Bug Bounty Program

Find a vuln. Get paid.
Up to $5,000 per bug.

Over 100 ethical hackers protect OXware in production. Public scope, clear rules, fast triage. Median time-to-bounty is 7 days. We've paid out $42,300 to date.

Severity tiers and payouts

  • Critical ($1,000 - $5,000): RCE on host, hypervisor escape, auth bypass, panel takeover.
  • High ($250 - $1,000): privilege escalation, persistent stored XSS, SSRF to internal.
  • Medium ($100 - $250): reflected XSS, IDOR, CSRF on sensitive action, info leak.
  • Low ($50 - $100): misconfiguration, missing security header, weak rate limit.

Scope

Test against your own self-hosted OXware install. Do not test against oxware.top SaaS endpoints unless you have written permission.

In scope

  • OXware Hypervisor backend: app.py, blueprints, REST API, runbook executor, federation, CSI, KubeVirt, GitOps modules.
  • OXware panel frontend: oxware/frontend/templates/*, plugin SDK, validators.
  • OXware Confidential VM stack: vTPM, SEV/TDX attestation, Secure Boot wiring.
  • Installer ISO, Debian repo, signed releases on GitHub.
  • OXware vCenter beta + Cloud Backup SaaS (with permission).

Out of scope

  • oxware.top marketing site DoS, rate-limit testing, traffic flooding.
  • Third-party services (Stripe, GitHub, Cloudflare, Discord).
  • Self-XSS, missing SPF/DKIM/DMARC on non-mail domains.
  • Reports generated solely from automated scanner output, no PoC.
  • Vulnerabilities in unsupported OXware versions (older than 2.6).
  • Social engineering of OXware staff or community.
  • Physical attacks on OXware infrastructure.

How to report

Two channels. Pick whichever fits. Both reach the security team within 1 business hour.

GitHub Security Advisories

Preferred. Encrypted via the GitHub channel. Auto-creates a CVE pre-publication draft we can both edit.


Email + PGP

For non-GitHub users. Encrypt with our PGP key (fingerprint published in SECURITY.md).

root@oxware.top

Response timeline
Acknowledgement — within 72 hours.
Triage + severity assessment — within 7 days.
Bounty decision communicated — within 14 days.
Patch for critical issues — within 14 days. Public disclosure 90 days after patch ships.

Hall of Fame

Researchers who responsibly disclosed validated vulnerabilities. Listed with consent. Thank you.

  • Anonymous Researcher (@orange_42): SEC-017 SSRF · Critical
  • M. Chen (@mchen-sec): SEC-018 argv injection · Critical
  • K. Volkov (@kvolkov): SEC-019 federation TLS bypass · High
  • S. Ahmadi (@s-ahmadi): SEC-022 runbook shell allowlist · Medium
  • J. Park (@jpark-dev): SEC-024 plugin AST bypass · Medium
  • A. Dubois (@adubois): SEC-027 plugin route hijack · Medium
  • L. Schmidt (@lschmidt-it): SEC-029 zip slip · High
  • R. Yilmaz (@ryilmaz-sec): SEC-032 known-hosts · Medium

100+ additional researchers contributed reports that did not qualify for payouts but improved internal hardening. Thank you all.

Safe harbor

OXware will not pursue legal action against researchers who follow the rules on this page. We treat good-faith research that stays within them as authorized testing.

Read full SECURITY.md