VOOZH about

URL: https://glama.ai/mcp/servers/Lissy93/bug-bounties

⇱ bug-bounties by Lissy93 | Glama

Top Programs

About

The objective of this repo is to provide a centralized listing of public bounty programs, along with contact details and rewards. Which can either be browsed via the website or integrated into your workflow using MCP server or API.

We maintain a directory of independently-run programs in independent-programs.yml, and we also aggregate data from public sources (such as HackerOne, Bugcrowd, Intigriti, YesWeHack, Federacy, Disclose, etc), which is then normalized, deduplicated, validated against a schema, and merged into platform-programs.yml.

graph LR
 A[Public Sources] -->|fetch| B[Normalize & Dedup]
 B --> C1[Validate]
 C1 --> D[platform-programs.yml]
 G[Community Submissions] -->|issue form| C2[Validate]
 C2 --> H[independent-programs.yml]
 D --> I[API + MCP]
 H --> I
 D --> F[Website]
 H --> F
 D --> E[README]
 H --> E
 style A fill:#8037e0,stroke:#360a70,color:#fff
 style G fill:#8037e0,stroke:#360a70,color:#fff
 style B fill:#334155,stroke:#1e293b,color:#fff
 style C1 fill:#3bc964,stroke:#185c2b,color:#0c121a
 style C2 fill:#3bc964,stroke:#185c2b,color:#0c121a
 style D fill:#fdc500,stroke:#9e7b06,color:#0c121a
 style H fill:#fdc500,stroke:#9e7b06,color:#0c121a
 style E fill:#2ebdfa,stroke:#0f6b8f,color:#0c121a
 style F fill:#2ebdfa,stroke:#0f6b8f,color:#0c121a
 style I fill:#2ebdfa,stroke:#0f6b8f,color:#0c121a

Submitting a Program

To include a new self-managed CVD or bug bounty program to the website, add it to independent-programs.yml (in alphabetical order by company name). Either, fork the repo add you entry(s) and then open a PR, or just open an issue or fill in this form, and we will add it for you.

Required fields are company and url, all others are optional

Field

Type

Required

Description

company

string

Yes

Company or program owner name

url

URL

Yes

Canonical program or security page URL

contact

string

No

Contact URL (mailto: or https://)

rewards

array

No

Reward types: *bounty, *recognition, *swag

description

string

No

Short program description (max 500 chars)

program_type

enum

No

bounty, vdp, or hybrid

status

enum

No

active or paused

Scope

domains

array

No

In-scope domains (flat list shorthand)

scope

array

No

Structured targets: {target, type} where type is one of web, mobile, api, hardware, iot, network, cloud, desktop, other

out_of_scope

array

No

Explicitly excluded targets or categories

Payouts

min_payout

number

No

Minimum payout amount

max_payout

number

No

Maximum payout amount

currency

string

No

Payout currency code (for example USD)

payout_table

object

No

Per-severity max amounts: {critical, high, medium, low}

Rules

testing_policy_url

URL

No

Link to full testing rules

excluded_methods

array

No

Forbidden techniques such as dos, social_engineering, phishing, physical_access, automated_scanning

requires_account

boolean

No

Whether testing requires an account

Disclosure

safe_harbor

enum

No

full or partial

allows_disclosure

boolean

No

Whether researchers may publish findings

disclosure_timeline_days

number

No

Coordinated disclosure window in days

response_sla_days

number

No

Committed acknowledgment time in business days

Legal & Recognition

legal_terms_url

URL

No

Link to participation terms

hall_of_fame_url

URL

No

Link to researcher acknowledgments page

swag_details

string

No

Description of swag offered (max 200 chars)

reporting_url

URL

No

Submission endpoint if different from url

Communication

pgp_key

string

No

URL to PGP key

preferred_languages

string

No

Preferred report languages

standards

array

No

Standards followed, for example ISO 29147, disclose.io

Bare Minimum:

- company: Example Corp
 url: https://example.com/security

Full:

- company: Example Corp
 url: https://example.com/security
 contact: mailto:security@example.com
 rewards:
 - '*bounty'
 program_type: bounty
 status: active
 min_payout: 100
 max_payout: 10000
 currency: USD
 payout_table:
 critical: 10000
 high: 5000
 medium: 1000
 low: 100
 safe_harbor: full
 allows_disclosure: true
 disclosure_timeline_days: 90
 response_sla_days: 3
 scope:
 - target: '*.example.com'
 type: web
 - target: Example Mobile App
 type: mobile
 out_of_scope:
 - Third-party services
 - Staging environments
 excluded_methods:
 - dos
 - social_engineering
 - phishing
 hall_of_fame_url: https://example.com/security/thanks
 preferred_languages: English
 standards:
 - ISO 29147
 description: Short description of the program scope and rules.

Using the Data

Mirror

A mirror of this repo and all data is published to CodeBerg, at: codeberg.org/alicia/bug-bounties

Developer Usage

Start by clone the repo with git clone git@github.com:Lissy93/bug-bounties.git && cd bug-bounties

Data Aggregation

  1. make install - Setup environment and install dependencies (from requirements.txt)

  2. make populate - Fetch the latest directory of programs, format, and write to platform-programs.yml

  3. make validate - Verify and validate platform-programs.yml and independent-programs.yml against the schema.json

  4. make readme - Generate and insert a summarized list of programs into the README.md

Website

  1. cd web to navigate into the web/ directory

  2. npm i to install dependencies

  3. npm run dev to start the development server

  4. npm run build to build the production site

Deployment

  • Option 1) Upload the content of web/dist/ into any web server, static hosting provider or CDN

  • Option 2) Import the project into Vercel or Netlify directly, where it will be automatically deployed

  • Option 3) For Docker, run docker run -p 8080:8080 ghcr.io/lissy93/bug-bounties:latest

Alternatively, all the above tasks can be run directly using GitHub Actions. Simply fork the project, and trigger the workflow(s).

Credits

Sponsors

Huge thanks to the following kind people, for their ongoing support in funding this, and other of my projects via GitHub Sponsors

πŸ‘ Sponsors

Contributors

πŸ‘ Top Contributors

Attributions

Data Sources

Core Dependencies

License

Lissy93/Bug-Bounties is licensed under MIT Β© Alicia Sykes 2023 - 2026. For information, see TLDR Legal > MIT

The MIT License (MIT)
Copyright (c) Alicia Sykes <alicia@omg.com> 

Permission is hereby granted, free of charge, to any person obtaining a copy 
of this software and associated documentation files (the "Software"), to deal 
in the Software without restriction, including without limitation the rights 
to use, copy, modify, merge, publish, distribute, sub-license, and/or sell 
copies of the Software, and to permit persons to whom the Software is furnished 
to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included install 
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANT ABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NON INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
A
license - permissive license
-
quality - not tested
A
maintenance

Maintenance

–Maintainers
<1hResponse time
–Release cycle
–Releases (12mo)
Commit activity
Issues opened vs closed

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Lissy93/bug-bounties'

If you have feedback or need assistance with the MCP directory API, please join our Discord server