
Vercel Open Source
Bounty Range
$50 - $400
external program
Program guidelines
We appreciate your interest in helping secure Vercel’s open source projects. This program exists to support responsible security research and strengthen the open source software relied on by millions of developers.
To ensure that your report is triaged quickly, please review the full policy carefully, including the defined scope and exclusions, and submit detailed, reproducible findings in accordance with [HackerOne’s submission guidelines](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards).
This policy incorporates best practices from the [HackerOne Safe Harbor Framework](https://hackerone.com/security/safe_harbor?type=team) and is designed to provide clear legal and ethical guidelines for researchers acting in good faith.
Rewards and report acceptance are determined at Vercel’s discretion and are based on the demonstrated impact and severity of the vulnerability.
Gold Standard Safe Harbor: adheres to the [Gold Standard Safe Harbor statement](https://docs.hackerone.com/en/articles/8494525-gold-standard-safe-harbor-statement).
Platform Standards: fully compliant with [Platform Standards](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards#h_e01bc643a8).
Coordinated Vulnerability Disclosure: [Standard](https://docs.hackerone.com/en/articles/9829406-coordinated-vulnerability-disclosure).
Top Response Efficiency: this program's response efficiency is above 90% (see [response target indicators](https://docs.hackerone.com/en/articles/8490880-response-target-indicators)).
Managed by HackerOne. Collaboration enabled. Includes retesting.
1 day, 7 hours Average time to first response
1 day, 23 hours Average time to triage
1 week, 6 days Average time to bounty
2 weeks, 1 day Average time from submission to bounty
3 weeks, 2 days Average time to resolution
Last updated on February 20, 2026. [View changes](/vercel-open-source/bounty_table_versions)
Each severity lists the 90-day average bounty and the percentage of total resolved reports, if applicable.
Low: avg. bounty $348, 29.63% of submissions
Medium: avg. bounty $1,240, 48.15% of submissions
High: avg. bounty $5,909, 18.52% of submissions
Critical: avg. bounty $10,000, 3.70% of submissions
| Tier | Low | Medium | High | Critical |
|---|---|---|---|---|
| Tier 3 | $50–$150 | $200–$300 | $325–$400 | $400–$500 |
| Tier 2 | $50–$200 | $250–$500 | $750–$2,500 | $2,750–$5,000 |
| Tier 1 | $200–$500 | $550–$1,000 | $1,250–$5,000 | $5,250–$10,000 |
Bounties will be awarded at Vercel’s discretion, based on severity (using CVSS 4.0), real-world impact, and report quality. Bonus modifiers will apply for certain high-value findings.
For more information on what assets belong in which Tier, please see the '#user-content-scope' section in the policy below.
Core Ineligible Findings are out of scope. [Learn more](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings)
Last updated on February 24, 2026. [View changes](/vercel-open-source/policy_versions)
Vercel looks forward to working with the security community to find vulnerabilities in our open source projects in order to keep our ecosystem and users safe. This program covers core Vercel open source projects that power modern web development.
[Next.js Documentation](https://nextjs.org/docs)
[Nuxt Documentation](https://nuxt.com/modules)
[Turborepo Documentation](https://turbo.build/)
[SWR Documentation](https://swr.vercel.app/)
[AI SDK Documentation](https://sdk.vercel.ai/)
Server-side rendering and build-time security
Compiler security and code injection
Build system integrity and supply chain
Data fetching and caching mechanisms
AI model integration security
https://github.com/vercel/next.js - React framework for production web applications
https://github.com/nuxt/nuxt - Vue.js framework for building performant web applications
https://github.com/vercel/swr - React Hooks library for data fetching
https://github.com/sveltejs/svelte - Compiler for building user interfaces
https://github.com/sveltejs/kit - A framework for rapidly developing robust, performant web applications using Svelte
https://github.com/vercel/turborepo - High-performance build system for monorepos
[AI SDK](https://github.com/vercel/ai) - TypeScript toolkit for AI applications
https://github.com/vercel/vercel - Vercel CLI
https://github.com/vercel/workflow - Framework for adding durability, reliability, and observability to async JavaScript. Build apps and AI agents
https://github.com/vercel/flags - The feature flags toolkit for Next.js and SvelteKit
https://github.com/vercel/ms - Package for easily converting time formats to milliseconds
https://github.com/nitrojs/nitro - Next Generation Server Toolkit
https://github.com/vercel/async-sema - A semaphore implementation for use with async and await
https://github.com/vercel-labs/skills - The CLI for the open agent skills ecosystem
Vulnerabilities on Vercel-maintained/sponsored websites supporting Tier 1 projects (e.g. http://nextjs.org, ...)
