Public Lookup API

Query the BugBountyScam database for a program's scam-report history and reputation score. No authentication required. Responses are cached and safe to call from a browser or server.

Endpoint

GET https://bugbountyscam.com/api/lookup?domain=example.com

Query Parameters

domain — the program domain to look up. Subdomains and case are normalized to the registrable root (e.g. api.Example.com → example.com).
q — optional fuzzy substring search instead of exact domain match.

Reputation Score

Computed from report count and severity mix:

GREEN — no reports, or few/minor only
AMBER — some complaints
RED — multiple serious (critical/high) reports

Example Request

curl "https://bugbountyscam.com/api/lookup?domain=example.com"

Example Response

{
  "query": "example.com",
  "domain": "example.com",
  "count": 3,
  "severity": {
    "critical": 1,
    "high": 1,
    "medium": 1,
    "low": 0
  },
  "reputation": {
    "score": "red",
    "label": "Multiple serious reports",
    "points": 8.5
  },
  "posts": [
    {
      "id": "uXXXXXXXXXXXX",
      "domain": "example.com",
      "title": "No payout after fix",
      "platform": "HackerOne",
      "severity": "critical",
      "scam_type": "no-payout",
      "published_at": "2026-06-01T10:00:00.000Z"
    }
  ]
}

Response Fields

count — number of published reports for the program.
severity — breakdown of reports by severity (critical/high/medium/low).
reputation.score — green, amber, or red.
reputation.label — human-readable summary.
reputation.points — weighted severity score (higher = worse).
posts — array of matching published reports.

Please cache responses and avoid hammering the endpoint. Rate limiting applies. Data is community-submitted; a report is a researcher's account, not a legal finding.

BugBountyScam.com · Contact: admin@bugbountyscam.com