No. BugBountyScam is an independent, community-run platform. It is not affiliated with, endorsed by, or connected to HackerOne, Bugcrowd, Intigriti, YesWeHack, Synack, or any other bug bounty platform. We simply publish researchers’ first-hand experiences with programs hosted on them.
Yes. Any company named in a report can contact us at admin@bugbountyscam.com to provide additional information, give their side, or request a review of the content. We may update, annotate, or remove content following that review.
Every submission is manually reviewed before it goes live. We check that it describes a genuine, specific experience, look at any supplied evidence such as screenshots or timelines, and reject entries that are low-effort, abusive, duplicated, or clearly false. Publishing is not guaranteed, and a report being published is not a legal finding of wrongdoing — it is a researcher’s account.
Common cases include: a program patching your reported vulnerability but refusing the bounty (no payout); marking a valid report as a duplicate with no evidence of a prior report (false duplicate); retroactively changing scope to exclude the domain you reported (scope change); not responding for months on an active program (ghosting); or suspending/banning your account after you submitted a valid bug (researcher ban).
When you submit a report you receive a tracking ID. Use the Track page and enter that ID to see whether your report is pending review, published, or rejected. Keep the ID safe — it is the way to follow your submission anonymously.
Yes. Submitting is anonymous — you choose a display handle and are not required to provide your real identity. We do not publish personal identifying information. The whole platform is built to let researchers speak up without exposing who they are.
BugBountyScam.com · Contact: admin@bugbountyscam.com