Porkbun wants to stamp out any bugs we haven't yet found, and we need the help of the security community to do it. If you find a security vulnerability on Porkbun, we want to hear about it, ASAP.
BE PATIENT: We will assess and process your submission as quickly as possible. Depending on the nature of the vulnerability and available development time, it may take up to 30 days for us to fix it and make payment to you.
Porkbun has adopted Bugcrowd’s Vulnerability Rating Taxonomy (VRT) for the purpose of prioritizing and paying out on reported bugs. We currently pay out for P1 through P4 vulnerabilities.
Other: Please note that while we appreciate the submission, we currently cannot pay out on low priority vulnerabilities. However, we would be happy to comment on or recommend you via a recognized bug bounty / security website.
Confidentiality is important. Do not disclose the nature of any vulnerability to others, before or after disclosure to us. Any vulnerabilities not kept confidential will not qualify for payment.
Please email your vulnerability, along with supporting documentation, to email@example.com.
The subject line should be in the form of "Bug Bounty: [PRIORITY LEVEL]". For example: "Bug Bounty: P2".
Include the PayPal address where you'd like to receive payment. Your report must include a Proof of Concept (PoC) and reference the Specific Vulnerability Name as identified in the VRT mentioned above. Please include as much detailed information as possible, such as screenshots, steps to reproduce, etc.
- The decisions made by Porkbun regarding bounties are final and binding.
- Don’t commit any crimes or engage in illegal activity.
- You’re solely responsible for paying taxes on rewards as appropriate in your jurisdiction.
- Don’t mislead, abuse, or in any way engage with Porkbun customers. Use test accounts if you need to simulate an interaction.
- A phishing scheme is probably not a vulnerability; don't make one.
- Do not use Denial of Service attacks, scrape the site, or otherwise stress the site to find a vulnerability.
- Don’t harm anyone, by any definition of the word “harm.”
- Anonymous submissions are not allowed. To receive a payment, you must agree to us confirming your identity.
- We may ask you to sign a W-9 tax form or other similar form required by the IRS.
- By submitting the vulnerability, you assign full intellectual property of the report to Porkbun and relinquish any copyright to the report itself.
- If you reside in a country under US sanctions, we will unfortunately be unable to make payment to you.