About Us

What is BountyGraph?

BountyGraph facilitates bug bounties and security audits for free and open-source software dependencies. Our goal is to strongly incentivize security research into software that has traditionally lacked the funding for a dedicated security budget, but that must be secure. We want to ensure that immediately reporting and fixing vulnerabilities is the most financially attractive option for security researchers.

How does BountyGraph work?

BountyGraph offers two major services: crowdfunded bug bounties and crowdfunded security audits. Once a software project has signed up for BountyGraph, it can begin accepting pledges for either of these services on its program page.

For bug bounties, vulnerabilities are reported to programs either through the BountyGraph ticket system or via email. Once a vulnerability has been fixed and a corresponding patch released, funding organizations are added to the ticket and given an opportunity to pay bounties to both the hacker and the software project.

For professional security audits, BountyGraph first receives a price quote from an established security consulting firm. The terms and planned deliverables of the audit are made public. Once funds have been raised, the audit occurs, and the results are privately shared with the project maintainers. Once a patch is available, the final report and any other deliverables are released publicly.

Funding FAQ

How does BountyGraph improve the security posture of my organization?

It is likely that most of the software running in your production environment was not written in-house. Operating systems, network stacks, web frameworks, web servers, databases, and several other key software components are only occasionally written by the organizations that depend on their security.

Despite the critical importance of this software, private bug bounty programs don't handle bugs in software dependencies gracefully. For example, if a hacker finds a vulnerability in a popular web server, it is unclear how that hacker can ethically resolve the bug while still earning the large bounty they deserve.

BountyGraph aims to solve this problem through crowdfunding. As a project gets more popular, the bug bounties get bigger, and the incentives of private industry and hackers become more aligned.

How do I help fund a bug bounty or professional audit on BountyGraph?

You can start by finding a project you're interested in supporting on the programs page. From there, you can click "Fund Program" to specify the details of your pledge.

Is my pledge publicly visible?

Pledges can be made public or private. Public pledges are displayed on the program's page alongside your logo and organization name. Public pledges are also visible on the funders page.

How and when am I charged?

Pledges are charged only when it is time to pay out a bounty. We process all payments through Stripe. By default, we charge via a credit or debit card. However, if you would like to fund your pledge in a different way, we can likely accommodate your requirements; please reach out to support@bountygraph.com.

Project FAQ

Why should my project join BountyGraph?

Free and open-source software projects join BountyGraph when they believe that a bug bounty program or professional security audit can improve their security, but when they don't have the funding to make it happen on their own.

We don't have the human resources to run a bug bounty program. Can we still use BountyGraph?

We want to make bug bounty programs accessible to projects of varying sizes. If you choose to use the BountyGraph ticketing system to manage submissions, you can opt in to have us triage out any clearly invalid reports at no cost, which will dramatically improve the quality of the submissions you receive and reduce the volume of notifications.

With that said, if you don't feel like you have the resources to quickly patch valid vulnerabilities reported through BountyGraph, running a bug bounty program may not be a good idea. As our business grows, we are looking into ways we can solve this issue by leveraging our own development resources.

Can I crowdfund a professional security audit without running a bug bounty program?

Yes. This is a good option if you don't have the available bandwidth to resolve valid reports in a timely manner.

I am a maintainer of a project. Can I submit a bug I found for a bounty?

Yes, but whether or not you receive a bounty for your submission is decided by the organizations funding bounties for your project.

Does BountyGraph cost money?

BountyGraph is free for projects and hackers. We make money by taking a 15% cut of bounties and audits funded through our platform.

Do maintainers get paid for fixing vulnerabilities?

When paying out bounties, funding organizations are given the opportunity to reward the project as well as the hacker.

I don't want new vulnerability reports to touch BountyGraph's servers. Can I still reward valid submissions?

Yes. Programs can opt to receive reports by email instead of through our ticketing system. In order to pay a bounty for an email submission, project maintainers must send the reporter a secret link to use after the bug has been fixed. There, the reporter can fill in the report for a bug that has already been fixed and still receive a bounty.

How do I pay out a bounty as a project maintainer?

First, ensure that the vulnerability is fixed and that a patch has been submitted upstream.

If you accept reports via the BountyGraph ticketing system: mark the report as "Fixed" and assign a severity. Then click "Submit for Bounty" at the bottom of the report page. From there, we will notify the funding organizations for your program after ensuring that the patch has been publicly released and that the report meets our bounty guidelines.

If you accept reports via email: once the bug is fixed, send the hacker your secret report submission link from the program settings page. From there, the hacker can submit the (now resolved) report and complete the bounty payout process as though the report originated in the BountyGraph ticketing system.

I maintain a project. How do I join BountyGraph?

Please reach out to us at support@bountygraph.com.

General FAQ

How does BountyGraph make money?

We charge a 15% transaction fee on each bounty or audit funded through our platform.

What are the ethical considerations of BountyGraph?

We want to earn the trust of projects, hackers, and funding organizations alike, and it is important to us that no one can "buy" early access to information about an unpatched vulnerability. Our goal is to improve the security posture of the organizations on our platform by encouraging the early discovery of vulnerabilities and the quick release of high quality patches. We want our policies to reflect that.

We only look at vulnerability reports when either (1) the vulnerability has been patched and we're issuing a bounty, or (2) the project maintainers have opted in to our triaging service to filter out bogus reports.

Further, to make our motivations clear, we allow organizations to receive vulnerability reports at an email address we don't control.

Who runs BountyGraph?

BountyGraph was created by Max Justicz and Steven Valdez.

What if I have another question?

Please contact us at support@bountygraph.com.