The Internet Bug Bounty is offering rewards to security researchers who
resolve critical vulnerabilities in core infrastructure data processing
libraries. Critical vulnerabilities in these libraries have widespread
consequences to the internet community. Please review the scope section
below on which libraries qualify for this program!
- Only Critical vulnerabilities that demonstrate unambiguous remote code execution are eligible under this program. Findings with alternative impact or severity are not in scope at this time.
- Your Proof of Concept MUST demonstrate that remote exploitation can be easily, actively, and reliably achieved.
- Only versions currently supported by the upstream project are eligible. Please verify your issue is present in a current release before submission.
- The individual library maintainers have final decision on which issues constitute security vulnerabilities. The Panel will respect their decision, and we ask that you do as well. It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.
- Disclose a previously unknown security vulnerability directly to the project maintainers. Findings that are privately disclosed to other parties or bounty programs before the project maintainers are not eligible.
- Follow the disclosure process established by the project maintainers.
- Clearly demonstrate the security vulnerability. Respect the time of the project volunteers as they cannot invest significant effort into incomplete reports. Low-quality reports may be disqualified.
- Once a public security advisory has been issued, please submit a report here. You must not send us the details of the vulnerability until it has been validated, accepted, and publicly disclosed by the project maintainers.
If you believe there are other widely used media and data processing libraries
in which a vulnerability would have a widespread impact on the safety of the
Internet, please email
firstname.lastname@example.org with your suggestion(s).