FIRST bug bounty program

FIRST encourages security researchers to disclose security vulnerabilities in our services to FIRST in a responsible way. We support independent security research. Security evaluations must:

Please send any issues you identify to bugs@first.org and include "security vulnerability" in the subject line. We appreciate it if you could include the following information:

Please specify if we may publicly credit you on this page.

As a non-profit, we can’t pay out major bounties, but we really appreciate your help in helping safeguard our systems. If we confirm your finding as a vulnerability, we will send you a token of our appreciation.

We also welcome reports of simple bugs with no security impact, and will do our best to address them as soon as possible. However, those reports are not eligible for a token of our appreciation

Hall of fame

2017

2016

Note well