Open Bug Bounty レビュー 4

While claiming to be a beneficial service, the business model is more or less extortion. They are threatening publication of vulnerability details but they are not offering any useful information on the supposed vulnerability to the owner without paying up for it in advance, buying a pig in a poke. "Vulnerabilities" are mostly trivial and harmless scanning results.

This is not how bug bounties work. They are either offered voluntarily or payed out of gratitude for a meaningful hint on a serious vulnerability.

Recommendation: Ignore the mails, read the details on the supposed vulnerability after publication and then decide whether it is worth of attention. Do not pay for blackmail.

Good platform to showcase your security skills.

This is a good place to showcase your skills as a bug hunter and disclose your vulnerabilities.

Unethical organisation, avoid at all costs!

They hope to find vulnerabilities in your website, so they can email you about it and ask a good amount of money to reveal what that supposed vulnerability is (I was asked no less than 300 EUR!). All while you have never requested or subscribed to their services in any way; they contact you unwarranted asking for money, which is spam - nothing more and nothing less. Do NOT pay any money to them, you don't even know IF there is a vulnerability (or if there is, if it's worth paying for at all), but in the meantime they have your money. And if you contact them but you refuse, then of course you risk them exposing your website's vulnerability or perhaps even abusing it themselves. In addition to spam, this should also be called blackmail.

The platform is unmaintained.
The forum is more and more flooded with spam.
Reports about important security holes like SQL injections are basically rejected. Instead, mostly harmless XSS vulnerabilities are accepted.
Vulnerabilities that have already been patched are not updated even after years.
Since the login change, users can no longer log in and are only told to contact their e-mail provider.
email provider. We cannot help you any further.
Everyone can get an idea of the current state in the forum or on X.
The Facebook page is also dead, last post on december 2022.
Admins are not helping Users with problems within the forum.
They do not support the website operators against pseudo security researchers from OBB who try to blackmail the website operators for horrendous sums of money.
This project needs to be closed before there are really bad security hole releases.