Awesome Bug Bounty

A comprehensive curated list of Bug Bounty Programs and write-ups from the Bug Bounty hunters.

Table of Contents

• Getting Started

• Write Ups & Authors

• Platforms

• Available Programs

• Contribution guide

Getting Started

• How to Become a Successful Bug Bounty Hunter

• Researcher Resources - How to become a Bug Bounty Hunter

• Bug Bounties 101

• The life of a bug bounty hunter

• Awsome list of bugbounty cheatsheets

• Getting Started - Bug Bounty Hunter Methodology

Write Ups & Authors

• sakurity.com/blog - by Egor Homakov

• respectxss.blogspot.in - by Ashar Javed

• labs.detectify.com - by Frans Rosén

• cliffordtrigo.info - by Clifford Trigo

• stephensclafani.com - by Stephen Sclafani

• sasi2103.blogspot.co.il - by Sasi Levi

• pwnsecurity.net - by Shashank

• breaksec.com - by Nir Goldshlager

• pwndizzle.blogspot.in - by Alex Davies

• c0rni3sm.blogspot.in - by yappare

• exploit.co.il/blog - by Shai rod

• ibreak.software - by Riyaz Ahemed Walikar

• panchocosil.blogspot.in - by Francisco Correa

• breakingmesh.blogspot.in - by Sahil Sehgal

• websecresearch.com - by Ajay Singh Negi

• securitylearn.net - by Satish Bommisetty

• secinfinity.net - by Prakash Sharma

• websecuritylog.com - by jitendra jaiswal

• medium.com/@ajdumanhug - by Allan Jay Dumanhug

• Web Hacking 101 - by Peter Yaworski

Platforms

• YesWeHack

• intigriti

• HackerOne

• Bugcrowd

• Cobalt

• Bountysource

• Bounty Factory

• Coder Bounty

• FreedomSponsors

• FOSS Factory

• Synack

• HackenProof

• Detectify

• Bugbountyjp

• Safehats

• BugbountyHQ

• Hackerhive

• Hacktrophy

• AntiHACK

• CESPPA

Available Programs

• 123Contact Form

• 99designs

• Abacus

• Acquia

• ActiveCampaign

• ActiveProspect

• Adobe

• AeroFS

• Airbitz

• Airbnb

• Algolia

• Altervista

• Altroconsumo

• Amara

• Amazon Web Services

• Amazon.com

• ANCILE Solutions Inc.

• Anghami

• ANXBTC

• Apache httpd

• Appcelerator

• Apple

• Apptentive

• Aptible

• Ardour

• Arkane

• ARM mbed

• Asana

• ASP4all

• AT&T

• Atlassian

• Attack-Secure

• Authy

• Automattic

• Avast!

• Avira

• AwardWallet

• Badoo

• Barracuda

• Base

• Basecamp

• Beanstalk

• BillGuard

• Billys Billing

• Binary.com

• Binary.com Cashier

• BitBandit.eu

• Bitcasa

• BitCasino

• BitGo

• BitHealth

• BitHunt

• BitMEX

• Bitoasis

• Bitpagos

• Bitrated

• Bitreserve

• Bitspark

• Bitwage

• BitWall

• BitYes

• BlackBerry

• Blackboard

• Blackphone

• Blesta

• Block.io

• Block.io, Inc.

