[{"id":3771829,"new_policy":"**Effective March 27, the IBB program has been paused for new submissions.**\n\nThe Internet Bug Bounty (IBB) program was created to strengthen security in open source and core internet infrastructure projects. From the outset, it was designed to reward both vulnerability discovery and remediation, with 80 percent of rewards supporting new findings and 20 percent supporting remediation efforts. The intent has been to align discovery with effective remediation so that meaningful findings lead to durable security improvements in open source projects.\n\nThe discovery landscape is changing. AI-assisted research is expanding vulnerability discovery across the ecosystem, increasing both coverage and speed. The balance between findings and remediation capacity in open source has substantively shifted. We have a responsibility to the community to ensure this program effectively accomplishes its ambitious dual purpose: discovery and remediation. Accordingly, we are pausing submissions while we consider the structure and incentives needed to further these goals. \n\n**Active IBB submissions will continue through standard review and payout processes without disruption.** \n\n**We will continue to provide qualifying open source projects with complimentary access to the [HackerOne Community Edition](https://www.hackerone.com/company/open-source-community), which includes AI-assisted triage and workflow capabilities, equivalent to our current Enterprise platform license.** \n\nWe remain committed to strengthening open source security. 
Working with project maintainers and researchers, we’re actively evaluating solutions to better align incentives with open source ecosystem realities and ensure vulnerability discoveries translate into durable remediation outcomes.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-28T04:32:02.411Z"},{"id":3754431,"new_policy":"# Welcome to the Internet Bug Bounty!\n\nThe Internet Bug Bounty is a crowdfunded bug bounty program that has been in operation since 2013, and in our book, with longevity comes renewal, reform, and expansion. So, in the spirit of constant improvement, we are happy to introduce the updated IBB program here.\n\nThe mission of the IBB is:\n+ **Secure Our Shared Software Components**: Incentivize security research into open source and software supply chain dependencies.\n+ **By Pooling Defenses**: Enable beneficiaries of open source to contribute to our collective security equitably.\n+ **From Discovery to Remediation**: Provide financial support to security researchers and the maintainers of open source, who often volunteer their talent.\n_________________________________________________________________\n# How it works\n## Step 1: Discovered a potential Vulnerability? Submit to the Project Maintainers first!\n\nIBB only pays bounty awards for vulnerabilities that have been responsibly reported, acknowledged, triaged, remediated and disclosed via Security Advisory or CVE. If there are multiple reporters of a vulnerability acknowledged within the security advisory, only the first reporter (as recognized by the project maintainers) will be eligible for bounty.\n\nRemember that OSS Projects are supported by groups of dedicated, but overwhelmed volunteers. 
So, while every OSS Project in scope for IBB has agreed to a reasonable timeline to acknowledge vulnerability reports, the expectation is that the timeline overall will be extended compared to commercial bug bounty programs.\n\n**Be professional!** 💼 Any report of abuse or unprofessional conduct when working with OSS Project Maintainers will result in the finder being ineligible for the IBB bounty reward, at the sole discretion of the OSS Project Maintainers and/or the H1 IBB Team.\n\n## Step 2: Submit to IBB\n\n⚠️ *Do NOT submit unresolved vulnerabilities to the IBB!* ⚠️\n*You must first disclose to project maintainers according to their designated security policy.*\n\nVulnerabilities in the in-scope open source libraries must FIRST be responsibly reported, acknowledged, triaged, remediated and disclosed via Security Advisory or CVE by the project maintainers before submission to the IBB. \n\n**Eligibility Requirements**\n\n+ A Security Advisory has been published with the following information:\n  + An identifier (e.g., CVE, GHSA)\n  + A severity rating (e.g., CVSS)\n  + Acknowledgement of you as the Finder\n+ Project Maintainer has not reported a lack of professionalism \n\n## Step 3: Receive a payout! \nCongratulations! We are grateful for your dedication to securing the critical open source infrastructure we all use and depend upon.\n\nBounties are awarded following an 80/20 split model, where 80% of the reward is paid to the finder and 20% is paid to the OSS Project. \n\nWhy? Because we recognize that remediation is a critical component of the vulnerability lifecycle. This is often a thankless endeavor performed by overworked and underfunded volunteers working tirelessly to maintain OSS Projects. 
