We fund
open source security.

We pay security researchers for finding vulnerabilities in any GitHub repository and maintainers for fixing them.

90% of users

Got their first CVE

1.7 CVEs

Avg. per user

3.6 bounties per user

Avg. monthly winnings

Protecting 1000+ repos

Low risk Arbitrary Code Execution in

microsoft/qlib

found by @b3ef – fixed by @anon-artist

High risk Command Injection in

facebook/create-react-app

found by @zpbrent – fixed by @zpbrent

High risk Arbitrary Code Execution in

adobe/ops-cli

found by @anon-artist – fixed by @asjidkalam

High risk Insecure Deserialization in

NVIDIA/runx

found by @asjidkalam – fixed by @b3ef

Low risk Code Injection in

uber/petastorm

found by @anon-artist – fixed by @d3m0n-r00t

Low risk Arbitrary Code Execution in

spotify/postgresql-metrics

found by @b3ef – fixed by @anon-artist

High risk Command Injection in

Azure/ms-rest-nodeauth

found by @zpbrent – fixed by @zpbrent

Low risk Code Injection in

uber/petastorm

found by @anon-artist – fixed by @d3m0n-r00t

High risk Prototype Pollution in

mozilla/node-convict

found by @gkmrrr – fixed by @arjunshibu

Low risk Arbitrary Code Execution in

microsoft/qlib

found by @b3ef – fixed by @anon-artist

High risk Command Injection in

facebook/create-react-app

found by @zpbrent – fixed by @zpbrent

High risk Arbitrary Code Execution in

adobe/ops-cli

found by @anon-artist – fixed by @asjidkalam

High risk Insecure Deserialization in

NVIDIA/runx

found by @asjidkalam – fixed by @b3ef

Low risk Code Injection in

uber/petastorm

found by @anon-artist – fixed by @d3m0n-r00t

Low risk Arbitrary Code Execution in

spotify/postgresql-metrics

found by @b3ef – fixed by @anon-artist

High risk Command Injection in

Azure/ms-rest-nodeauth

found by @zpbrent – fixed by @zpbrent

Low risk Code Injection in

uber/petastorm

found by @anon-artist – fixed by @d3m0n-r00t

High risk Prototype Pollution in

mozilla/node-convict

found by @gkmrrr – fixed by @arjunshibu

Low risk Arbitrary Code Execution in

facebookresearch/ParlAI

found by @anon-artist – fixed by @anon-artist

High risk Arbitrary Code Execution in

adobe/himl

found by @anon-artist – fixed by @asjidkalam

Medium risk Cross-Site Scripting (XSS) in

alibaba/BizCharts

found by @ready-research – fixed by @alromh87

Low risk Arbitrary Code Execution in

microsoft/nni

found by @b3ef – fixed by @anon-artist

Low risk Remote Code Execution in

heroku/heroku-exec-util

found by @mik317 – fixed by @d3m0n-r00t

Low risk Arbitrary Code Execution in

tensorflow/models

found by @b3ef – fixed by @asjidkalam

High risk Prototype Pollution in

Automattic/mongoose

found by @zpbrent – fixed by @zpbrent

High risk Heap-based Buffer Overflow in

vim/vim

found by @geeknik – fixed by @brammool

High risk Inefficient Regular Expression Complexity in

axios/axios

found by @ready-research – fixed by @ready-research

Low risk Arbitrary Code Execution in

facebookresearch/ParlAI

found by @anon-artist – fixed by @anon-artist

High risk Arbitrary Code Execution in

adobe/himl

found by @anon-artist – fixed by @asjidkalam

Medium risk Cross-Site Scripting (XSS) in

alibaba/BizCharts

found by @ready-research – fixed by @alromh87

Low risk Arbitrary Code Execution in

microsoft/nni

found by @b3ef – fixed by @anon-artist

Low risk Remote Code Execution in

heroku/heroku-exec-util

found by @mik317 – fixed by @d3m0n-r00t

Low risk Arbitrary Code Execution in

tensorflow/models

found by @b3ef – fixed by @asjidkalam

High risk Prototype Pollution in

Automattic/mongoose

found by @zpbrent – fixed by @zpbrent

High risk Heap-based Buffer Overflow in

vim/vim

found by @geeknik – fixed by @brammool

High risk Inefficient Regular Expression Complexity in

axios/axios

found by @ready-research – fixed by @ready-research

Protecting open source software

The world's largest bug bounty programme

Reverse Bounties

Supporting those who find vulnerabilities, as well as those who fix them.

Submit a vulnerability

Global Recognition

All valid reports are eligible for a CVE and are made into public write-ups.

Browse the community’s latest finds

Millions of targets

With an almost unlimited scope, you won't have to worry about duplicates again!

Find a target

Our process

The story of vulnerability disclosure, from start to finish

1. Disclosure

The researcher finds a potential vulnerability in open-source and reports it through our disclosure form

2. Notification

The maintainer is notified of the report via. email or GitHub communication

3. Validation

The maintainer validates the vulnerability

4. Reward

The researcher is awarded the disclosure bounty for their successful vulnerability report

5. Fix

The maintainer submits a fix for the vulnerability and is awarded a fix bounty

6. CVE

The researcher's report will be assigned a CVE (within one hour!) if the vulnerability is found in the top 40% most popular open-source repositories

Funding open source security

Working with maintainers to support their projects

Universal

For all open source software

$250 prize pot

Paid by huntr

Reverse bounties

Promoted repo

Partner

For registered maintainers

$250 prize pot

Paid by huntr

Reverse bounties

Promoted repo

Enterprise

For commercial OSS

Unlimited prize pot

Paid by enterprise

Triage support

Promoted repo

We fund open source security.

We pay security researchers for finding vulnerabilities in any GitHub repository and maintainers for fixing them.

90% of users

Got their first CVE

1.7 CVEs

Avg. per user

3.6 bounties per user

Avg. monthly winnings

Protecting 1000+ repos

Protecting open source software

The world's largest bug bounty programme

Reverse Bounties

Global Recognition

Millions of targets

Our process

The story of vulnerability disclosure, from start to finish

1. Disclosure

2. Notification

3. Validation

4. Reward

5. Fix

6. CVE

Funding open source security

Working with maintainers to support their projects

Universal

For all open source software

Partner

For registered maintainers

Enterprise

For commercial OSS

We fund
open source security.