Banner object (1)

4217 policies in database
  Back Link to program      
Tor logo
Hall of Fame


100 $ 


The Tor Project is committed to working with security experts across the world to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you.

The Tor Project is only offering bug bounties for supported versions of two of its core products, Tor (the network daemon) and Tor Browser. Supported versions for Tor can be found at . For Tor Browser it's a good start to look at the latest stable, alpha, and nightly builds. The former can be found at and nightlies can be obtained via http://f4amtbsowhix7rrf.onion/tor-browser-builds/ .

Other services (like the website, bug tracker, and server infrastructure) or products (like OONI, Orbot, and Tor Messenger) are out of scope. Both Tor and Tor Browser bounties come with different tiers accompanied by a price range and some restrictions.


For Tor the tiers, price ranges and restrictions look like this:

Low severity ($100 - $500):

This tier is for low severity bugs that force Tor to misbehave in a way that might be security related, but does not put our core users in danger. If we receive a bug that is too low severity for this tier, we can still send the submitters some stickers or a t-shirt, and also mention them in our greetz list.

Bug examples:

Medium severity ($500 - $2000):

This tier is for medium severity bugs that cannot be used to exploit or deanonymize our users, but can be used as part of a greater attack that aims to do so.

Bug examples:

High severity ($2000 - $4000):

This tier is for serious security bugs that result in users getting deanonymized or compromised.

Bug examples:

  • Attacks that allow remote code-execution (e.g. CVE-2011-0427, CVE-2011-2778)
  • Attacks that cause the leakage of crypto material of relays or clients (e.g. Heartbleed-like bugs)
  • Attacks that remotely cause clients to de-anonymize themselves.
  • Any means to bypass hidden service authorization.
  • Any means to impersonate a relay.
  • Any way for non-exit relays to read user's plaintext.

Vulnerabilities in third party libraries used by standard Tor ($500 -


Medium or High severity vulnerabilities in any third party libraries that cause an issue as defined above are in-scope for this bug bounty program. This does not include third party libraries covered by other bug bounty programs, such as IBB. For the avoidance of doubt, this does exclude OpenSSL, but libevent is still in scope.

Excluded vulnerabilities

This section specifies an incomplete list of vulnerabilities that are NOT in scope for this bug bounty program.

That's because these attacks or issues arise from unanswered research questions and not because of bugs in the Tor software. While Tor may attempt to defend against some of these attacks, any defense is a mitigation and should not be considered indicative of a strong security boundary. Other excluded attacks depend on users doing obviously unsafe tasks which we also consider as out of scope to this program and try to address by educating users.

Here is an incomplete list of excluded vulnerabilities:

  • Tagging attacks or other types of end-to-end traffic confirmation using packet modification or timing, such as or
  • Website and Traffic Fingerprinting Attacks, a good round-up is
  • Using Tor against recommendations. There are several ways to configure Tor or use it insecurely including insecurely configuring it (e.g. setting alternate Directory Authorities), leaking your IP address through torrents, or opening downloaded files in external applications such as document writers.
  • Attacks that are possible by an attacker outside the software's threat model. (For example, Tor assumes that the attacker does not have administrator access to your computer; has not installed a keylogger; does not control a majority of directory authorities; cannot make an authenticated connection to the control port; and so on.)
  • When users go to the wrong hidden service address, they get the wrong hidden service.
  • Timing side-channel attacks that can only be exploited at great difficulty, and only by local users.

For more information see as well: .

Tor Browser

For Tor Browser the tiers, price ranges and restrictions are the following:

Generally there is no reward for anything already in our public bugtracker. This holds for Mozilla's bugtracker as well, with exceptions (see below). If you claim an additional bounty to the one from Mozilla we need to have notice about this specific issue before the bug gets public.

Low ($100 - $1000)

This tier is for third-party/supercookie tracking issues:

a. Non-fingerprinting (identifiers/cookies/etc): $1000

  • Can be claimed either for supercookies that survive "New Identity" or for other mechanisms to track users across sites.

b. Fingerprinting (Reward depends on accuracy and/or entropy. However, "fingerprinting" for this bounty program is defined pretty loosely. E.g. any bugs that help an attacker to find out something about a user's habit is in scope for this item): $100-1000

  • No reward for browser version differentiation
  • No reward for OS differentiation

Medium ($1000 -$2000)

This tier is for unexploitable crashes caused by Tor Browser patches and NoScript bypasses to get arbitrary scripts to run:

a. Unexploitable Tor Browser crashes caused by Tor Browser patches: $1000-$2000

  • remotely triggerable ones
  • indirectly triggerable ones by a remote attacker (an attacker succeeds in convincing a user to do certain things that crash the browser)

b. NoScript bypass to get any script to run $1000-$2000

High ($2000 - $3000+)

This tier is for serious security bugs that may result in users getting deanonymized or compromised.

a. "Uncontrolled" Partial Proxy Bypass: $2000

  • E.g.: DNS resolution via non-Tor ( )
  • Other non-Tor connection to an IP address that is not under an attacker's control (For instance STUN server, server, etc etc)

b. Full Proxy bypass: $3000

  • Direct non-Tor connection to an IP address of the attacker's choice
  • Full code execution vulnerabilities not eligible for this bounty (i.e. c. and d.)

c. Tor Browser-Specific Code Exec Base Bounty: $3000

  • Applies to code exec vulnerabilities against our specific addons/paches/preference choices
  • Can only be claimed in cases where Mozilla's bounty does not apply

d. Bonus over Base Bounty/Mozilla Bounty for code execution exploits that work in:

  1. Medium Security Slider Level on an HTTPS page: 50% Bonus
  2. Medium Security Slider Level on a non-HTTPS page: 75% Bonus
  3. High Security Slider Level: 100% Bonus

If there are security bug reports you want to send directly to us, feel free to contact us via

The progam has been crawled by Firebounty on 2017-07-20 and updated on 2019-08-22, 34 reports have been received so far.

FireBounty © 2015-2020

Legal notices