We believe that supporting their efforts in tandem is necessary to Empower the Community.\n\nThe [H1 IBB Team](mailto:ibb@hackerone.com) meets monthly to issue rewards for all eligible submissions.\n_________________________________________________________________\n# Want to help?\n## Nominate an Open Source Project! \nThe IBB’s mission involves continuously expanding the scope to cover all open source projects. We are prioritizing projects with widespread adoption and responsive security maintainers. If there’s a project you’d like to see in scope, please let us know and we will prioritize their inclusion.\n\nTo submit a nomination, email us the project information at ibb@hackerone.com and include any details that may help us understand why this project should be enrolled. Some examples of details to include are:\n+ Recently (or soon to be) published CVE for security research into the project\n+ Positive past experience with a responsive security maintainer\n+ Plans to continue security research into this project\n\nAlong with the above details, if you have any direct contacts you would like us to reach out to directly, feel free to include that information. If not, we will do our best to reach out to the right security contact at the project.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-04-27T17:59:09.293Z"},{"id":3701775,"new_policy":"# Welcome to the Internet Bug Bounty!\n\nThe Internet Bug Bounty is a crowdfunded bug bounty program that has been in operation since 2013, and in our book, with longevity comes renewal, reform, and expansion. 
So, in the spirit of constant improvement, we are happy to introduce the updated IBB program here.\n\nThe mission of the IBB is:\n+ **Secure Our Shared Software Components**: Incentivize security research into open source and software supply chain dependencies.\n+ **By Pooling Defenses**: Enable beneficiaries of open source to contribute to our collective security equitably.\n+ **From Discovery to Remediation**: Provide financial support to security researchers and the maintainers of open source, who often volunteer their talent.\n_________________________________________________________________\n# How it works\n## Step 1: Discovered a potential Vulnerability? Submit to the Project Maintainers first!\n\nIBB only pays bounty awards for vulnerabilities that have been responsibly reported, acknowledged, triaged, remediated and disclosed via Security Advisory or CVE. If there are multiple reporters of a vulnerability acknowledged within the security advisory, only the first reporter (as recognized by the project maintainers) will be eligible for bounty.\n\nRemember that OSS Projects are supported by groups of dedicated, but overwhelmed volunteers. 
So, while every OSS Project in scope for IBB has agreed to a reasonable timeline to acknowledge vulnerability reports, the expectation is that the timeline overall will be extended compared to commercial bug bounty programs.\n\n**Be professional!** 💼 Any report of abuse or unprofessional conduct when working with OSS Project Maintainers will result in the finder being ineligible for the IBB bounty reward, at the sole discretion of the OSS Project Maintainers and/or the H1 IBB Team.\n\n## Step 2: Submit to IBB\n\n⚠️ *Do NOT submit unresolved vulnerabilities to the IBB!* ⚠️\n*You must first disclose to project maintainers according to their designated security policy.*\n\nVulnerabilities in the in-scope open source libraries must FIRST be responsibly reported, acknowledged, triaged, remediated and disclosed via Security Advisory or CVE by the project maintainers before submission to the IBB. \n\n**Eligibility Requirements**\n\n+ A Security Advisory has been published with the following information:\n  + An identifier (e.g., CVE, GHSA)\n  + A severity rating (e.g., CVSS)\n  + Acknowledgement of you as the Finder\n+ Project Maintainer has not reported a lack of professionalism \n\n## Step 3: Receive a payout! \nCongratulations! We are grateful for your dedication to securing the critical open source infrastructure we all use and depend upon.\n\nBounties are awarded following an 80/20 split model, where 80% of the reward is paid to the finder and 20% is paid to the OSS Project. \n\nWhy? Because we recognize that remediation is a critical component of the vulnerability lifecycle. This is often a thankless endeavor performed by overworked and underfunded volunteers working tirelessly to maintain OSS Projects. 
