, and mediating any disagreements that might arise. The current panel members are:

The Internet Bug Bounty would also like to thank past panel members for their contributions to the program:

  • Matt Miller, Microsoft

Panelists represent their own opinions and not their employers.

Contact the panel

Bounty sponsors

The monetary bug bounties are made possible by the sponsors below.

Frequently Asked Questions

Can't find your answer here? Contact us.

Toggle all questions
Why run an Internet Bug Bounty program?
Our collective safety is only possible when public security research is allowed to flourish. Some of the most critical vulnerabilities in the internet's history have been resolved thanks to efforts of researchers fueled entirely by curiosity and altruism. We owe these individuals an enormous debt and believe it is our duty to do everything in our power to cultivate a safe, rewarding environment for past, present, and future researchers.
Who is running the Internet Bug Bounty?
The Internet Bug Bounty program is administered by an independent panel of security experts from the community. The Panel is responsible for defining the rules of the program, allocating bounties to where additional security research is needed most, and mediating any disagreements that might arise.
How is the program funded?
The Internet Bug Bounty program is sponsored by individuals and organizations who genuinely care about our collective security. Their contributions directly fund the bounties paid to finders with no portion going to the Panel or administration: 100% goes to finders. Sponsors do not have any special access or rights to vulnerability data. If you'd like to sponsor security research, let us know!
What types of bugs qualify for bounties?
First, make certain you follow our general guidelines for vulnerability disclosure. Next, each Security Team has a unique set of criteria for what bugs are in scope along with any special rules they'd like you to adhere to. Be certain to carefully read each individual team page before beginning any research or testing on their products.
Who decides how much each bounty is?
The Panel may provide general guidance on bounties, but the appropriate Security Teams will assess each individual report to determine its bounty eligibility. The Panel is available to meditate any disagreements that may arise.
I'm a contributor to an open source project. Am I eligible?
Yes! However, we have two simple caveats: your involvement with the project is a labor of love as an unpaid volunteer, and you did not author or review the blamed commit.
What about software or services where the vendor already has a bounty program?
Where the vendor already has a reasonable bounty program in place, we request that you contact the vendor directly.
Can I report the bug to you via a third-party broker?
No. It is unacceptable to share the vulnerability with anyone without the explicit consent of the Security Team.
Can I report the bug directly to the Security Team?
In most cases, yes. Please review the Security Team's profile for specifics on their accepted routes for submission.
How is IBB different from CII (Core Infrastructure Initiative)?
While IBB and CII have very similar goals, they are distinct, yet complementary in nature. CII enables technology companies to collaboratively identify and fund open source projects that are in need of assistance, while allowing the developers to continue their work under the community norms that have made open source so successful. IBB helps reward security research that results in identification of vulnerabilities in open source projects and other critical software that supports the Internet stack.
Are donations to the IBB tax deductible?
The Internet Bug Bounty is incorporated as a not-for-profit organization, but is still in the process of applying for federal tax-exempt status under IRS 501(c)(3). As such, donations to the IBB are not tax deductible at this time.