Star 历史趋势
数据来源: GitHub API · 生成自 Stargazers.cn
README.md



A compiled list of companies who accept responsible disclosure
🔎 Browse All Programs | Submit New Program



Top Programs

Expand List Key: 💰 = bounty. 🏅 = shout-out. 🎁 = swag.
View full list and details at bug-bounties.as93.net

A

B

C

D

E

F

G

H

I

J

K

L

M

N

O

P

Q

R

S

T

U

V

W

X

Y

Z

#


About

The objective of this repo is to provide a centralized listing of public bounty programs, along with contact details and rewards. Which can either be browsed via the website or integrated into your workflow using MCP server or API.

We maintain a directory of independently-run programs in independent-programs.yml, and we also aggregate data from public sources (such as HackerOne, Bugcrowd, Intigriti, YesWeHack, Federacy, Disclose, etc), which is then normalized, deduplicated, validated against a schema, and merged into platform-programs.yml.

graph LR
    A[Public Sources] -->|fetch| B[Normalize & Dedup]
    B --> C1[Validate]
    C1 -->|Insert| D[platform-programs.yml]
    G[Community Submissions] -->|issue form or PR| C2[Validate]
    C2 -->|Insert| H[independent-programs.yml]
    D --> I[API + MCP]
    H --> I
    D --> F[Website]
    H --> F
    D --> E[README]
    H --> E
    style A fill:#8037e0,stroke:#360a70,color:#fff
    style G fill:#8037e0,stroke:#360a70,color:#fff
    style B fill:#334155,stroke:#1e293b,color:#fff
    style C1 fill:#3bc964,stroke:#185c2b,color:#0c121a
    style C2 fill:#3bc964,stroke:#185c2b,color:#0c121a
    style D fill:#fdc500,stroke:#9e7b06,color:#0c121a
    style H fill:#fdc500,stroke:#9e7b06,color:#0c121a
    style E fill:#2ebdfa,stroke:#0f6b8f,color:#0c121a
    style F fill:#2ebdfa,stroke:#0f6b8f,color:#0c121a
    style I fill:#2ebdfa,stroke:#0f6b8f,color:#0c121a

Submitting a Program

To include a new self-managed CVD or bug bounty program to the website, add it to independent-programs.yml (in alphabetical order by company name). Either, fork the repo add you entry(s) and then open a PR, or just open an issue or fill in this form, and we will add it for you.

Fields reference

Required fields are company and url, all others are optional

FieldTypeRequiredDescription
companystringYesCompany or program owner name
urlURLYesCanonical program or security page URL
contactstringNoContact URL (mailto: or https://)
rewardsarrayNoReward types: *bounty, *recognition, *swag
descriptionstringNoShort program description (max 500 chars)
program_typeenumNobounty, vdp, or hybrid
statusenumNoactive or paused
Scope
domainsarrayNoIn-scope domains (flat list shorthand)
scopearrayNoStructured targets: {target, type} where type is one of web, mobile, api, hardware, iot, network, cloud, desktop, other
out_of_scopearrayNoExplicitly excluded targets or categories
Payouts
min_payoutnumberNoMinimum payout amount
max_payoutnumberNoMaximum payout amount
currencystringNoPayout currency code (for example USD)
payout_tableobjectNoPer-severity max amounts: {critical, high, medium, low}
Rules
testing_policy_urlURLNoLink to full testing rules
excluded_methodsarrayNoForbidden techniques such as dos, social_engineering, phishing, physical_access, automated_scanning
requires_accountbooleanNoWhether testing requires an account
Disclosure
safe_harborenumNofull or partial
allows_disclosurebooleanNoWhether researchers may publish findings
disclosure_timeline_daysnumberNoCoordinated disclosure window in days
response_sla_daysnumberNoCommitted acknowledgment time in business days
Legal & Recognition
legal_terms_urlURLNoLink to participation terms
hall_of_fame_urlURLNoLink to researcher acknowledgments page
swag_detailsstringNoDescription of swag offered (max 200 chars)
reporting_urlURLNoSubmission endpoint if different from url
Communication
pgp_keystringNoURL to PGP key
preferred_languagesstringNoPreferred report languages
standardsarrayNoStandards followed, for example ISO 29147, disclose.io
Example entry

Bare Minimum:

- company: Example Corp
  url: https://example.com/security

Full:

- company: Example Corp
  url: https://example.com/security
  contact: mailto:security@example.com
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  min_payout: 100
  max_payout: 10000
  currency: USD
  payout_table:
    critical: 10000
    high: 5000
    medium: 1000
    low: 100
  safe_harbor: full
  allows_disclosure: true
  disclosure_timeline_days: 90
  response_sla_days: 3
  scope:
  - target: '*.example.com'
    type: web
  - target: Example Mobile App
    type: mobile
  out_of_scope:
  - Third-party services
  - Staging environments
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  hall_of_fame_url: https://example.com/security/thanks
  preferred_languages: English
  standards:
  - ISO 29147
  description: Short description of the program scope and rules.

Using the Data


Mirror

A mirror of this repo and all data is published to CodeBerg, at: codeberg.org/alicia/bug-bounties


Developer Usage

Start by clone the repo with git clone git@github.com:Lissy93/bug-bounties.git && cd bug-bounties

Data Aggregation

  1. make install - Setup environment and install dependencies (from requirements.txt)
  2. make populate - Fetch the latest directory of programs, format, and write to platform-programs.yml
  3. make validate - Check platform-programs.yml and independent-programs.yml against the schema.json
  4. make readme - Generate and insert a summarized list of programs into the README.md

Website

  1. cd web to navigate into the web/ directory
  2. npm i to install web NPM dependencies
  3. npm run dev to start the development server
  4. npm run build to build the production site

Deployment

  • Option 1) Upload the content of web/dist/ into any web server, static hosting provider or CDN
  • Option 2) Import the project into Vercel or Netlify directly, where it will be automatically deployed
  • Option 3) For Docker, run docker run -p 8080:8080 ghcr.io/lissy93/bug-bounties:latest

Credits

Sponsors

Huge thanks to the following kind people, for their ongoing support in funding this, and other of my projects via GitHub Sponsors

Sponsors

Contributors

Top Contributors

Attributions

Data Sources

Core Dependencies


License

Lissy93/Bug-Bounties is licensed under MIT © Alicia Sykes 2023 - 2026.
For information, see TLDR Legal > MIT

Expand License
The MIT License (MIT)
Copyright (c) Alicia Sykes <alicia@omg.com> 

Permission is hereby granted, free of charge, to any person obtaining a copy 
of this software and associated documentation files (the "Software"), to deal 
in the Software without restriction, including without limitation the rights 
to use, copy, modify, merge, publish, distribute, sub-license, and/or sell 
copies of the Software, and to permit persons to whom the Software is furnished 
to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included install 
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANT ABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NON INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

© Alicia Sykes 2026
Licensed under MIT

Thanks for visiting :)

关于 About

⚔️ Community maintained directory, MCP and API of 3,000+ active bug bounty programs and VDPs
ai-securitybugbountyfree-apimcpresponsible-disclosuresecurityvulnerabilities

语言 Languages

TypeScript41.6%
Astro35.1%
Svelte10.9%
Python9.0%
JavaScript2.6%
CSS0.3%
Makefile0.2%
Dockerfile0.2%

提交活跃度 Commit Activity

代码提交热力图
过去 52 周的开发活跃度
288
Total Commits
峰值: 50次/周
Less
More

核心贡献者 Contributors