We fund
open source security.
We pay security researchers for finding vulnerabilities in any GitHub repository and maintainers for fixing them.
90% of users
Got their first CVE
1.7 CVEs
Avg. per user
3.6 bounties per user
Avg. monthly winnings
Protecting 1000+ repos
Protecting open source software
The world's largest bug bounty programme
Reverse Bounties
Supporting those who find vulnerabilities, as well as those who fix them.
Submit a vulnerability
Global Recognition
All valid reports are eligible for a CVE and are made into public write-ups.
Browse the community’s latest finds
Millions of targets
With an almost unlimited scope, you won't have to worry about duplicates again!
Find a target
Our process
The story of vulnerability disclosure, from start to finish
1. Disclosure
The researcher finds a potential vulnerability in an open-source repository and reports it through our disclosure form
2. Notification
The maintainer is notified of the report via email or GitHub communication
3. Validation
The maintainer validates the vulnerability
4. Reward
The researcher is awarded the disclosure bounty for their successful vulnerability report
5. Fix
The maintainer submits a fix for the vulnerability and is awarded a fix bounty
6. CVE
The researcher's report will be assigned a CVE (within one hour!) if the vulnerability is found in the top 40% most popular open-source repositories