We believe that supporting their efforts in tandem is necessary to Empower the Community.\n\nThe [H1 IBB Team](mailto:ibb@hackerone.com) meets weekly to issue rewards for all eligible submissions.\n_________________________________________________________________\n# Want to help?\n## Nominate an Open Source Project! \nThe IBB’s mission involves continuously expanding the scope to cover all open source projects. We are prioritizing projects with widespread adoption and responsive security maintainers. If there’s a project you’d like to see in scope, please let us know and we will prioritize their inclusion.\n\nTo submit a nomination, email us the project information at ibb@hackerone.com and include any details that may help us understand why this project should be enrolled. Some examples of details to include are:\n+ Recently (or soon to be) published CVE for security research into the project\n+ Positive past experience with a responsive security maintainer\n+ Plans to continue security research into this project\n\nAlong with the above details, if you have any direct contacts you would like us to reach out to directly, feel free to include that information. If not, we will do our best to reach out to the right security contact at the project.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-09-08T18:44:50.044Z"},{"id":3661809,"new_policy":"# Welcome to the Internet Bug Bounty!\n\nThe Internet Bug Bounty is a crowdfunded bug bounty program that has been in operation since 2013, and in our book, with longevity comes renewal, reform, and expansion. 
So, in the spirit of constant improvement, we are happy to introduce the updated IBB program here.\n\nThe mission of the IBB is:\n+ **Secure Our Shared Software Components**: Incentivize security research into open source and software supply chain dependencies.\n+ **By Pooling Defenses**: Enable beneficiaries of open source to contribute to our collective security equitably.\n+ **From Discovery to Remediation**: Provide financial support to security researchers and the maintainers of open source, who often volunteer their talent.\n_________________________________________________________________\n# How it works\n## Step 1: Discovered a potential Vulnerability? Submit to the Project Maintainers first!\n\nIBB only pays bounty awards for vulnerabilities that have been responsibly reported, acknowledged, triaged, remediated and disclosed via Security Advisory or CVE.\n\nRemember that OSS Projects are supported by groups of dedicated, but overwhelmed volunteers. So, while every OSS Project in scope for IBB has agreed to a reasonable timeline to acknowledge vulnerability reports, the expectation is that the timeline overall will be extended compared to commercial bug bounty programs.\n\n**Be professional!** 💼 Any report of abuse or unprofessional conduct when working with OSS Project Maintainers will result in the finder being ineligible for the IBB bounty reward, at the sole discretion of the OSS Project Maintainers and/or the H1 IBB Team.\n\n## Step 2: Submit to IBB\n\n⚠️ *Do NOT submit unresolved vulnerabilities to the IBB!* ⚠️\n*You must first disclose to project maintainers according to their designated security policy.*\n\nVulnerabilities in the in-scope open source libraries must FIRST be responsibly reported, acknowledged, triaged, remediated and disclosed via Security Advisory or CVE by the project maintainers before submission to the IBB. 
\n\n**Eligibility Requirements**\n\n+ A Security Advisory has been published with the following information:\n  + An identifier (e.g., CVE, GHSA)\n  + A severity rating (e.g., CVSS)\n  + Acknowledgement of you as the Finder\n+ Project Maintainer has not reported a lack of professionalism \n\n## Step 3: Receive a payout! \nCongratulations! We are grateful for your dedication to securing the critical open source infrastructure we all use and depend upon.\n\nBounties are awarded following an 80/20 split model, where 80% of the reward is paid to the finder and 20% is paid to the OSS Project. \n\nWhy? Because we recognize that remediation is a critical component of the vulnerability lifecycle. This is often a thankless endeavor performed by overworked and underfunded volunteers working tirelessly to maintain OSS Projects. We believe that supporting their efforts in tandem is necessary to Empower the Community.\n\nThe [H1 IBB Team](mailto:ibb@hackerone.com) meets weekly to issue rewards for all eligible submissions.\n_________________________________________________________________\n# Want to help?\n## Nominate an Open Source Project! \nThe IBB’s mission involves continuously expanding the scope to cover all open source projects. We are prioritizing projects with widespread adoption and responsive security maintainers. If there’s a project you’d like to see in scope, please let us know and we will prioritize their inclusion.\n\nTo submit a nomination, email us the project information at ibb@hackerone.com and include any details that may help us understand why this project should be enrolled. 
