Bounty: $555 to $20,000

Synopsis

This is our main web site. It is our most intricate application, with a large number of user inputs and access methods. It is built on Ruby on Rails and leverages a number of open source technologies.

Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only exploitable in Opera, and Opera accounts for <2% of our traffic, then the severity and reward will be lower. A persistent XSS that works in Chrome, which accounts for >60% of our traffic, will earn a much larger reward.

You can find the app at

Bounty scope

Submit a vulnerability for

Recently collected bounties:

1 asanso 1000 pts Antonio Sanso Creating verified commits for arbitrary emails using web commits
2 jonathanwalker 555 pts Jonathan Walker "Require review from Code Owners" bypass using unverified email addresses
3 Abss0x7tbh 1000 pts Abss CSRF in opting out of organization invites
4 jaksi 1000 pts Kristóf Jakab Extending the scopes of an SSO-authorized personal access token without a SAML session
5 BBerastegui 1000 pts Borja Berastegui Localhost same-site request forgery via GitHub Webhooks