About

What is this?

Bug Bounties is an open-source directory of 2,966 bug bounty and responsible disclosure programs. The aim, is to help security researchers quickly find companies that welcome vulnerability reports, as well as augmenting listing with essential info like scopes, rewards, contact details, known issues, and more.

How is data collected?

Program data is aggregated from multiple public sources, which is fetched, processed and verified nightly. As well as user-submitted programs, we also fetch from HackerOne, BugCrowd, Intigriti, YesWeHack, Federacy, Disclose.io among other sources.

Platform-managed programs are stored in platform-programs.yml, while independently-run programs are in independent-programs.yml. Both files are available in our GitHub repository.

Adding a Program

If your bounty program is not listed on any of the platforms which we auto-aggregate, you can submit it as an independent program. Fork the repository, add your program to independent-programs.yml, and open a pull request. Required fields are company and url. Optional fields include contact, rewards, safe_harbor, scope, payout_table, excluded_methods, description, and more. See the full field reference in the README.

Alternatively, you can just use this form, and we will add your bounty program automatically.

Contributing

Start by clone the repo with git clone [email protected]:Lissy93/bug-bounties.git && cd bug-bounties
You will need Python (v3.12+) installed for the scripts, as well as Node.js (v24+) for the website.

To run the data gathering and processing scripts:

1. make install - Setup environment and install dependencies (from requirements.txt)
2. make populate - Fetch the latest directory of programs, format, and write to platform-programs.yml
3. make validate - Verify and validate the platform-programs.yml and independent-programs.yml files against the schema.json
4. make readme - Generate and insert a summarized list of programs into the README.md

To develop and build the website:

1. cd web to navigate into the web/ directory
2. npm i to install dependencies
3. npm run dev to start the development server
4. npm run build to build the production site

If you'd like to deploy/self-host your own version or fork of bug-bounties, you have several options:

• Option #1: Upload the content of web/dist/ into any web server, static hosting provider or CDN.
• Option #2: Import the project into a static hosting provider (like Vercel, Netlify, etc), where it will be auto-build and published
• Option #3: For Docker, run docker run -p 8080:8080 ghcr.io/lissy93/bug-bounties:latest

Responsible disclosure

If you find a vulnerability in one of these programs, always follow their specific disclosure policy. General guidance:

• Read the program's rules before testing
• Only test on systems you are authorized to test
• Do not access, modify, or delete user data
• Report vulnerabilities promptly and provide enough detail to reproduce
• Give the company reasonable time to fix before any public disclosure

Credits and license

Contributors

Sponsors

Dependencies

• Astro + Svelte - website
• PyYAML - YAML parsing
• jsonschema - schema validation
• rapidfuzz - fuzzy deduplication
• requests - HTTP client

License

MIT License

Copyright (c) 2023 Alicia Sykes https://aliciasykes.com

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

More Apps

Enjoy security content? You might be interested in some of the other projects we maintain:

• Web-Check - All-in-one OSINT tool for analyzing any website ( GitHub )
• Personal Security Checklist - The ultimate list of tips for protecting your data online ( GitHub )
• Awesome Privacy - A curated list of apps, services and alternatives that respect your privacy ( GitHub )
• Portainer Templates - 500+ 1-click Portainer app templates ( GitHub )
• Networking Toolbox - The all-in-one collection of 100+ free offline-first tools for sysadmins ( GitHub )
• Domain Locker - Domain name portfolio app for monitoring your domains ( GitHub )
• Email Comparison - Comparison of private and / or secure email providers ( GitHub )
• Dashy - The self-hosted personal dashboard for your homelab ( GitHub )