Frequently Asked Questions

Why run an Internet Bug Bounty program?

Our collective safety is only possible when public security research is allowed to flourish. Some of the most critical vulnerabilities in the internet's history have been resolved thanks to efforts of researchers fueled entirely by curiosity and altruism. We owe these individuals an enormous debt and believe it is our duty to do everything in our power to cultivate a safe, rewarding environment for past, present, and future researchers.

Who is running the Internet Bug Bounty?

The Internet Bug Bounty program is administered by an independent panel of security experts from the community. The Panel is responsible for defining the rules of the program, allocating bounties to where additional security research is needed most, and mediating any disagreements that might arise.

How is the program funded?

The Internet Bug Bounty program is sponsored by individuals and organizations who genuinely care about our collective security. Their contributions directly fund the bounties paid to finders with no portion going to the Panel or administration: 100% goes to finders. Sponsors do not have any special access or rights to vulnerability data. If you'd like to sponsor security research, let us know!

What types of bugs qualify for bounties?

First, make certain you follow our general guidelines for vulnerability disclosure. Next, each Security Team has a unique set of criteria for what bugs are in scope along with any special rules they'd like you to adhere to. Be certain to carefully read each individual team page before beginning any research or testing on their products.

Who decides how much each bounty is?

The Panel may provide general guidance on bounties, but the appropriate Security Teams will assess each individual report to determine its bounty eligibility. The Panel is available to meditate any disagreements that may arise.

I'm a contributor to an open source project. Am I eligible?

Yes! However, we have two simple caveats: your involvement with the project is a labor of love as an unpaid volunteer, and you did not author or review the blamed commit.

What about software or services where the vendor already has a bounty program?

Where the vendor already has a reasonable bounty program in place, we request that you contact the vendor directly.

Can I report the bug to you via a third-party broker?

No. It is unacceptable to share the vulnerability with anyone without the explicit consent of the Security Team.

Can I report the bug directly to the Security Team?

In most cases, yes. Please review the Security Team's profile for specifics on their accepted routes for submission.

How is IBB different from CII (Core Infrastructure Initiative)?

While IBB and CII have very similar goals, they are distinct, yet complementary in nature. CII enables technology companies to collaboratively identify and fund open source projects that are in need of assistance, while allowing the developers to continue their work under the community norms that have made open source so successful. IBB helps reward security research that results in identification of vulnerabilities in open source projects and other critical software that supports the Internet stack.

Are donations to the IBB tax deductible?

The Internet Bug Bounty is incorporated as a not-for-profit organization, but is still in the process of applying for federal tax-exempt status under IRS 501(c)(3). As such, donations to the IBB are not tax deductible at this time.