Awesome Bug Bounty

A comprehensive curated list of Bug Bounty Programs and write-ups from the Bug Bounty hunters.

Table of Contents

• Getting Started

• Write Ups & Authors

• Platforms

• Available Programs

• Contribution guide

Getting Started

• How to Become a Successful Bug Bounty Hunter

• Researcher Resources - How to become a Bug Bounty Hunter

• Bug Bounties 101

• The life of a bug bounty hunter

• Awsome list of bugbounty cheatsheets

• Getting Started - Bug Bounty Hunter Methodology

Write Ups & Authors

• sakurity.com/blog - by Egor Homakov
• respectxss.blogspot.in - by Ashar Javed
• labs.detectify.com - by Frans Rosén
• cliffordtrigo.info - by Clifford Trigo
• stephensclafani.com - by Stephen Sclafani
• sasi2103.blogspot.co.il - by Sasi Levi
• pwnsecurity.net - by Shashank
• breaksec.com - by Nir Goldshlager
• pwndizzle.blogspot.in - by Alex Davies
• c0rni3sm.blogspot.in - by yappare
• exploit.co.il/blog - by Shai rod
• ibreak.software - by Riyaz Ahemed Walikar
• panchocosil.blogspot.in - by Francisco Correa
• breakingmesh.blogspot.in - by Sahil Sehgal
• websecresearch.com - by Ajay Singh Negi
• securitylearn.net - by Satish Bommisetty
• secinfinity.net - by Prakash Sharma
• websecuritylog.com - by jitendra jaiswal
• medium.com/@ajdumanhug - by Allan Jay Dumanhug
• Web Hacking 101 - by Peter Yaworski

Platforms

• YesWeHack
• intigriti
• HackerOne
• Bugcrowd
• Cobalt
• Bountysource
• Bounty Factory
• Coder Bounty
• FreedomSponsors
• FOSS Factory
• Synack
• HackenProof
• Detectify
• Bugbountyjp
• Safehats
• BugbountyHQ
• Hackerhive
• Hacktrophy
• AntiHACK
• CESPPA

