
GNU Wget

Program Rules

GNU Wget / Wget2 uses BountyGraph to reward security researchers for finding vulnerabilities. You can access our development pages at Wget or Wget2.


We are most interested in the following classes of vulnerability

  • Remote code execution (RCE)
  • Privacy leaks to remote servers
  • Local file/data corruption from remote
  • Denial of service, e.g. by triggering endless loops or crashing Wget from remote


The following is considered out of scope and will not receive a bounty

  • Social engineering (including phishing) or physical attacks
  • Automated vulnerability scanner output
  • Anything without a working reproducer
  • All kinds of undefined behavior, except where it matches one of the classes in scope (see above)

GNU Wget project maintainers will determine whether a reported issue is considered a security vulnerability and give it a security rating of Low, Moderate, High, or Critical based on its ease of exploitation, resulting attacker control, and commonality of required configuration.

The BountyGraph Panel will have final say on the amount paid out for the vulnerability, but will base this decision on GNU Wget’s final assessment of the bug.

Only commonly used versions of GNU Wget are eligible for bounty submissions, and only if the issue isn't already fixed in the latest source code. Please ensure your exploit still works against recent versions (better: the latest sources from the master branch) when you make your submission.

Please remember that not all submissions will qualify for a bounty. Generally only the first valid report of a particular bug will be accepted, and the final decision of the bounty reward is at the discretion of the Panel.

BountyGraph Payout Policy

Bounties are paid out according to the severity of the vulnerability and the available funds at the time of bounty payout. The following percentages serve as a guide during this process, but individual bugs may earn slightly more or less depending on impact.

Of this bounty, 20% is paid to project maintainers if a working patch is released within 30 days of receiving the report, and 80% is paid to the hacker. If the patch is released after 30 days, 15% is paid to project maintainers and 85% is paid to the hacker.

Low | Medium | High | Critical
~5% | ~10% | ~15% | ~25%


FireBounty (c) 2015-2018