We protect
open source software.

Get paid to find & fix security vulnerabilities in open source software and be recognised for protecting the world.

90% of users

Got their first CVE

1.7 CVEs

Avg. per user

Protecting 1000+ repos

Protecting open source software

The world's largest bug bounty programme

Reverse Bounties

Supporting those who find vulnerabilities, as well as those who fix them.

Submit a vulnerability

Global Recognition

All valid reports are eligible for a CVE and are made into public write-ups.

Browse the latest finds

Millions of targets

With an almost unlimited scope, you won't have to worry about duplicates again!

Find a target

Our process

The story of vulnerability disclosure, from start to finish

1. Disclosure

The researcher finds a potential vulnerability in open-source and reports it through our disclosure form

2. Notification

The maintainer is notified of the report via. email or GitHub communication

3. Validation

The maintainer validates the vulnerability

4. Reward

The researcher is awarded the disclosure bounty for their successful vulnerability report

5. Fix

The maintainer submits a fix for the vulnerability and is awarded a fix bounty

6. CVE

The researcher's report will be assigned a CVE (within one hour!) if the vulnerability is found in the top 40% most popular open-source repositories

Funding open source security

Working with maintainers to support their projects

Universal

For all open source software

$250 monthly pot
Paid by huntr
Reverse bounties
Promoted repo

Partner

For registered maintainers

$500 monthly pot
Paid by huntr
Reverse bounties
Promoted repo

Enterprise

For commercial OSS

Unlimited pot
Paid by enterprise
Triage support
Promoted repo