  • Minimum bounty: $500
  • Hackers thanked: 1
  • Bugs closed: 2

Nginx is a free, open-source, high-performance HTTP server and reverse proxy. It powers some of the most important sites on the web, making it an undeniably critical piece of internet infrastructure. The project has a strong security track record, and uncovering potential vulnerabilities is increasingly difficult. These bounties are our way of saying "Thanks" to the security researchers who take up this challenge.

Bounty Qualification

The project maintainers have the final decision on which issues constitute security vulnerabilities. The Panel will respect their decision, and we ask that you do as well. Our rewards are tied to the severity level as determined by the project.

  • Major (with RCE): $3,000 ($6,000 with patch)
  • Major: $1,500 ($3,000 with patch)
  • Medium: $500 ($1,000 with patch)
  • Minor: N/A

It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.

Submission Process

  • Disclose a previously unknown security vulnerability directly to the project maintainers.
  • Follow the disclosure process established by the project maintainers.
  • Clearly demonstrate the security vulnerability. Respect the time of the project volunteers, as they cannot invest significant effort into incomplete reports. Low-quality reports may be disqualified.
  • Finding the vulnerability is only half the battle, so we'll award a matching bounty for an accepted patch. We encourage you to fully investigate the issue, adhere to the project's code quality standards, and submit a patch. Otherwise, we'll donate the additional bounty to the Nginx project or a non-profit chosen by the project maintainers.
  • Once a public security advisory has been issued, please contact us at ibb-panel@hackerone.com. You must not send us the details of the vulnerability until it has been validated, accepted, and publicly disclosed by the project maintainers.

The Internet Bug Bounty rewarded lmolas with a $3,000 bounty for an Nginx bug: SPDY heap buffer overflow. (23 days ago)

The Internet Bug Bounty rewarded lmolas with a $3,000 bounty for an Nginx bug: SPDY memory corruption. (23 days ago)

Nginx has started using HackerOne. (4 months ago)