Purpose
The ProjectDiscovery OSS Bounty Program exists to democratize security by rewarding meaningful contributions from the global community.
Our tools are used by researchers, defenders, and builders worldwide. This program ensures that anyone, anywhere, can contribute to improving ProjectDiscovery projects and be fairly recognized or rewarded for their work.
We aim to:
- Lower the barrier to participation in security research and development
- Incentivize high-impact open-source contributions
- Foster a transparent, fair, and collaborative community
- Improve the security ecosystem for everyone
Scope
In-Scope Projects
- The program applies to official ProjectDiscovery open-source repositories, including but not limited to:
- Nuclei
- Katana
- Subfinder
- Httpx
- Naabu
- ShuffleDNS
- DNSx
- TLSx
- Vulnx
- URLFinder
- Any other repositories explicitly labeled as bounty
- Projects must be publicly available
- Issues or tasks eligible for bounties will be clearly labeled (e.g., bounty)
Out-of-Scope Projects
- Third-party dependencies
- Forks or unofficial repositories
Who Can Participate
- Anyone worldwide may participate
- Contributors must be legally able to receive rewards
- ProjectDiscovery employees and core maintainers may contribute but are not eligible for monetary rewards
The program is open, inclusive, and global.
Eligible Contributions
Only work explicitly marked or approved qualifies.
Eligible:
- Bug fixes for confirmed issues
- Performance improvements
- Feature implementations (requested by maintainers)
- Documentation or testing improvements with meaningful impact
- Tooling & infrastructure enhancements
Not Eligible:
- Unapproved or unsolicited features
- Duplicate submissions
- Trivial or low-quality changes
- Known or already-reported security issues
- Any unethical, fraudulent, or abusive behavior
Reward Structure
Monetary Bounties
- Fixed or variable rewards depending on impact
- Amounts are disclosed upfront or clearly stated
Non-Monetary Rewards
- Public recognition (release notes)
- ProjectDiscovery swag
How to Participate
- Find a bounty-labeled issue
- Announce intent by commenting on the issue
- Work in public, following contribution guidelines
- 1 active issue per contributor at a time
- Complete within 2 weeks of claiming
- Submit a PR clearly linked to the issue
- Address review feedback
- Get merged
- Claim reward via provided instructions
First complete, high-quality submission wins the bounty.
Review & Evaluation
All submissions are reviewed by ProjectDiscovery maintainers.
Evaluation criteria:
- Correctness and completeness
- Code quality and tests
- Adherence to project standards
- Alignment with bounty scope
Security & Responsible Disclosure
- Never disclose vulnerabilities publicly
- Report security issues privately via security@projectdiscovery.io
- Follow coordinated disclosure timeline
- No exploitation, data access, or service disruption
Payments & Legal
- Payments are typically processed within a reasonable timeframe after approval
- Contributors are responsible for taxes and legal compliance
- Contributions are licensed under the project’s existing open-source license
- No employment or contractor relationship is created
Code of Conduct
All participants must:
- Act ethically and respectfully
- Avoid harassment, spam, or manipulation
- Respect maintainers’ decisions
- Keep discussions transparent and public
Violations may result in disqualification or bans.
Program Changes
ProjectDiscovery may modify or end the program at any time.
- Changes will be announced publicly
- In-progress accepted work will be honored whenever possible
Contact
Why This Matters
Security should be democratized.
This program exists to:
- Democratize security; build a healthier, more accessible security ecosystem
- Empower independent researchers
- Reward real-world impact
- Strengthen open-source security tooling.
If you believe in open source security for everyone, we welcome you.
Happy Hacking!