
Securing open source together: OpenProject bug bounty program – sponsored by the European Commission
Open source security is a shared responsibility. OpenProject is proud to take this responsibility seriously. As part of an initiative funded by the European Commission, we at OpenProject have partnered with the YesWeHack bug bounty platform to make our open source project management software even more secure.
Security researchers are invited to test the latest stable version and report any vulnerabilities – with financial rewards for valid reports.
What is the bug bounty about?
OpenProject is currently listed as a public program on YesWeHack. Security researchers can analyze the latest stable release of OpenProject as published on our GitHub repository, and report any findings through the platform.
The program is sponsored by the European Commission, under its initiative to strengthen the digital security of open source tools used by public institutions. It’s part of a broader strategy to foster digital sovereignty and secure open infrastructure in Europe.
Note
About YesWeHack: The bug bounty and vulnerability management platform is “built by hackers for hackers”, connecting organizations and ethical hackers worldwide to uncover and patch vulnerabilities. Read more on their website.
Examples of valid vulnerability types include:
- SQL Injection (SQLi)
- Cross-site Scripting (XSS)
- Remote Code Execution (RCE)
- Privilege Escalation
- Authentication/Authorization flaws
Full scope and exclusions are listed on the YesWeHack program page.
Quick guide: How to contribute
- Create a free YesWeHack account at yeswehack.com.
- Join the OpenProject program.
- Analyze the latest stable release.
- Submit valid vulnerabilities through the platform.
- Receive your reward if your report is accepted and in scope.
FAQ
Who can participate?
Anyone with a YesWeHack account and a passion for security can participate. You don’t need to be part of an organization — individual researchers are welcome.
What is in scope?
Only the latest stable OpenProject version is in scope.
What are the reward ranges?
The rewards range from €100 to €5,000, depending on the severity of the vulnerability. Rewards are based on the CVSS severity score and follow a structured grid.
How do I submit a report?
You can submit a report through the YesWeHack platform. Reports must include clear reproduction steps and follow the responsible disclosure policy.
What happens after submission?
Submissions are reviewed by OpenProject and triaged based on impact. Eligible reports will be rewarded and fixed as appropriate.
Join the effort — hack for the public good
Help us make OpenProject even more secure. Whether you’re a seasoned researcher or just starting out, your contributions make a difference.
