
Bug Bounty Program

We at OffSec regularly conduct vulnerability research and are proponents of coordinated disclosure. Although we make every effort to secure our presence on the Internet, some issues inevitably escape our notice. For those individuals who find vulnerabilities in our sites before we do, we have implemented the OffSec Bug Bounty program.

Qualifying vulnerabilities that are found in our sites and reported to us are eligible for a reward; the amount depends on the category the vulnerability falls into, which in turn reflects its severity. All reward amounts are paid in US dollars, and payment is made via PayPal or bank wire transfer only. Reflected/DOM-based XSS vulnerabilities, post-authentication issues, file path disclosures, directory listings, CSRF, version disclosures and other similar issues are NOT covered by our bounty program. We reserve the right to refuse any application.

Bug Bounty Rewards

The following list provides several bug classes and their corresponding bounty. Not all bug classes are covered here, but you can get a sense of how severity maps to reward by examining these examples:

$200 Reward

  • Local File Disclosure
  • Configuration File Exposure

$500 Reward

  • Persistent XSS
  • SQL Injection
  • Local File Inclusion

$1,000 Reward

  • Remote File Inclusion
  • Remote Code Execution

Vulnerabilities that are reported to us remain the property of the researcher and will not be claimed by OffSec. If the vulnerability exists in a third-party component used on one of our sites, OffSec will contact the authors of that component with the vulnerability details so that the issue can be fixed.

OffSec maintains a number of sites, and a vulnerability reported in one site is considered to be reported for all sites; a researcher therefore cannot claim a bounty for the same vulnerability across multiple sites. The domains we maintain that are eligible for the Bug Bounty are listed here. Note that our sub-domains are included as well (e.g. docs.kali.org).

Vulnerability researchers are requested to submit their findings via security at offensive-security.com, including all pertinent details along with the steps needed to reproduce the finding.

The OffSec Bug Bounty program does not give free license to attack any of our Internet sites, and abuse will lead to connections and/or accounts being blocked or disabled. Abuse of our systems (such as polluting our forums or bug trackers) will be grounds for immediate disqualification from any bounties. For more information, please read our Bug Bounty Program Insights blog post.

Friends of OffSec

MaXe
Abhineet Jayaraj
Olivier Beg
Rafay Baloch
Andrea Santese
Alexandr Bastrakov
Victor Shaw
Nassim Asrir
Zeeshan
Divya Mudgal
Anas Zrari
Nathu Nandwani
Hamidjon
D. Salvo
Deepankar Arora
Nipun Jaswal
Christy Philip Mathew
Prakhar Prasad
Michael R. Heinzl
Paulos Yibelo
mobaid95
İSMAİL TAŞDELEN
Syed Sohaib Karim
Josip Franjković
Mohammed Israil
Jeevan Singh
ManhNho
Mazen Gamal Mesbah
Abiral Shrestha
JATIN JAIN
Valeriy Shevchenko
Noor Mohammad Gagguturi
kr1shna4garwal
Dhiraj Mishra
Victor Bancayan (Jey Zeta)
Sreedeep.Ck Alavil
Ariel Rachamim
Omri Inbar
Vorakit Pruktaratikul