Some of the most critical vulnerabilities in the Internet's history have been resolved thanks to efforts of researchers fueled entirely by curiosity and altruism. We owe these individuals an enormous debt and believe it is our duty to do everything in our power to demonstrate how much this research is appreciated. To that end, the Internet Bug Bounty Panel will award public research into vulnerabilities with the potential for severe security implications to the public.
Simply put: hack all the things, send us the good stuff, and we'll do our best to reward you.
To qualify, vulnerabilities must meet the following criteria:
In addition, vulnerabilities should meet most of the following criteria:
If you are attempting to report a new security vulnerability in a third-party library, please first contact the project maintainers directly.
Vulnerabilities in open source libraries should first be validated, accepted, and publicly disclosed by the project maintainers before submission to the Internet Bug Bounty Panel. The Panel has limited capacity to assist with the coordinated disclosure of any potential vulnerabilities. We are best equipped to consider rewards for vulnerabilities that have already been publicly disclosed through some other means, provided they adhered to our disclosure guidelines.
While we would love nothing more than to reward all findings, we do have a budget and therefore it is important to keep in mind that not all submissions will qualify for a bounty. The decision to award a bounty is entirely at the discretion of the Internet Bug Bounty Panel. We will strive for consistency over time but regularly make subjective eligibility decisions based on current submission volume and available budget (Know a potential sponsor? Contact us at firstname.lastname@example.org!).
We provide the following examples of publicly disclosed vulnerabilities that we have rewarded:
Thanks @AllieBrosh for personifying our mission
Contact us if you want more information.