people in casino with a hackerone sign
Bug Bounty

The Internet Bug Bounty

The IBB is a crowdfunded bug bounty program that rewards security researchers and maintainers for uncovering and remediating vulnerabilities in the open-source software that supports the internet.

Open Source Security Advocates

Who can participate

The IBB is open to any bug bounty customer on the HackerOne platform. Any organization that depends on the use of open source, or even depends on third-party vendors who may rely heavily on open source, benefits from expanding the scope of their bounty funds to cover vulnerabilities discovered and remediated in open source.


Why participate

Software supply chain security management is inherently complex, and solving this issue has left the industry scrambling for an answer. One of the best solutions to defend against threats facing the software supply chain is to work together to protect these key dependencies. Just as open-source software is enhanced through the community, the community should help to secure it—and the Internet Bug Bounty program was built to facilitate that joint effort.

Program Mission

Secure Our Shared Software Components

Incentivize security research into open source and software supply chain dependencies.

By Pooling Defenses

Enable beneficiaries of open source to contribute to our collective security equitably.

From Discovery to Remediation

Provide financial support to security researchers and the maintainers of open source, who often volunteer their talent.

How does it work?

The IBB program operates in a pooled defense model, where every participating program’s bounty allocation is pooled to create the public bounty table for the IBB.

Step 1

Contribute 10% (suggested) of your normal bounty budget, or any amount that fits your program model, through your individual IBB Bounty Table (further instructions listed below).

Step 2

HackerOne will deduct from your existing bounty budget automatically as CVEs are fixed.

Step 3

HackerOne will add all bounties for each eligible vulnerability, providing 80% to the finder and 20% to the open-source project, funding essential remediation efforts.