2021-09-21
Internet Bug Bounty

Welcome to the Internet Bug Bounty!

The Internet Bug Bounty is a crowdfunded bug bounty program that has been in operation since 2013, and in our book, with longevity comes renewal, reform, and expansion. So, in the spirit of constant improvement, we are happy to introduce the updated IBB program here.

The mission of the IBB is:

  • Secure Our Shared Software Components: Incentivize security research into open source and software supply chain dependencies.

  • By Pooling Defenses: Enable beneficiaries of open source to contribute to our collective security equitably.

  • From Discovery to Remediation: Provide financial support to security researchers and the maintainers of open source, who often volunteer their talent.


How it works

Step 1: Discovered a potential Vulnerability? Submit to the Project Maintainers first!

IBB only pays bounty awards for vulnerabilities that have been responsibly reported, acknowledged, triaged, remediated and disclosed via Security Advisory or CVE.

Remember that OSS Projects are supported by groups of dedicated but overwhelmed volunteers. So, while every OSS Project in scope for IBB has agreed to a reasonable timeline for acknowledging vulnerability reports, you should expect the overall timeline to be longer than it would be in a commercial bug bounty program.

Be professional! Any report of abuse or unprofessional conduct when working with OSS Project Maintainers will result in the finder being ineligible for the IBB bounty reward, at the sole discretion of the OSS Project Maintainers and/or the H1 IBB Team.

Step 2: Submit to IBB

⚠️ Do NOT submit unresolved vulnerabilities to the IBB! ⚠️

You must first disclose to project maintainers according to their designated security policy.

Vulnerabilities in the in-scope open source libraries must FIRST be responsibly reported, acknowledged, triaged, remediated and disclosed via Security Advisory or CVE by the project maintainers before submission to the IBB.

Eligibility Requirements

  • A Security Advisory has been published with the following information:
      ◦ An identifier (e.g., CVE, GHSA)
      ◦ A severity rating (e.g., CVSS)
      ◦ Acknowledgement of you as the Finder

  • Project Maintainer has not reported a lack of professionalism

Step 3: Receive a payout!

Congratulations! We are grateful for your dedication to securing the critical open source infrastructure we all use and depend upon.

Bounties are awarded following an 80/20 split model, where 80% of the reward is paid to the finder and 20% is paid to the OSS Project.

Why? Because we recognize that remediation is a critical component of the vulnerability lifecycle. This is often a thankless endeavor performed by overworked and underfunded volunteers working tirelessly to maintain OSS Projects. We believe that supporting their efforts in tandem is necessary to Empower the Community.

The H1 IBB Team meets weekly to issue rewards for all eligible submissions.


Want to help?

Nominate an Open Source Project!

The IBB’s mission involves continuously expanding the scope to cover all open source projects. We are prioritizing projects with widespread adoption and responsive security maintainers. If there’s a project you’d like to see in scope, please let us know and we will prioritize their inclusion.

To submit a nomination, email us the project information at ibb@hackerone.com and include any details that may help us understand why this project should be enrolled. Some examples of details to include are:

  • Recently (or soon to be) published CVE for security research into the project

  • Positive past experience with a responsive security maintainer

  • Plans to continue security research into this project

Along with the above details, if you have any direct contacts at the project you would like us to reach out to, feel free to include that information. If not, we will do our best to reach the right security contact at the project.

In Scope

Scope Type         Scope Name
web_application    https://github.com/ruby
web_application    https://github.com/rails
web_application    https://github.com/rubygems/rubygems
web_application    https://github.com/curl/curl
web_application    https://github.com/Electron
web_application    https://github.com/django
web_application    https://github.com/Nginx
web_application    https://github.com/openssl/openssl
web_application    https://github.com/nodejs/node
web_application    https://github.com/apache/airflow
web_application    https://github.com/apache/httpd
web_application    https://wiki.xenproject.org/wiki/Xen_Project_Repositories
web_application    https://github.com/spiffe/spire
web_application    https://github.com/spiffe/spiffe
web_application    https://git.libssh.org/
web_application    rubygems.org
web_application    https://github.com/rust-lang/rust
web_application    https://github.com/argoproj/argoproj
web_application    https://github.com/rack/rack


This program, crawled on 2021-09-21, is categorized as a bounty program.

FireBounty © 2015-2024
