Bug Bounty Program

We at OffSec regularly conduct vulnerability research and are proponents of coordinated disclosure. Although we make every effort to secure our presence on the Internet, there are inevitably issues that escape our notice and for those individuals that find vulnerabilities in our sites before we do, we have implemented the OffSec Bug Bounty program.

Qualifying vulnerabilities that are found in our sites and reported to us are eligible for a reward based on the category they fall into, based on severity. All reward amounts are paid in US dollars and payment is made via PayPal or bank wire transfer only. Reflected / DOM based XSS vulnerabilities, post authentication issues, file path disclosures, directory listings, CSRF, version disclosures and other similar issues are NOT covered by our bounty program. We of course, reserve the right to refuse any application.

The following table provides several bug classes and their corresponding bounty. While not all bug classes are covered by this list, you may get a sense of severity vs. reward by examining the following examples.

Bug Bounty Rewards

$200 Reward

  • Local File Disclosure
  • Configuration File Exposure

$500 Reward

  • Persistent XSS
  • SQL Injection
  • Local File Inclusion

$1000 Reward

  • Remote File Inclusion
  • Remote Code Execution

Vulnerabilities that are reported to us remain the property of the researcher and will not be claimed by OffSec. If the vulnerability exists in a third-party component used on one of our sites, OffSec will contact the relevant authors of the component with the vulnerability details, in order to have the issue fixed.

OffSec maintains a number of sites and a vulnerability reported in one site is considered to be reported for all sites, meaning that a researcher cannot claim a bounty for the same vulnerability across multiple sites. The domains that we maintain that are eligible for the Bug Bounty are listed here. Note that our sub-domains are included as well (i.e. docs.kali.org, etc.).

Vulnerability researchers are requested to submit their finds via security at offensive-security.com with all pertinent details along with the steps needed to reproduce the finding.

The OffSec Bug Bounty program does not give free license to attack any of our Internet sites and abuse will lead to connections/accounts being blocked and/or disabled. Abuse of our systems (such as polluting our forums or bugtrackers) will be grounds for immediate disqualification from any bounties.

For more information, please read about our Bug Bounty Program Insights blog post.

Friends of OffSec

  • MaXe
  • Abhineet Jayaraj
  • Olivier Beg
  • Rafay Baloch
  • Andrea Santese
  • Alexandr Bastrakov
  • Victor Shaw
  • Nassim Asrir
  • Zeeshan
  • Divya Mudgal
  • Anas Zrari
  • Nathu Nandwani
  • Hamidjon
  • D. Salvo
  • Deepankar Arora
  • Nipun Jaswal
  • Christy Philip Mathew
  • Prakhar Prasad
  • Michael R. Heinzl
  • Paulos Yibelo
  • mobaid95
  • İSMAİL TAŞDELEN
  • Syed Sohaib Karim
  • Josip Franjković
  • Mohammed Israil
  • Jeevan Singh
  • ManhNho
  • Mazen Gamal Mesbah
  • Abiral Shrestha
  • Deepankar Arora
  • Nipun Jaswal
  • Christy Philip Mathew
  • Prakhar Prasad
  • Michael R. Heinzl
  • Paulos Yibelo
  • İSMAİL TAŞDELEN
  • Syed Sohaib Karim
  • Josip Franjković
  • Mohammed Israil
  • JATIN JAIN
  • ManhNho
  • Abiral Shrestha
  • Valeriy Shevchenko
  • Noor Mohammad Gagguturi
  • kr1shna4garwal
  • Dhiraj Mishra