FIRST Bug Bounty Program

Also available as PDF (169Kb)

FIRST encourages security researchers to disclose security vulnerabilities in our services to FIRST in a responsible way. We support independent security research. Security evaluations must:

Please send any issues you identify to bugs@first.org. We appreciate it if you could include the following information:

Please specify if we may publicly credit you on this page. In case you need to send any sensitive information, please encrypt the message using the bug bounty PGP key.

As a non-profit, we can’t pay out major bounties, but we really appreciate your help in helping safeguard our systems. If we confirm your finding as a vulnerability, we will send you a token of our appreciation.

We also welcome reports of simple bugs with no security impact, and will do our best to address them as soon as possible. However, those reports are not eligible for a token of our appreciation.

Hall of fame

2020

2019

2018

2017

2016

Note well