Coordinated Vulnerability Disclosure

Find the flaw. Report it. Get paid.

BountiesAlert connects security researchers with organizations that want their vulnerabilities found responsibly. Published scope, defined rewards, and safe harbor on every program.

0 Active Programs
0h Typical Response
$0 To Start — No Account

From discovery to reward in four steps

No paperwork, no account, no friction. Just a clear path from finding to payout.

01. Pick a program

Browse active programs. Every program publishes its scope, rules, and reward range up front — no guesswork.

02. Find & document

Test in scope, then write a clear report: affected asset, reproduction steps, and real-world impact.

03. Submit securely

Send your report through the program form. No account required — just your email for follow-up.

04. Get triaged & rewarded

Our team validates, communicates status, and pays out based on the published severity tiers.

What researchers hunt for

Programs reward findings across the full severity spectrum. Here is what typically lands the highest bounties.

Remote Code Execution (critical)

Arbitrary command or code execution on a target system.

SQL & NoSQL Injection (critical)

Injection flaws that expose or corrupt backend data stores.

Broken Access Control (high)

IDOR, privilege escalation, and missing authorization checks.

Authentication Bypass (high)

Logic flaws that defeat login, MFA, or session handling.

Server-Side Request Forgery (high)

Coercing the server into making unintended requests.

Cross-Site Scripting (medium)

Stored, reflected, and DOM-based script injection.

Cross-Site Request Forgery (medium)

Forcing authenticated users into unintended actions.

Information Disclosure (low)

Leaked secrets, stack traces, or sensitive metadata.

Built on researcher trust

The things that make a disclosure program worth your time — guaranteed up front.

Safe harbor

Good-faith research conducted within scope will not be met with legal action. Test with confidence.

Transparent scope

Every program lists exactly what is in and out of scope, so you always know what is fair game before you test.

Defined response times

Each program commits to a response window. You always know when to expect an update.

Tiered rewards

Bounties map to severity. Critical findings earn the most, and the bands are published in advance.

Ready to start hunting?

Every program publishes its scope, rules, and rewards. No account needed — just find, report, and get paid.