Some of the most critical vulnerabilities in the Internet's history have been resolved thanks to efforts of researchers fueled entirely by curiosity and altruism. We owe these individuals an enormous debt and believe it is our duty to do everything in our power to demonstrate how much this research is appreciated. To that end, the Internet Bug Bounty Panel will award public research into vulnerabilities with the potential for severe security implications to the public.

Simply put: hack all the things, send us the good stuff, and we'll do our best to reward you.

The Fine Print

To qualify, vulnerabilities must meet the following criteria:

• Be implementation agnostic: vulnerability is present in implementations from multiple vendors or a vendor with dominant market share. Do not send us vulnerabilities that only impact a single website, product, or project.
• Be open source: finding manifests itself in at least one popular open source project.

In addition, vulnerabilities should meet most of the following criteria:

• Be widespread: vulnerability manifests itself across a wide range of products, or impacts a large number of end users.
• Have critical impact: vulnerability has extreme negative consequences for the general public.
• Be novel: vulnerability is new or unusual in an interesting way.

If you are attempting to report a new security vulnerability in a third-party library, please first contact the project maintainers directly.

Vulnerabilities in open source libraries should first be validated, accepted, and publicly disclosed by the project maintainers before submission to the Internet Bug Bounty Panel. The Panel has limited capacity to assist with the coordinated disclosure of any potential vulnerabilities. We are best equipped to consider rewards for vulnerabilities that have already been publicly disclosed through some other means, provided they adhered to our disclosure guidelines.

While we would love nothing more than to reward all findings, we do have a budget and therefore it is important to keep in mind that not all submissions will qualify for a bounty. The decision to award a bounty is entirely at the discretion of the Internet Bug Bounty Panel. We will strive for consistency over time but regularly make subjective eligibility decisions based on current submission volume and available budget (Know a potential sponsor? Contact us at panel@internetbugbounty.org!).

Examples

We provide the following examples of publicly disclosed vulnerabilities that we have rewarded:

• TLS Triple Handshake Attack - 3Shake: widespread, novel.
• CVE - CVE-2014-6271 - GNU Bash Vulnerability - Shellshock: widespread, critical impact.
• CVE-2016-3714 - ImageTragick - widespread, critical impact.

Bounty Guidance

• Minimum reward of $750 with significantly higher rewards granted at the Panel's discretion

Thanks @AllieBrosh for personifying our mission