Welcome to the Internet Bug Bounty!

The Internet Bug Bounty is a crowdfunded bug bounty program that has been in operation since 2013, and in our book, with longevity comes renewal, reform, and expansion. So, in the spirit of constant improvement, we are happy to introduce the updated IBB program here.

The mission of the IBB is:

• Secure Our Shared Software Components: Incentivize security research into open source and software supply chain dependencies.
• By Pooling Defenses: Enable beneficiaries of open source to contribute to our collective security equitably.
• From Discovery to Remediation: Provide financial support to security researchers and the maintainers of open source, who often volunteer their talent.

---

How it works

Step 1: Discovered a potential Vulnerability? Submit to the Project Maintainers first!

IBB only pays bounty awards for vulnerabilities that have been responsibly reported, acknowledged, triaged, remediated and disclosed via Security Advisory or CVE. If there are multiple reporters of a vulnerability acknowledged within the security advisory, only the first reporter (as recognized by the project maintainers), will be eligible for bounty.

Remember that OSS Projects are supported by groups of dedicated, but overwhelmed volunteers. So, while every OSS Project in scope for IBB has agreed to a reasonable timeline to acknowledge vulnerability reports, the expectation is that the timeline overall will be extended compared to commercial bug bounty programs.

Be professional! 💼 Any report of abuse or unprofessional conduct when working with OSS Project Maintainers will result in the finder being ineligible for the IBB bounty reward, at the sole discretion of the OSS Project Maintainers and/or the H1 IBB Team.

Step 2: Submit to IBB

⚠️ Do NOT submit unresolved vulnerabilities to the IBB! ⚠️ You must first disclose to project maintainers according to their designated security policy.

Vulnerabilities in the in-scope open source libraries must FIRST be responsibly reported, acknowledged, triaged, remediated and disclosed via Security Advisory or CVE by the project maintainers before submission to the IBB.

Eligibility Requirements

• A Security Advisory has been published with the following information:
  • An identifier (e.g., CVE, GHSA)
  • A severity rating (e.g., CVSS)
  • Acknowledgement of you as the Finder
• Project Maintainer has not reported a lack of professionalism

Step 3: Receive a payout!

Congratulations! We are grateful for your dedication to securing the critical open source infrastructure we all use and depend upon.

Bounties are awarded following an 80/20 split model, where 80% of the reward is paid to the finder and 20% is paid to the OSS Project.

Why? Because we recognize that remediation is a critical component of the vulnerability lifecycle. This is often a thankless endeavor performed by overworked and underfunded volunteers working tirelessly to maintain OSS Projects. We believe that supporting their efforts in tandem is necessary to Empower the Community.

The H1 IBB Team meets monthly to issue rewards for all eligible submissions.

---

Want to help?

Nominate an Open Source Project!

The IBB’s mission involves continuously expanding the scope to cover all open source projects. We are prioritizing projects with widespread adoption and responsive security maintainers. If there’s a project you’d like to see in scope, please let us know and we will prioritize their inclusion.

To submit a nomination, email us the project information at [email protected] and include any details that may help us understand why this project should be enrolled. Some examples of details to include are:

• Recently (or soon to be) published CVE for security research into the project
• Positive past experience with a responsive security maintainer
• Plans to continue security research into this project

Along with the above details, if you have any direct contacts you would like us to reach out to directly, feel free to include that information. If not, we will do our best to reach out to the right security contact at the project.