We are most interested in the following classes of vulnerability
The following is considered out of scope and will not receive a bounty
GNU Wget project maintainers will determine whether a reported issue is considered a security vulnerability and give it a security rating of Low, Moderate, High, or Critical based on its ease of exploitation, resulting attacker control, and commonality of required configuration.
The BountyGraph Panel will have final say on the amount paid out for the vulnerability, but will base this decision on GNU Wget’s final assessment of the bug.
Only commonly used versions of GNU Wget are eligible for bounty submissions, and only if the issue isn't already fixed in the latest source code. Please ensure your exploit is still present in recent versions (ideally the latest sources from the master branch) when you submit your bounty.
Please remember that not all submissions will qualify for a bounty. Generally only the first valid report of a particular bug will be accepted, and the final decision of the bounty reward is at the discretion of the Panel.
Bounties are paid out according to the severity of the vulnerability and the available funds at the time of bounty payout. The following percentages serve as a guide during this process, but individual bugs may earn slightly more or less depending on impact.
Low | Medium | High | Critical
~5% | ~10% | ~15% | ~25%
Of this bounty, 20% is paid to project maintainers if a working patch is released within 30 days of receiving the report, and 80% is paid to the hacker. If the patch is released after 30 days, 15% is paid to project maintainers and 85% is paid to the hacker.
Contact us if you want more information.