Since 2013, Bugcrowd has maintained “The List” — a directory of public bug bounty and vulnerability disclosure programs. What started out as a crowdsourced blog post, has evolved to become the defacto resource for people looking for bug bounty and vulnerability disclosure programs across the industry, ranked at the top of search engine results.

This week, we’re taking the power of The List and putting it to even better use, rolling out the biggest changes since its inception and accelerating the adoption of good disclosure policies and Safe Harbor for good-faith hackers.

This week:

  • We’ve moved the source database for the list under the Safe Harbor project;
  • Completely open-sourced the database under CC 4.0 for anyone to use or contribute to;
  • Rebuilt the contributor recognition page on to acknowledge and thank those who help add/refine/update the database;
  • Added a column to recognize whether a program has full or partial Safe Harbor language for hackers, and
  • Added program filtering to the page to help good-faith hackers find the programs with the terms most important to them, most quickly!

The List is now Open Source!

The List is and always has been a community tool, and we wanted to take it to the next level. Now, anyone can reuse the list under a CC 4.0 license, and anyone can contribute and update it. Our goal is to spread the information and its value far and wide, increase the frequency of updates, and create a tighter acknowledgement model for those who contribute to keeping it fresh!

The List <3’s

As Safe Harbor gains momentum, we wanted to make it super easy for hackers to find programs with favorable terms, and for companies who are proactive about Safe Harbor to receive the appropriate recognition. The addition of a Safe Harbor field in the database is designed to spark a “treasure-hunt” among hackers, lawyers, and program owners alike — and to trigger a race-to-the-top among program owners to add these important clauses to their vulnerability disclosure terms.

What you can do: Help us fill the blanks and make it even better!

Contributors: Recognizing the contribution of those wanting a safer digital world is core to Bugcrowd, and we’ve revamped the contributor acknowledgement page to publicly recognize everyone who contributes to the open source repo.

Researchers, Vendors, and Academics: The List is now free for you to use under the CC 4.0 open source licencing scheme. Let us know how you’re using it, and post suggestions to the Github repo to help us make it even more valuable and useful to you!

Huge thanks to Jason Haddix, Dan Trauner, David Chou, Amit Elazari, and everyone for their continued support of the initiative.

Want to learn more?

Tomorrow, January 19, Amit Elazari, Kris Johnson, and John Repic will be presenting “Behind the Curtain: Safe Harbor and DoD” at LevelUp0x03, Bugcrowd’s virtual hacking conference for hackers by hackers. Their panel discussion will take place at 9:30 am PT on the YouTube stream.

Check out this, as well as 18 other talks covering a range of topics including API, car and mobile hacking topics and methodologies, CISO of Motorola Richard Rushing’s “What’s in my Toolbox”. The conference takes place from 8:15 am – 4:00 pm on Saturday and will be broadcast over two different streams. Check out the full schedule here.