• Blockchain.info

• BlockScore

• Bookfresh

• Box

• Braintree

• Brussels Airlines

• BTC_sx

• Buffer

• BX.in.th

• C2FO

• Campaign Monitor

• CARD.com

• Catchafire

• Caviar

• CCBill

• CERT/CC

• Certly

• ChainPay

• ChangeTip

• Chargify

• Chromium Project

• Circle

• CircleCI

• Cisco

• ClickUp

• Clojars

• CloudFlare

• Cobalt

• Code Climate

• CodeIgniter

• CodePen

• Coin Republic

• Coin.Space

• Coinage

• Coinbase

• CoinDaddy

• Coinkite

• Coinport

• coins.ph

• Cointrader.net

• Coinvoy

• Collishop

• Colruyt

• Compose

• concrete5

• Constant Contact

• Counterparty

• Coupa

• Coursera

• cPanel

• cPaperless

• Crix.io

• Cross Border Fines

• CrowdShield

• Cryptocat

• Cupcake

• CustomerInsight

• Cylance

• Dato Capital

• Detectify

• De Volkskrant

• Delen Private Bank

• DigitalOcean

• DigitalSellz

• Django

• Doorkeeper

• DoSomething

• DPD

• Dragon King

• Dreambaby

• Dreamland

• Dropbox

• Dropbox Acquisitions

• Drupal

• eBay

• Eclipse

• eHealth Hub VZN KUL

• EMC

• Enano

• Engine Yard

• Envoy

• Eobot

• EthnoHub

• Etsy

• EVE

• Event Espresso

• Everitoken

• Evernote

• EURid

• Expatistan

• ExpressionEngine

• Ezbob

• Facebook

• Faceless

• Factlink

• FanFootage

• FastSlots

• Flash

• Flood

• Flow Dock

• Flox

• Fluxiom

• Fog Creek

• FormAssembly

• Founder Bliss

• Foursquare

• Freelancer

• Gallery

• Gamma

• Gemfury

• General Motors

• GhostMail

• GitHub

• GitLab

• GlassWire

• Gliph

• GlobaLeaks

• Google PRP

• Google VRP

• Grammarly

• Gratipay

• GreenAddress

• Greenhouse.io

• Grok Learning

• HackenProof

• HackerOne

• Harmony

• Heroku

• Hex-Rays

• Hive Wallet

• Hootsuite

• HTC

• Huawei

• Hubdia

• Humble Bundle

• IAM KU Leuven

• Ian Dunn

• IBM

• ICEcoder

• Iconfinder

• Ifixit

• Imgur

• ImpressPages

• Indeed

• Independent Reserve

• Informatica

• IntegraXor

• Internetwache

• InVision

• IRCCloud

• itBit Exchange

• ITRP

• itsme

• joola.io

• Joomla

• JRuby

• jsDelivr

• Juniper

• Kadira

• Kaneva

• Kayako

• Kenna

• Keybase

• Khan Academy

• SKB Kontur

• Kraken

• Kinepolis

• Kuna

• Lancor Income

• LastPass

• LaunchKey

• Lean Testing

• Librato

• LibSass

• Liferay

• Line

• LinkedIn

• LiveEnsure

• LocalBitcoins

• Localize

• Logentries

• Lookout

• Magento

• MAGIX

• Mahara

• MaiCoin

• Mail.Ru

• Mailbird

• MailChimp

• ManageBGL

• ManageWP

• MapLogin

• Marietje Schaake

• Marktplatts

• Mavenlink

• Maximum

• MCProHosting

• MEGA

• Mercury

• Meteor

• meXBT

• Microsoft

• Mimecast

• Mobile Vikings

• Mobile Vikings

• Modus CSR

• MoneyBird

• MoneyStream

• Moodle

• Motorola Solutions

• Mozilla

• mynxt.info

• NCSC

• Nearby Live

• Nest

• Netflix

• Neverdie Smart Contract

• Neverdie Web

• Nexmo

• Nexuzhealth

• Nexuzhealth Web PACS

• Nginx

• Nitrous

• Nokia Networks

• NoPass

• NZRS

• Offensive Security

• ok.ru

• OKCoin

• OkCupid

• Olark

• OneSpan Mobile

• OneSpan Server Products

• Opal Cryptocurrency

• Openfolio

• OpenSSL

• OpenStack

• OpenText

• Opera

• Optimizely

• Oracle

• ownCloud

• PagerDuty

• Panasonic Avionics

• Pantheon

• Panzura

• Paragon Initiative Enterprises

• Paychoice

• PayMill

• PayPal

• Paytm

• Perl

• Phabricator

• PHP

• Pidgin

• PikaPay

• PinoyHackNews

• Pinterest

• Piwik Open Source Analytics

• Plone

• Pocket

• Poloniex

• Postmark

• Prezi

• Projectplace

• PullReview

• Puppet labs

• PureVPN

• Python

• QIWI

• Quadriga CX

• QuickBT

• Quora

• Rackspace

• Rdbhost_service

• Red Hat

• Reddit

• Relaso

• RelateIQ

• Release Wire

• Respondly

• Revive Adserver

• Ribose

• Ripio

• Ripple

• Riskalyze

• Romit

• Ruby

• Ruby on Rails

• Salesforce

• Samsung TV

• Sandbox Escape

• SAP

• Schuberg Philis

• Scorpion Software

• Secret

• Secure Works

• Sellfy

• Sentiance

• ServiceRocket

• ShareLaTeX

• Sherpany

• Shopify

• Sifter

• Silent Circle

• Simple

• SiteGround

• Skoodat

• Skrill

• Skyscanner

• Slack

• Snapchat

• Snappy

• Sonatype

• Sony

• SoundCloud

• Spaargids

• SpectroCoin

• Spendbitcoins

• SplashID

• Splitwise

• Spotify

• Sprout Social

• Square

• Square Open Source

• StatusPage

• StopTheHacker

• Student Assessment System

• Studio 100

• Subledger

• Subrosa

• Sucuri

• Suivo

• Symantec

• Taptalk

• Tarsnap

• TeamUnify

• Tele2

• Telekom

• Telenet

• Test-Aankoop

• The Internet

• The Mastercoin Foundation

• ThisData

• TimeTrex

• ToyTalk

• Trello

• Tuenti

• Tweakers

• Twilio

• Twitch

• Twitter

• Uber

• Ubiquiti Networks

• Unitag

• Urban Dictionary

• Uzbey

• Valve Software

• VeChainThor

• VeChainThor Wallet

• VCE

• Venmo

• Version Cake

• Viadeo

• Vimeo

• VK.com

• Volusion

• VPNSox

• vulners.com

• Vultr

• Webconverger

• Websecurify

• Weebly

• WePay

• Whisper

• WHMCS

• Windthorst ISD

• withinsecurity

• WizeHive

• Woorank

• WordPoints

• Wordware

• WP API

• Xen Project

• Xmarks

• Yahoo

• Yandex

• Yanomo

• Yesware

• Zapier

• Zaption

• ZenCash

• Zendesk

• Zetetic

• Ziggo

• Zimbra

• Zoho

• Zomato

• Zopim

• Zynga

Aggregators

• BountyHQ

License

To the extent possible under law, Dheeraj Joshi has waived all copyright and related or neighboring rights to this work.