Some examples of details to include are:\n+ Recently (or soon to be) published CVE for security research into the project\n+ Positive past experience with a responsive security maintainer\n+ Plans to continue security research into this project\n\nAlong with the above details, if you have any direct contacts you would like us to reach out to directly, feel free to include that information. If not, we will do our best to reach out to the right security contact at the project.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-16T20:52:46.387Z"},{"id":3658658,"new_policy":"# Welcome to the Internet Bug Bounty!\n\nThe Internet Bug Bounty is a crowdfunded bug bounty program that has been in operation since 2013, and in our book, with longevity comes renewal, reform, and expansion. So, in the spirit of constant improvement, we are happy to introduce the updated IBB program here.\n\nThe mission of the IBB is:\n+ **Secure Our Shared Software Components**: Incentivize security research into open source and software supply chain dependencies.\n+ **By Pooling Defenses**: Enable beneficiaries of open source to contribute to our collective security equitably.\n+ **From Discovery to Remediation**: Provide financial support to security researchers and the maintainers of open source, who often volunteer their talent.\n\n# How it works\n## Step 1: Discovered a potential Vulnerability? Submit to the Project Maintainers first!\n\nIBB only pays bounty awards for vulnerabilities that have been responsibly reported, acknowledged, triaged, remediated and disclosed via Security Advisory or CVE.\n\nRemember that OSS Projects are supported by groups of dedicated, but overwhelmed volunteers. 
So, while every OSS Project in scope for IBB has agreed to a reasonable timeline to acknowledge vulnerability reports, the expectation is that the timeline overall will be extended compared to commercial bug bounty programs.\n\n**Be professional!** 💼 Any report of abuse or unprofessional conduct when working with OSS Project Maintainers will result in the finder being ineligible for the IBB bounty reward, at the sole discretion of the OSS Project Maintainers and/or the H1 IBB Team.\n\n## Step 2: Submit to IBB\n\n⚠️ *Do NOT submit unresolved vulnerabilities to the IBB!* ⚠️\n*You must first disclose to project maintainers according to their designated security policy.*\n\nVulnerabilities in the in-scope open source libraries must FIRST be responsibly reported, acknowledged, triaged, remediated and disclosed via Security Advisory or CVE by the project maintainers before submission to the IBB. \n\n**Eligibility Requirements**\n\n+ A Security Advisory has been published with the following information:\n  + An identifier (e.g., CVE, GHSA)\n  + A severity rating (e.g., CVSS)\n  + Acknowledgement of you as the Finder\n+ Project Maintainer has not reported a lack of professionalism \n\n## Step 3: Receive a payout! \nCongratulations! We are grateful for your dedication to securing the critical open source infrastructure we all use and depend upon.\n\nBounties are awarded following an 80/20 split model, where 80% of the reward is paid to the finder and 20% is paid to the OSS Project. \n\nWhy? Because we recognize that remediation is a critical component of the vulnerability lifecycle. This is often a thankless endeavor performed by overworked and underfunded volunteers working tirelessly to maintain OSS Projects. 
We believe that supporting their efforts in tandem is necessary to Empower the Community.\n\nThe [H1 IBB Team](mailto:ibb@hackerone.com) meets weekly to issue rewards for all eligible submissions.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-21T13:10:52.672Z"}]