We use CVSS 4.0 scoring with adjustments for:
Real-world exploitability in typical deployment scenarios
Impact on the broader ecosystem
Ease of exploitation and attack complexity
Default vs. non-default configuration requirements
Severity reduction in cases reliant on experimental features or “development mode”
Bonus Modifiers (up to 100%!)
+50%: Vulnerabilities affecting multiple projects in the ecosystem
+25%: High-quality reports with suggested patches or mitigation
+25%: Vulnerabilities in core security features
[Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings) are out of scope
Third-party dependencies (unless misused by the project)
End of Life (EoL) or deprecated software versions
Archived repositories
Misuse of 3rd party by project
Projects no longer under active development or maintenance
Issues inherited from a fork are out of scope unless direct impact on Vercel, Vercel customers, or project users can be shown
Templates, examples, starter projects, and documentation code snippets
Community infrastructure (Discord, GitHub Discussions, etc.)
Personal websites/blogs of maintainers
Social engineering attacks
Issues requiring destructive testing
Documentation / code examples
Content modification (wikis are intentionally editable)
SWC: Rust standard library or LLVM vulnerabilities
Next.js: Cloud provider-specific deployment issues (report these to our main program if on Vercel platform)
Nuxt: Cloud provider-specific deployment issues (report these to our main program if on Vercel platform)
Svelte/SvelteKit: Cloud provider-specific deployment issues (report these to our main program if on Vercel platform)
Skills: Malicious skills not relating to vulnerabilities in the skills infrastructure or skills application
[Added November 2025] No testing on production systems or services: Researchers must NOT conduct proof-of-concept testing or active exploitation directly against Vercel-owned production repositories or systems, including:
Live Vercel services
Vercel-owned production websites or APIs
Deployed customer environments
CI/CD in Vercel-maintained repositories
Vercel-owned infrastructure
Detailed reports required: Please provide detailed reports with reproducible steps and a zip artifact containing proof-of-concept code. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
One vulnerability per report: Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
Duplicates: When duplicates occur, we award the first valid report against a currently supported version (provided it can be fully reproduced).
Root cause consolidation: Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. Reports addressing the same issue will be marked as duplicates if the previously rolled-out patch works for the submitted affected version. However, if the patch doesn't work on the submitted affected version, it may be considered for a bounty reward at Vercel’s discretion.
No social engineering: Social engineering (e.g., phishing, vishing, smishing) is prohibited.
Good faith testing: Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of services.
Do not access more data than necessary for a proof of vulnerability.
Stop immediately if you encounter personal data/secrets; do not download; redact.
Do not attempt to achieve, or maintain, persistence on any Vercel owned system.
Scanner rate limits: When testing explicitly in-scope Vercel-operated assets, security scanners must be limited to 5 queries per second (QPS) against Vercel domains to avoid service disruption.
Account ownership: Only interact with accounts you own or with the explicit written permission of the account holder.
Do not damage, cause disruption, access data, or modify data on any systems you are not authorized to test on (including all Vercel systems and services).
All tests performed must not violate any law or compromise data that you do not own.
Do not make any threats against or towards Vercel or HackerOne staff.
Do not submit AI generated reports without first reviewing and confirming real impact and verifying a working Proof-of-Concept.
Use standard development environments and officially documented setup procedures
Test against the latest stable releases unless investigating specific version issues
Please use your HackerOne alias email when creating test accounts if needed (mailto:[email protected])
Focus on the source code and documented functionality rather than specific deployment configurations
Please ensure you are submitting the correct affected version(s) of the code. You will be required to fill out a field called ‘Affected version(s)’.
