20180 policies in database
Link to program      
Internet Bug Bounty logo


Internet Bug Bounty

Welcome to the Internet Bug Bounty!

The Internet Bug Bounty is a crowdfunded bug bounty program that has been in operation since 2013, and in our book, with longevity comes renewal, reform, and expansion. So, in the spirit of constant improvement, we are happy to introduce the updated IBB program here.

The mission of the IBB is:

  • Secure Our Shared Software Components: Incentivize security research into open source and software supply chain dependencies.

  • By Pooling Defenses: Enable beneficiaries of open source to contribute to our collective security equitably.

  • From Discovery to Remediation: Provide financial support to security researchers and the maintainers of open source, who often volunteer their talent.

How it works

Step 1: Discovered a potential Vulnerability? Submit to the Project Maintainers first!

IBB only pays bounty awards for vulnerabilities that have been responsibly reported, acknowledged, triaged, remediated and disclosed via Security Advisory or CVE.

Remember that OSS Projects are supported by groups of dedicated, but overwhelmed volunteers. So, while every OSS Project in scope for IBB has agreed to a reasonable timeline to acknowledge vulnerability reports, the expectation is that the timeline overall will be extended compared to commercial bug bounty programs.

Be professional! 💼 Any report of abuse or unprofessional conduct when working with OSS Project Maintainers will result in the finder being ineligible for the IBB bounty reward, at the sole discretion of the OSS Project Maintainers and/or the H1 IBB Team.

Step 2: Submit to IBB

⚠️ Do NOT submit unresolved vulnerabilities to the IBB! ⚠️

You must first disclose to project maintainers according to their designated security policy.

Vulnerabilities in the in-scope open source libraries must FIRST be responsibly reported, acknowledged, triaged, remediated and disclosed via Security Advisory or CVE by the project maintainers before submission to the IBB.

Eligibility Requirements

  • A Security Advisory has been published with the following information:

  • An identifier (e.g., CVE, GHSA)

  • A severity rating (e.g., CVSS)

  • Acknowledgement of you as the Finder

  • Project Maintainer has not reported a lack of professionalism

Step 3: Receive a payout!

Congratulations! We are grateful for your dedication to securing the critical open source infrastructure we all use and depend upon.

Bounties are awarded following an 80/20 split model, where 80% of the reward is paid to the finder and 20% is paid to the OSS Project.

Why? Because we recognize that remediation is a critical component of the vulnerability lifecycle. This is often a thankless endeavor performed by overworked and underfunded volunteers working tirelessly to maintain OSS Projects. We believe that supporting their efforts in tandem is necessary to Empower the Community.

The H1 IBB Team meets weekly to issue rewards for all eligible submissions.

In Scope

Scope Type Scope Name


















This program crawled on the 2021-09-21 is sorted as bounty.

FireBounty © 2015-2021

Legal notices