Question 1

What is a bug bounty scam?

Accepted Answer

A bug bounty scam occurs when a company runs a bug bounty program but refuses to pay security researchers for valid vulnerability reports. Common scam tactics include refusing payouts after patching, marking valid reports as false duplicates, retroactively changing scope to exclude reported domains, ghosting researchers with no response, or banning researcher accounts after fixing their reported bugs.

Question 2

What is BugBountyScam.com?

Accepted Answer

BugBountyScam.com is the leading community-driven platform where security researchers report and expose fraudulent bug bounty programs. It serves as a wall of shame for programs on HackerOne, Bugcrowd, Intigriti, YesWeHack, Synack, and self-hosted platforms that scam researchers out of their earned bounties.

Question 3

How do I report a bug bounty scam?

Accepted Answer

Visit BugBountyScam.com and click Submit. Fill in the program domain, platform (HackerOne, Bugcrowd, etc.), bug type, scam type (no payout, false duplicate, scope change, ignored, or ban), severity, and provide evidence including screenshots, email chains, and report IDs. All submissions are reviewed by admins before publishing.

Question 4

Which bug bounty platforms have the most scam reports?

Accepted Answer

Scam reports are filed against programs on all major platforms including HackerOne, Bugcrowd, Intigriti, YesWeHack, Synack, and especially self-hosted bug bounty programs that operate without platform oversight. Self-hosted programs are the most common source of scams due to lack of mediation.

Question 5

How can I check if a bug bounty program is a scam?

Accepted Answer

Use the Lookup feature on BugBountyScam.com to search any domain and see if other researchers have reported scam activity. Check the Wall of Shame leaderboard for the most reported programs. Always screenshot scope pages before submitting reports.

Question 6

What are the most common bug bounty scam types?

Accepted Answer

The most common bug bounty scams are: 1) No Payout - company patches the bug but refuses to pay, 2) False Duplicate - report marked as duplicate with no proof, 3) Scope Change - program retroactively changes scope to exclude the reported domain, 4) Ghosting - no response for months despite active program, 5) Ban/Retaliation - researcher account banned after submitting a valid report.

Question 7

Is bug bounty hunting safe?

Accepted Answer

Bug bounty hunting can be safe when working with reputable programs, but researchers should always protect themselves by documenting everything, screenshotting scope pages, using archive.org snapshots, and checking BugBountyScam.com before investing time in a program.

Scam Alert: opensea.io — OpenSea – Unanswered XSS Vulnerability Report via Profile Picture Upload

Bug Bounty Scam — Expose Fraudulent Bug Bounty Programs | Report Scams on HackerOne, Bugcrowd, Intigriti, YesWeHack

SCAM REPORTS (0)

REPORT A SCAM

Program

Incident

Your Info

Get in Touch

⌕ Program Lookup

☠ Wall of Shame

◈ Scam Analytics

⧖ Track Report

✎ Blog

☆ Weekly Digest

☻ Chat

Join Community Chat