Available Programs

• 123Contact Form
• 99designs
• Abacus
• Acquia
• ActiveCampaign
• ActiveProspect
• Adobe
• AeroFS
• Airbitz
• Airbnb
• Algolia
• Altervista
• Altroconsumo
• Amara
• Amazon Web Services
• Amazon.com
• ANCILE Solutions Inc.
• Anghami
• ANXBTC
• Apache httpd
• Appcelerator
• Apple
• Apptentive
• Aptible
• Ardour
• Arkane
• ARM mbed
• Asana
• ASP4all
• AT&T
• Atlassian
• Attack-Secure
• Authy
• Automattic
• Avast!
• Avira
• AwardWallet
• Badoo
• Barracuda
• Base
• Basecamp
• Beanstalk
• BillGuard
• Billys Billing
• Binary.com
• Binary.com Cashier
• BitBandit.eu
• Bitcasa
• BitCasino
• BitGo
• BitHealth
• BitHunt
• BitMEX
• Bitoasis
• Bitpagos
• Bitrated
• Bitreserve
• Bitspark
• Bitwage
• BitWall
• BitYes
• BlackBerry
• Blackboard
• Blackphone
• Blesta
• Block.io
• Block.io, Inc.
• Blockchain.info
• BlockScore
• Bookfresh
• Box
• Braintree
• Brussels Airlines
• BTC_sx
• Buffer
• BX.in.th
• C2FO
• Campaign Monitor
• CARD.com
• Catchafire
• Caviar
• CCBill
• CERT/CC
• Certly
• ChainPay
• ChangeTip
• Chargify
• Chromium Project
• Circle
• CircleCI
• Cisco
• ClickUp
• Clojars
• CloudFlare
• Cobalt
• Code Climate
• CodeIgniter
• CodePen
• Coin Republic
• Coin.Space
• Coinage
• Coinbase
• CoinDaddy
• Coinkite
• Coinport
• coins.ph
• Cointrader.net
• Coinvoy
• Collishop
• Colruyt
• Compose
• concrete5
• Constant Contact
• Counterparty
• Coupa
• Coursera
• cPanel
• cPaperless
• Crix.io
• Cross Border Fines
• CrowdShield
• Cryptocat
• Cupcake
• CustomerInsight
• Cylance
• Dato Capital
• Detectify
• De Volkskrant
• Delen Private Bank
• DigitalOcean
• DigitalSellz
• Django
• Doorkeeper
• DoSomething
• DPD
• Dragon King
• Dreambaby
• Dreamland
• Dropbox
• Dropbox Acquisitions
• Drupal
• eBay
• Eclipse
• eHealth Hub VZN KUL
• EMC
• Enano
• Engine Yard
• Envoy
• Eobot
• EthnoHub
• Etsy
• EVE
• Event Espresso
• Everitoken
• Evernote
• EURid
• Expatistan
• ExpressionEngine
• Ezbob
• Facebook
• Faceless
• Factlink
• FanFootage
• FastSlots
• Flash
• Flood
• Flow Dock
• Flox
• Fluxiom
• Fog Creek
• FormAssembly
• Founder Bliss
• Foursquare
• Freelancer
• Gallery
• Gamma
• Gemfury
• General Motors
• GhostMail
• GitHub
• GitLab
• GlassWire
• Gliph
• GlobaLeaks
• Google PRP
• Google VRP
• Grammarly
• Gratipay
• GreenAddress
• Greenhouse.io
• Grok Learning
• HackenProof
• HackerOne
• Harmony
• Heroku
• Hex-Rays
• Hive Wallet
• Hootsuite
• HTC
• Huawei
• Hubdia
• Humble Bundle
• IAM KU Leuven
• Ian Dunn
• IBM
• ICEcoder
• Iconfinder
• Ifixit
• Imgur
• ImpressPages
• Indeed
• Independent Reserve
• Informatica
• IntegraXor
• Internetwache
• InVision
• IRCCloud
• itBit Exchange
• ITRP
• itsme
• joola.io
• Joomla
• JRuby
• jsDelivr
• Juniper
• Kadira
• Kaneva
• Kayako
• Kenna
• Keybase
• Khan Academy
• SKB Kontur
• Kraken
• Kinepolis
• Kuna
• Lancor Income
• LastPass
• LaunchKey
• Lean Testing
• Librato
• LibSass
• Liferay
• Line
• LinkedIn
• LiveEnsure
• LocalBitcoins
• Localize
• Logentries
• Lookout
• Magento
• MAGIX
• Mahara
• MaiCoin
• Mail.Ru
• Mailbird
• MailChimp
• ManageBGL
• ManageWP
• MapLogin
• Marietje Schaake
• Marktplatts
• Mavenlink
• Maximum
• MCProHosting
• MEGA
• Mercury
• Meteor
• meXBT
• Microsoft
• Mimecast
• Mobile Vikings
• Mobile Vikings
• Modus CSR
• MoneyBird
• MoneyStream
• Moodle
• Motorola Solutions
• Mozilla
• mynxt.info
• NCSC
• Nearby Live
• Nest
• Netflix
• Neverdie Smart Contract
• Neverdie Web
• Nexmo
• Nexuzhealth
• Nexuzhealth Web PACS
• Nginx
• Nitrous
• Nokia Networks
• NoPass
• NZRS
• Offensive Security
• ok.ru
• OKCoin
• OkCupid
• Olark
• OneSpan Mobile
• OneSpan Server Products
• Opal Cryptocurrency
• Openfolio
• OpenSSL
• OpenStack
• OpenText
• Opera
• Optimizely
• Oracle
• ownCloud
• PagerDuty
• Panasonic Avionics
• Pantheon
• Panzura
• Paragon Initiative Enterprises
• Paychoice
• PayMill
• PayPal
• Paytm
• Perl
• Phabricator
• PHP
• Pidgin
• PikaPay
• PinoyHackNews
• Pinterest
• Piwik Open Source Analytics
• Plone
• Pocket
• Poloniex
• Postmark
• Prezi
• Projectplace
• PullReview
• Puppet labs
• PureVPN
• Python
• QIWI
• Quadriga CX
• QuickBT
• Quora
• Rackspace
• Rdbhost_service
• Red Hat
• Reddit
• Relaso
• RelateIQ
• Release Wire
• Respondly
• Revive Adserver
• Ribose
• Ripio
• Ripple
• Riskalyze
• Romit
• Ruby
• Ruby on Rails
• Salesforce
• Samsung TV
• Sandbox Escape
• SAP
• Schuberg Philis
• Scorpion Software
• Secret
• Secure Works
• Sellfy
• Sentiance
• ServiceRocket
• ShareLaTeX
• Sherpany
• Shopify
• Sifter
• Silent Circle
• Simple
• SiteGround
• Skoodat
• Skrill
• Skyscanner
• Slack
• Snapchat
• Snappy
• Sonatype
• Sony
• SoundCloud
• Spaargids
• SpectroCoin
• Spendbitcoins
• SplashID
• Splitwise
• Spotify
• Sprout Social
• Square
• Square Open Source
• StatusPage
• StopTheHacker
• Student Assessment System
• Studio 100
• Subledger
• Subrosa
• Sucuri
• Suivo
• Symantec
• Taptalk
• Tarsnap
• TeamUnify
• Tele2
• Telekom
• Telenet
• Test-Aankoop
• The Internet
• The Mastercoin Foundation
• ThisData
• TimeTrex
• ToyTalk
• Trello
• Tuenti
• Tweakers
• Twilio
• Twitch
• Twitter
• Uber
• Ubiquiti Networks
• Unitag
• Urban Dictionary
• Uzbey
• Valve Software
• VeChainThor
• VeChainThor Wallet
• VCE
• Venmo
• Version Cake
• Viadeo
• Vimeo
• VK.com
• Volusion
• VPNSox
• vulners.com
• Vultr
• Webconverger
• Websecurify
• Weebly
• WePay
• Whisper
• WHMCS
• Windthorst ISD
• withinsecurity
• WizeHive
• Woorank
• WordPoints
• Wordware
• WP API
• Xen Project
• Xmarks
• Yahoo
• Yandex
• Yanomo
• Yesware
• Zapier
• Zaption
• ZenCash
• Zendesk
• Zetetic
• Ziggo
• Zimbra
• Zoho
• Zomato
• Zopim
• Zynga

Aggregators

• BountyHQ

License

To the extent possible under law, Dheeraj Joshi has waived all copyright and related or neighboring rights to this work.