Apache httpd

The Apache HTTP server is ubiquitous on the Internet, having remained the single most popular web server since early 1996. The excellent work of the volunteers on the Apache Security Team helps ensure the security of countless websites, and the Internet Bug Bounty Panel would like to show our gratitude.

Bounty Qualification

The project maintainers have the final decision on which issues constitute security vulnerabilities. The Panel will respect their decision, and we ask that you do as well. Our rewards are tied to the security impact level as determined by the project.

  • Critical: $3,000
  • Important: $1,500
  • Moderate: $500
  • Low: N/A

It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.

Submission Process

  • Disclose a previously unknown security vulnerability directly to the project maintainers.
  • Follow the disclosure process established by the project maintainers.
  • Clearly demonstrate the security vulnerability. Respect the time of the project volunteers as they cannot invest significant effort into incomplete reports. Low-quality reports may be disqualified.
  • Once a public security advisory has been issued, please contact us at panel@internetbugbounty.org. You must not send us the details of the vulnerability until it has been validated, accepted, and publicly disclosed by the project maintainers.

This is an independent process not managed by the Apache Software Foundation. Participation is optional.

Apache httpd published their program on HackerOne almost 2 years ago.

  • Minimum bounty: $500
  • Hackers thanked: 2
  • Reports closed: 2