Our disclosure process is open source
We review every disclosure you submit.
Contributing with GitHub
Our bounty database is now open source! To disclose a vulnerability, open a pull request against our bounty database and get feedback from the community.
All of your disclosures will improve your GitHub contributions graph, so you get the best of both worlds.
We accept every disclosure where:
A fix is not already available
A proof of concept (PoC) exists and is included
We don't accept:
Vulnerabilities that are only client side (e.g. typing a payload into the console so that it runs locally)
Physical or social engineering attacks
Vulnerable dependencies of a package
Rate limiting issues that do not have a clear impact
Injection vulnerabilities that only let you modify text (we will weigh up the context on this)
Improper password complexity restrictions
Vulnerabilities that don't have a clear security impact (e.g. CSRF but it only logs out a user)
If you have any questions, get in touch at firstname.lastname@example.org.