Help Us Map the Global Bug Bounty Ecosystem
TL;DR: platforms.disclose.io is our community-maintained directory of 80+ bug bounty and VDP platforms worldwide. We just added 25 new platforms, and we need your help to keep it growing.
The bug bounty ecosystem is massive. And weird. And fascinating.
There are platforms in 40+ countries speaking dozens of languages. Platforms that specialize in WordPress plugins. Platforms running $7 million bounties for iPhone exploits. Platforms where researchers compete in real-time smart contract audit competitions. Government-run platforms. Open-source platforms. Platforms that only serve a single country or region.
And until you really dig in, you probably don’t know most of them exist.
The World Beyond the Big Names
Don’t get us wrong - the major platforms are great. But the global bug bounty landscape is so much richer than most people realize.
In Japan, IssueHunt and bugbounty.jp compete for market share with full Japanese language support and local payment infrastructure.
In Russia, after Western sanctions led to platform exits, Standoff 365 and BI.ZONE emerged to serve 20,000+ researchers and host government programs. They’re running bounties up to $680,000.
In Web3, platforms like Cantina, CodeHawks, and CertiK are running competitive smart contract audits where researchers race to find vulnerabilities, with programs managing tens of millions in bounties.
In WordPress security, Patchstack runs the world’s first bug bounty covering all 60,000+ WordPress plugins.
For US government agencies, CISA operates a centralized VDP platform helping federal agencies comply with vulnerability disclosure requirements.
The list goes on: Cyber Army Indonesia, WhiteHub (Vietnam), Cyber3ra (India), PatchDay (South Korea), Butian (China), safehats (India), Teklabspace (Nigeria)…
platforms.disclose.io: Your Community Database
That’s why we maintain platforms.disclose.io - a simple, open-source directory of every bug bounty, VDP, and crowdsourced security platform we can find. Right now we’re tracking 80+ platforms with standardized information:
- Platform names and URLs
- Geographic regions
- Program types (public, private, or both)
- Leaderboard and program directory links
- Social media handles
It’s vendor-neutral, community-maintained, and completely open-source.
We Just Added 25 New Platforms
Our latest update includes some really interesting additions:
Web3/Blockchain Security:
- Cantina (SpearbitDAO’s marketplace, $34M+ in bounties)
- CodeHawks (Cyfrin’s competitive audits)
- CertiK (zero-fee model for blockchain projects)
- Remedy (with ZK-proof duplicate prevention)
- AuditOne (allocates audit revenue to fund bounties)
- Hashlock (Australia’s blockchain security leader)
Regional Platforms:
- Standoff 365 & BI.ZONE (Russia’s major platforms)
- IssueHunt & bugbounty.jp (Japan)
- PatchDay (South Korea)
- Butian (China’s pioneer, since 2013)
- Cyber3ra (India)
- BUGLOUD & UAE National Bug Bounty (Middle East)
Specialized Platforms:
- Patchstack (all 60,000+ WordPress plugins)
- CISA VDP Platform (US federal agencies)
- Crowdcurity (European, top 5 rated)
- Topcoder (security challenges)
- OWASP BLT/Bugheist (open-source community)
And several others including Gerobug (open-source self-hosted), Hacckers (Israel), and Bug Bounty Box (Africa).
We Need Your Help
This database is only useful if it’s comprehensive and current. Here’s where you come in:
Know a Platform We’re Missing?
We’re especially interested in:
- Regional platforms serving local markets
- Emerging platforms in Africa, Latin America, Southeast Asia
- Specialized platforms (AI security, IoT, specific industries)
- New Web3 security platforms
- Self-hosted or open-source solutions
Spot Something Out of Date?
Platform details change constantly:
- URLs get updated
- Social handles change
- Leaderboards launch or move
- Companies rebrand or merge
If you see outdated info, let us know!
Share It Around
The more people who know about this resource, the better. Share with:
- Researchers looking for new platforms to explore
- Organizations evaluating platform options
- Regional communities discovering local alternatives
- Anyone interested in the global security ecosystem
How to Contribute
Super simple:
On GitHub:
Fork the repo, update the markdown table, submit a PR. That’s it.
Not a GitHub person?
Drop us a note on Discord, tag us on Twitter @disclose_io, or send an email.
Platform operators:
Want to be listed? We welcome submissions - just make sure you’re a legit bug bounty/VDP/crowdsourced security platform.
Why This Matters
Vulnerability disclosure works best when everyone - researchers, organizations, and platforms - operates with transparency and shared standards. Having a comprehensive, community-maintained directory of where this work happens is part of that transparency.
Whether you’re a researcher looking to diversify where you hunt, an organization trying to understand your options, or just someone fascinated by how global this ecosystem has become, platforms.disclose.io is your starting point.
And it gets better every time someone contributes.
Check it out: platforms.disclose.io
Contribute: GitHub repository
Questions? Join us on Discord or hit us up @disclose_io
Let’s map this thing together.