Some of the most critical vulnerabilities in the Internet's history have been resolved thanks to the efforts of researchers fueled entirely by curiosity and altruism. We owe these individuals an enormous debt and believe it is our duty to do everything in our power to demonstrate how much this research is appreciated. To that end, the Internet Bug Bounty Panel will reward public research into vulnerabilities with the potential for severe security implications to the public.
Simply put: hack all the things, send us the good stuff, and we'll do our best to reward you.
The Fine Print
To qualify, vulnerabilities should meet most of the following criteria:
- Be vendor agnostic: vulnerability is present in implementations from multiple vendors or a vendor with dominant market share. Do not send us vulnerabilities that only impact a single website, product, or project.
- Be widespread: vulnerability manifests itself across a wide range of products, or impacts a large number of end users.
- Be severe: vulnerability has extreme negative consequences for the general public.
- Be novel: vulnerability is new or unusual in an interesting way.
The Panel will gladly assist with the coordinated disclosure of any potential vulnerabilities. However, we recognize that we will not be the most effective avenue in all circumstances. We will gladly consider rewards for vulnerabilities that have been publicly disclosed through some other means, provided they adhered to our disclosure guidelines.
It's important to keep in mind that not all submissions will qualify for a bounty. The decision to award a bounty is entirely at the discretion of the Internet Bug Bounty Panel.
We provide the following examples of publicly disclosed vulnerabilities that we would have rewarded:
- SSL blockwise chosen-boundary attack, aka BEAST
- DNS Insufficient Socket Entropy Vulnerability
- Debian predictable PRNG
- Sotirov, et al. MD5 Collision attack against PKI
Minimum reward of $5,000, with significantly higher rewards granted at the Panel's discretion.
Thanks @AllieBrosh for personifying our mission