Disclose a vulnerability in open source

We PAY for every valid disclosure you make
Contributing with GitHub

Our bounty database is now open source! To disclose a vulnerability, open a pull request against our vulnerability database and get rewarded!

We accept and reward every disclosure where:

A fix is not already available
A proof of concept (PoC) exists and is included
Our sheriffs have approved the disclosure

We don't accept:

Vulnerabilities that are client-side only (e.g. you type a payload into the console and it runs locally)
Physical or social engineering attacks
Vulnerable dependencies of a package
Rate limiting issues that do not have a clear impact
Injection vulnerabilities that only let you modify text (we will weigh up the context on this)
Improper password complexity restrictions
Vulnerabilities that don't have a clear security impact (e.g. a CSRF that only logs out a user)

If you have any questions, get in touch at security@huntr.dev