All vulnerability reports must include a zip file containing working proof-of-concept code that demonstrates the issue in the affected version(s). Reports without demonstration artifacts will not be eligible for bounty consideration.
In cases where a PoC is not feasible, detailed reproduction steps or minimal test cases may be accepted at Vercel’s discretion, but only with Vercel’s approval.
Include any other helpful PoC material, such as screenshots or videos, when applicable.
Suggestions for patches or mitigation are optional but can warrant a bonus at Vercel’s discretion.
Participation in this program is conditional on confidentiality obligations. By submitting a report, you agree to the following:
Confidential Information includes, but is not limited to, all vulnerability reports, proof-of-concept code, communications with Vercel, program documentation, and any related materials shared or generated through your participation.
You may only use Confidential Information for the purpose of participating in this program.
You may not disclose Confidential Information to any third party without Vercel’s express written consent, except to authorized Vercel employees, or contractors who have a legitimate need to know and are bound by equivalent confidentiality obligations.
You must keep all Confidential Information secure and promptly notify Vercel if you become aware of a breach.
You must securely delete Confidential Information within 30 days of Vercel’s written request, except where retention is required for legal or compliance reasons.
Confidentiality obligations last for two (2) years from the date of disclosure, even if this program ends or your participation ceases.
Disclosure of vulnerabilities, including resolved issues, will be at Vercel’s discretion and coordinated with the researcher. Vercel aims to post advisories on applicable repositories after appropriate remediation and coordination periods.
Researchers must respect all applicable laws and the community standards outlined in the [Vercel Code of Conduct](https://github.com/vercel/vercel/blob/main/.github/CODE_OF_CONDUCT.md). Any behavior that violates this Code may result in disqualification from the program and forfeiture of bounty eligibility.
Researchers must also follow [HackerOne’s disclosure guidelines](https://www.hackerone.com/terms/disclosure-guidelines). Where there is any conflict between those guidelines and this Policy, this Policy prevails.
Breach of these obligations will result in disqualification from the program and forfeiture of eligibility for rewards.
CVEs will be provided at Vercel’s discretion, but vulnerabilities must meet the following minimum requirements for consideration:
Lead to action on a tier 1 repository with an adjusted CVSS score of at least 3.8
Lead to action on a tier 2 repository with an adjusted CVSS score of at least 7.0
Vulnerability must be present in distributable code (npm, pypi, or similar)
Vulnerability must not be reliant on an experimental feature or “development mode”
Reports given a CVE will be made public 30 days after the CVE’s publication (subject to variability at Vercel’s discretion)
Vercel will make a best effort to meet the following response targets:
Time to first response (from report submitted): 1 business day
Time to triage (from report submitted): 7 business days
Time to bounty decision (from triage): 10 business days
We’ll try to keep you informed of our progress throughout the process
Vercel employees and contractors (past or present)
Maintainers/contributors of Vercel Sponsored projects (past or present)
Immediate family members of Vercel employees
Individuals involved in the vulnerability discovery or fix
HackerOne staff working on this program
HackerOne Support
Thank you for helping keep Vercel’s open source ecosystem and developer community safe! We value your contributions to OSS security.
[See all hackers](/vercel-open-source/thanks)
Top hackers by reputation: 1. aphantom (187), 2. andrewmohawk (180), 3. adnanthekhan (175), 4. sndd (129), 5. jviide (120), 6. aviv_keller (116), 7. hellnia (114), 8. cswiers (88), 9. bjorm (79), 10. mxnd (70), 11. mister_mime (66), 12. geeknik (66)
Vercel Open Source (https://vercel.com/): bug bounty program launched in February 2026.
Response efficiency: 92%
Reward ranges by severity (all tiers combined):
Low: $50–$500
Medium: $200–$1,000
High: $325–$5,000
Critical: $400–$10,000
Total bounties paid: $145,733
Average bounty range: $721–$907
Top bounty range: $5,000–$10,250
Bounties paid (90 days): $120,583
Reports received (90 days): 2,761
Last report resolved: 8 days ago
Reports resolved: 56
Hackers thanked: 190
Assets in scope: 17
© HackerOne