We protect
open source code.

Earn money for finding & fixing security vulnerabilities in open source projects and be recognised for protecting the world.

90% of users

Got their first CVE

1.7 CVEs

Avg. per user

3.6 bounties per user

Avg. monthly winnings

Our code runs in 100+ repos

Low risk Arbitrary Code Execution in

baidu/CUP

found by @anon-artist – fixed by @b3ef

High risk Command Injection in

facebook/create-react-app

found by @zpbrent – fixed by @zpbrent

High risk Arbitrary Code Execution in

adobe/ops-cli

found by @anon-artist – fixed by @asjidkalam

Low risk Arbitrary Code Execution in

spotify/postgresql-metrics

found by @b3ef – fixed by @anon-artist

High risk Command Injection in

Azure/ms-rest-nodeauth

found by @zpbrent – fixed by @zpbrent

Low risk Arbitrary Code Execution in

tensorflow/models

found by @b3ef – fixed by @asjidkalam

High risk Insecure Deserialization in

NVIDIA/runx

found by @asjidkalam – fixed by @b3ef

Low risk Arbitrary Code Execution in

baidu/CUP

found by @anon-artist – fixed by @b3ef

High risk Command Injection in

facebook/create-react-app

found by @zpbrent – fixed by @zpbrent

High risk Arbitrary Code Execution in

adobe/ops-cli

found by @anon-artist – fixed by @asjidkalam

Low risk Arbitrary Code Execution in

spotify/postgresql-metrics

found by @b3ef – fixed by @anon-artist

High risk Command Injection in

Azure/ms-rest-nodeauth

found by @zpbrent – fixed by @zpbrent

Low risk Arbitrary Code Execution in

tensorflow/models

found by @b3ef – fixed by @asjidkalam

High risk Insecure Deserialization in

NVIDIA/runx

found by @asjidkalam – fixed by @b3ef

High risk Prototype Pollution in

mozilla/node-convict

found by @gkmrrr – fixed by @arjunshibu

Low risk Arbitrary Code Execution in

facebookresearch/ParlAI

found by @anon-artist – fixed by @anon-artist

Low risk Remote Code Execution in

heroku/heroku-exec-util

found by @mik317 – fixed by @d3m0n-r00t

High risk Arbitrary Code Execution in

adobe/himl

found by @anon-artist – fixed by @asjidkalam

Low risk Arbitrary Code Execution in

microsoft/nni

found by @b3ef – fixed by @anon-artist

Medium risk Cross-Site Scripting (XSS) in

alibaba/BizCharts

found by @ready-research – fixed by @alromh87

Low risk Arbitrary Code Execution in

microsoft/qlib

found by @b3ef – fixed by @anon-artist

High risk Prototype Pollution in

Automattic/mongoose

found by @zpbrent – fixed by @zpbrent

High risk Prototype Pollution in

mozilla/node-convict

found by @gkmrrr – fixed by @arjunshibu

Low risk Arbitrary Code Execution in

facebookresearch/ParlAI

found by @anon-artist – fixed by @anon-artist

Low risk Remote Code Execution in

heroku/heroku-exec-util

found by @mik317 – fixed by @d3m0n-r00t

High risk Arbitrary Code Execution in

adobe/himl

found by @anon-artist – fixed by @asjidkalam

Low risk Arbitrary Code Execution in

microsoft/nni

found by @b3ef – fixed by @anon-artist

Medium risk Cross-Site Scripting (XSS) in

alibaba/BizCharts

found by @ready-research – fixed by @alromh87

Low risk Arbitrary Code Execution in

microsoft/qlib

found by @b3ef – fixed by @anon-artist

High risk Prototype Pollution in

Automattic/mongoose

found by @zpbrent – fixed by @zpbrent

The biggest bug bounty board in the world

With an almost unlimited scope, you will never fight with someone else over the same bounty.

Submit a disclosure

Public write-ups

Once validated and patched, your disclosure write-up will be public.

Pick and fix

If you don't have the skill to disclose, we also reward bounties for fixing verified vulnerabilities.

Browse live bounties

Work with the best

Collaborate and build relationships with the linchpins of open source: maintainers.

We protect
open source code.

Earn money for finding & fixing security vulnerabilities in open source projects and be recognised for protecting the world.

90% of users

Got their first CVE

1.7 CVEs

Avg. per user

3.6 bounties per user

Avg. monthly winnings

Our code runs in 100+ repos

The biggest bug bounty board in the world

With an almost unlimited scope, you will never fight with someone else over the same bounty.

Public write-ups

Once validated and patched, your disclosure write-up will be public.

Pick and fix

If you don't have the skill to disclose, we also reward bounties for fixing verified vulnerabilities.

Work with the best

Collaborate and build relationships with the linchpins of open source: maintainers.

Be globally recognised

As a CNA, we can assign CVEs against your verified advisories.

Show off

Your work, impact and achievements in one public place.

We protect open source code.

Earn money for finding & fixing security vulnerabilities in open source projects and be recognised for protecting the world.

90% of users

Got their first CVE

1.7 CVEs

Avg. per user

3.6 bounties per user

Avg. monthly winnings

Our code runs in 100+ repos

The biggest bug bounty board in the world

With an almost unlimited scope, you will never fight with someone else over the same bounty.

Public write-ups

Once validated and patched, your disclosure write-up will be public.

Pick and fix

If you don't have the skill to disclose, we also reward bounties for fixing verified vulnerabilities.

Work with the best

Collaborate and build relationships with the linchpins of open source: maintainers.

Be globally recognised

As a CNA, we can assign CVEs against your verified advisories.

Show off

Your work, impact and achievements in one public place.

We protect
open source code.