Our disclosure process is now open source! 🎉

We reward for every valid disclosure you make.
Contributing with GitHub

Our bounty database is now open source! To disclose a vulnerability, open a pull request against our vulnerability database and get rewarded!

All of your disclosures will also show up on your GitHub contributions graph, so you get the best of both worlds: open source contributions and some extra dollars!


Requirements

We pay $25 for every disclosure where:

The package is published in a package repository (other than Maven) and has over 1000 downloads per month
The CVSS score is at least 3.0
A fix is not already available
The source repo has had activity in the last year
A proof of concept (PoC) exists and is included

If the CVSS score is over 8.0 and the package is well maintained but is not published in a package repository, we may still award a bounty at our discretion. If you have any questions, please get in touch at security@huntr.dev. We will let you know when your disclosure has been accepted, and the cash and credit rewards will be deposited into your account. Payments for disclosures and fixes are made on the 25th of each month, so make sure the PayPal address in your settings is up to date.

We don't accept:

Vulnerabilities that are only client side (e.g. typing a payload into your own browser console so that it runs locally)
Physical or social engineering attacks
Vulnerable dependencies of a package
Rate limiting issues that do not have a clear impact
Injection vulnerabilities that only let you modify text (but we'll weigh up context on this)
Improper password complexity restrictions
Issues without a clear security impact (e.g. a CSRF that only logs a user out)
