

The Internet Bug Bounty Panel is awarding bounties for critical security vulnerabilities in popular, open source programming languages. Thanks to the hard work of the developers of these languages, uncovering vulnerabilities in this software is increasingly challenging. These bounties are our way of saying "Thanks" to the security researchers who take up this challenge.

Bounty Qualification

Only critical vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for a bounty - typically Arbitrary Code Execution or equivalent impact. While we encourage you to submit all potential issues, lower severity issues are not in scope at this time.

| Impact | Requirement | Amount |
|---|---|---|
| High | Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved. | $1,500+ |
| Medium | Demonstrate that remote exploitation of this bug is very likely (e.g. good control of a register). | $1,000 |
| Minimum | Demonstrate the presence of a security bug with probable remote exploitation potential. | $500 |

Only vulnerabilities in the core Python programming language and standard library will be considered for eligibility. Submissions related to python.org and other project websites are explicitly NOT eligible.

The project maintainers have the final decision on which issues constitute security vulnerabilities. The Panel will respect their decision, and we ask that you do as well.

It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.

Submission Process

  • Disclose a previously unknown security vulnerability directly to the project maintainers.
  • Follow the disclosure process established by the project maintainers.
  • Clearly demonstrate the security vulnerability. Respect the time of the project volunteers as they cannot invest significant effort into incomplete reports. Low-quality reports may be disqualified.
  • Once a public security advisory has been issued, please contact us at panel@internetbugbounty.org. You must not send us the details of the vulnerability until it has been validated, accepted, and publicly disclosed by the project maintainers.

Python published their program on HackerOne almost 2 years ago.

  • Minimum bounty: $500
  • Hackers thanked: 8
  • Reports closed: 15