Lissy93

bug-bounties

⚔️ A compiled list of companies who have active programs for responsible disclosure. MCP-enabled.

Top Programs

Key: 💰 = bounty. 🏅 = shout-out. 🎁 = swag. View full list and details at bug-bounties.as93.net

About

The objective of this repo is to provide a centralized listing of public bounty programs, along with contact details and rewards. The data can be browsed via the website or integrated into your workflow using the MCP server or API.

We maintain a directory of independently-run programs in independent-programs.yml, and we also aggregate data from public sources (such as HackerOne, Bugcrowd, Intigriti, YesWeHack, Federacy, Disclose, etc), which is then normalized, deduplicated, validated against a schema, and merged into platform-programs.yml.

graph LR
    A[Public Sources] -->|fetch| B[Normalize & Dedup]
    B --> C1[Validate]
    C1 --> D[platform-programs.yml]
    G[Community Submissions] -->|issue form| C2[Validate]
    C2 --> H[independent-programs.yml]
    D --> I[API + MCP]
    H --> I
    D --> F[Website]
    H --> F
    D --> E[README]
    H --> E
    style A fill:#8037e0,stroke:#360a70,color:#fff
    style G fill:#8037e0,stroke:#360a70,color:#fff
    style B fill:#334155,stroke:#1e293b,color:#fff
    style C1 fill:#3bc964,stroke:#185c2b,color:#0c121a
    style C2 fill:#3bc964,stroke:#185c2b,color:#0c121a
    style D fill:#fdc500,stroke:#9e7b06,color:#0c121a
    style H fill:#fdc500,stroke:#9e7b06,color:#0c121a
    style E fill:#2ebdfa,stroke:#0f6b8f,color:#0c121a
    style F fill:#2ebdfa,stroke:#0f6b8f,color:#0c121a
    style I fill:#2ebdfa,stroke:#0f6b8f,color:#0c121a

Submitting a Program

To add a new self-managed CVD or bug bounty program to the website, add it to independent-programs.yml (in alphabetical order by company name). Either fork the repo, add your entry(s) and then open a PR, or just open an issue or fill in this form, and we will add it for you.

Fields reference

Required fields are company and url; all others are optional.

| Field | Type | Required | Description |
|---|---|---|---|
| `company` | string | Yes | Company or program owner name |
| `url` | URL | Yes | Canonical program or security page URL |
| `contact` | string | No | Contact URL (`mailto:` or `https://`) |
| `rewards` | array | No | Reward types: `*bounty`, `*recognition`, `*swag` |
| `description` | string | No | Short program description (max 500 chars) |
| `program_type` | enum | No | `bounty`, `vdp`, or `hybrid` |
| `status` | enum | No | `active` or `paused` |
| **Scope** | | | |
| `domains` | array | No | In-scope domains (flat list shorthand) |
| `scope` | array | No | Structured targets: `{target, type}` where type is one of `web`, `mobile`, `api`, `hardware`, `iot`, `network`, `cloud`, `desktop`, `other` |
| `out_of_scope` | array | No | Explicitly excluded targets or categories |
| **Payouts** | | | |
| `min_payout` | number | No | Minimum payout amount |
| `max_payout` | number | No | Maximum payout amount |
| `currency` | string | No | Payout currency code (for example USD) |
| `payout_table` | object | No | Per-severity max amounts: `{critical, high, medium, low}` |
| **Rules** | | | |
| `testing_policy_url` | URL | No | Link to full testing rules |
| `excluded_methods` | array | No | Forbidden techniques such as `dos`, `social_engineering`, `phishing`, `physical_access`, `automated_scanning` |
| `requires_account` | boolean | No | Whether testing requires an account |
| **Disclosure** | | | |
| `safe_harbor` | enum | No | `full` or `partial` |
| `allows_disclosure` | boolean | No | Whether researchers may publish findings |
| `disclosure_timeline_days` | number | No | Coordinated disclosure window in days |
| `response_sla_days` | number | No | Committed acknowledgment time in business days |
| **Legal & Recognition** | | | |
| `legal_terms_url` | URL | No | Link to participation terms |
| `hall_of_fame_url` | URL | No | Link to researcher acknowledgments page |
| `swag_details` | string | No | Description of swag offered (max 200 chars) |
| `reporting_url` | URL | No | Submission endpoint if different from `url` |
| **Communication** | | | |
| `pgp_key` | string | No | URL to PGP key |
| `preferred_languages` | string | No | Preferred report languages |
| `standards` | array | No | Standards followed, for example ISO 29147, disclose.io |

Example entry

Bare Minimum:

- company: Example Corp
  url: https://example.com/security

Full:

- company: Example Corp
  url: https://example.com/security
  contact: mailto:[email protected]
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  min_payout: 100
  max_payout: 10000
  currency: USD
  payout_table:
    critical: 10000
    high: 5000
    medium: 1000
    low: 100
  safe_harbor: full
  allows_disclosure: true
  disclosure_timeline_days: 90
  response_sla_days: 3
  scope:
  - target: '*.example.com'
    type: web
  - target: Example Mobile App
    type: mobile
  out_of_scope:
  - Third-party services
  - Staging environments
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  hall_of_fame_url: https://example.com/security/thanks
  preferred_languages: English
  standards:
  - ISO 29147
  description: Short description of the program scope and rules.
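
A pre-submission check built from the fields reference above, useful for catching a bad enum value or a non-web URL before opening a PR. This is an added example, not the project's validator or its schema.json; the names `check_entry` and `is_web_url`, the http(s)-only rule for URL fields, and the sample entries are assumptions, and entries are shown as already-parsed YAML.

```python
from urllib.parse import urlparse

# Allowed values copied from the fields reference above.
ENUMS = {"program_type": {"bounty", "vdp", "hybrid"},
         "status": {"active", "paused"},
         "safe_harbor": {"full", "partial"}}
REWARDS = {"*bounty", "*recognition", "*swag"}
SCOPE_TYPES = {"web", "mobile", "api", "hardware", "iot", "network",
               "cloud", "desktop", "other"}
URL_FIELDS = ("url", "testing_policy_url", "legal_terms_url",
              "hall_of_fame_url", "reporting_url")


def is_web_url(value):
    # Accept only http(s) URLs with a host; these links get rendered on a site.
    parts = urlparse(value) if isinstance(value, str) else None
    return bool(parts and parts.scheme in ("http", "https") and parts.netloc)


def check_entry(entry):
    """Return a list of problems for one parsed YAML entry (empty = OK)."""
    errs = [f"{f}: required" for f in ("company", "url") if not entry.get(f)]
    errs += [f"{f}: not an http(s) URL" for f in URL_FIELDS
             if entry.get(f) and not is_web_url(entry[f])]
    contact = entry.get("contact")
    if contact and not str(contact).startswith(("mailto:", "https://")):
        errs.append("contact: must be mailto: or https://")
    errs += [f"{f}: {entry[f]!r} not allowed" for f, ok in ENUMS.items()
             if f in entry and entry[f] not in ok]
    errs += [f"rewards: unknown type {r!r}"
             for r in entry.get("rewards", []) if r not in REWARDS]
    errs += [f"scope: bad type for {s.get('target')!r}"
             for s in entry.get("scope", []) if s.get("type") not in SCOPE_TYPES]
    if len(entry.get("description", "")) > 500:
        errs.append("description: longer than 500 chars")
    return errs


# Constructed sample entries (not taken from the project's data files).
GOOD = {"company": "Example Corp", "url": "https://example.com/security",
        "rewards": ["*bounty"], "status": "active",
        "scope": [{"target": "*.example.com", "type": "web"}]}
BAD = {"company": "Example Corp", "url": "example.com/security",
       "contact": "security at example dot com", "status": "open",
       "rewards": ["cash"], "scope": [{"target": "app", "type": "website"}]}

if __name__ == "__main__":
    for name, entry in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_entry(entry))
```

The project's own `make validate` step remains the authoritative check, since it validates against schema.json.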

Using the Data

Mirror

A mirror of this repo and all data is published to Codeberg, at: codeberg.org/alicia/bug-bounties

Developer Usage

Start by cloning the repo with git clone [email protected]:Lissy93/bug-bounties.git && cd bug-bounties

Data Aggregation
  1. make install - Set up the environment and install dependencies (from requirements.txt)
  2. make populate - Fetch the latest directory of programs, format, and write to platform-programs.yml
  3. make validate - Verify and validate platform-programs.yml and independent-programs.yml against the schema.json
  4. make readme - Generate and insert a summarized list of programs into the README.md
Website
  1. cd web to navigate into the web/ directory
  2. npm i to install dependencies
  3. npm run dev to start the development server
  4. npm run build to build the production site
Deployment
  • Option 1) Upload the content of web/dist/ into any web server, static hosting provider or CDN
  • Option 2) Import the project into Vercel or Netlify directly, where it will be automatically deployed
  • Option 3) For Docker, run docker run -p 8080:8080 ghcr.io/lissy93/bug-bounties:latest

Alternatively, all the above tasks can be run directly using GitHub Actions. Simply fork the project, and trigger the workflow(s).

Credits

Sponsors

Huge thanks to the following kind people for their ongoing support in funding this and my other projects via GitHub Sponsors.

Contributors

Attributions

Data Sources
Core Dependencies

License

Lissy93/Bug-Bounties is licensed under MIT © Alicia Sykes 2023 - 2026. For information, see TLDR Legal > MIT

The MIT License (MIT)
Copyright (c) Alicia Sykes <[email protected]> 

Permission is hereby granted, free of charge, to any person obtaining a copy 
of this software and associated documentation files (the "Software"), to deal 
in the Software without restriction, including without limitation the rights 
to use, copy, modify, merge, publish, distribute, sub-license, and/or sell 
copies of the Software, and to permit persons to whom the Software is furnished 
to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
