Open Bug Bounty

Open Bug Bounty is a non-profit bug bounty platform established in 2014. The coordinated vulnerability disclosure platform allows independent security researchers to report XSS and similar security vulnerabilities on any website they discover using non-intrusive security testing techniques. The researchers may choose to make the details of the vulnerabilities public in 90 days since vulnerability submission or to communicate them only to the website operators. The program's expectation is that the operators of the affected website will reward the researchers for making their reports.

Program
Unlike commercial bug bounty programs, Open Bug Bounty is a non-profit project and does not require payment by either the researchers or the website operators. Any bounty is a matter of agreement between the researchers and the website operators. Heise.de identified the potential for the website to be a vehicle for blackmailing website operators with the threat of disclosing vulnerabilities if no bounty is paid, but reported that Open Bug Bounty prohibits this.

Open Bug Bounty was launched by private security enthusiasts in 2014, and as of February 2017 had recorded 100,000 vulnerabilities, of which 35,000 had been fixed. It grew out of the website XSSPosed, an archive of cross-site scripting vulnerabilities.

In February 2018, the platform had 100,000 fixed vulnerabilities using coordinated disclosure program based on ISO 29147 guidelines.

Up to the end of 2019, the platform reported 272,020 fixed vulnerabilities using coordinated disclosure program based on ISO 29147 guidelines.