Bug Bounties – What Are They And Why They Work

One of the ways that the OSTIF supports open-source projects is via Bug Bounties. A bug bounty is a reward that is paid out to developers who find critical flaws in software. The bounty can be monetary reward, or being put into a “hall of fame” list for finding the bounty, or gear from the company giving the bounty, or any combination thereof. With open-source software, anyone in the world is free to comb through the code of an application and look for flaws.

We create monetary rewards to encourage researchers to comb through our supported projects. We will also maintain a page where we prominently display the names of researchers that have pinned down bugs and submitted them to us in a responsible manner.

The rules of responsible disclosure are as follows:

1. You must be finding a flaw in the supported application, not the machines Operating System or supporting software. The software must also be a current stable release or beta release that is widely used. 2. You must not break any laws. This means doing the related testing on your own equipment or with the explicit written permission of the owners of the equipment. 3. Employees of the OSTIF, members of the development team for the supported project, and their relatives and other interested parties are ineligible for cash bounties.
4. The OSTIF has discretionary control over any award and can choose not to reward vulnerabilities that are not significant or that are discovered by any means that violate any of the other rules in this list. 5. The OSTIF may give out partial rewards for small vulnerabilities, at it’s discretion. The severity of the vulnerability will depend on the opinion of the OSTIF and severity ratings by the National Vulnerability Database and the Common Vulnerabilities and Exposures rating. 6. All bounty-eligible submissions must be done responsibly. This means properly encrypting your messages and not disclosing the vulnerability to any parties outside of the developers of the supported project.
7. Any disclosures to supported projects must be transmitted via PGP or OTR encrypted communication. 8. You are responsible for any and all taxes related to a reward received from the OSTIF. 9. If you reside in a nation where there are currently economic sanctions from the United States, you cannot receive a reward from the OSTIF. This is to protect the OSTIF legally and has no bearing on how we regard the nations in question.
10. Your testing and other activities may not interrupt commercial services to any party. This specifically includes actions that may be legal inside your country of residence. 11. The bug must be new and not previously reported. 12. The bug must be remotely exploitable in a standard configuration, unless it is specifically noted otherwise in the bug bounty for the application in question.
13. The OSTIF will request outside verification for all parties that are applying for bounty pay. 14. OSTIF bounties will only be paid when the CVE is made public, and a patch is in place for the supported application. 15. This program may be amended or discontinued, without notice, at any time.

To submit a bug to a supported project:
Visit this page (bug bounty program not currently active)
The history of bug bounties and stories about how effective they are can be found on the Wiki here:

Companies that fund their own bug bounty programs:
Microsoft, Mozilla, Google, Facebook, Yahoo, AT&T, Paypal, Samsung, Github, Mega, Pinterest