Bug Bounty Finder: 22-Field Intel from HackerOne & Bugcrowd

22 fields per program. 3 platforms in 1 run. $0.00399 per record. 100-record free trial. Find every public bug bounty and VDP program in seconds. Queries HackerOne directory, Bugcrowd engagements, and /.well-known/security.txt files in parallel.

What does bug bounty finder do?

The bug bounty finder is a real-time, lightweight recon utility that searches and aggregates public vulnerability disclosure programs and responsible disclosure contacts across multiple platforms. It queries HackerOne, Bugcrowd, and standardized security.txt files in a single unified run. Returns a completely flat, spreadsheet-friendly dataset with 22 fields per row: min and max bounty, currency, resolved report count, policy snippet, security.txt contact, encryption URL, expiration date, and more.

Running on the Apify platform gives you rotatable proxies to bypass anti-bot blocks, scheduled automated scanning, real-time Slack and webhook integrations, and a warm standby HTTP API server for instantaneous queries.

Why use bug bounty finder?

This actor is ideal for cybersecurity professionals, penetration testers, security researchers, and enterprise threat intelligence teams:

• Lead generation: Instantly find high-paying bug bounty programs and active security policies.
• Asset discovery: Map target brand terms and find their legal responsible disclosure pathways.
• Vulnerability disclosure compliance: Automatically locate security contacts (via security.txt) for responsible reporting, preventing risky public disclosures.
• Tabular exports: Download raw data directly into clean Excel, CSV, or Google Sheets layouts without complex JSON manipulation.

How to use bug bounty finder?

To run this scraper:

1. Input a target query (such as a brand keyword like uber or a full domain like google.com).
2. Select which security platforms you want to query (HackerOne, Bugcrowd, and/or standard security.txt).
3. Set your maximum limits and enable Apify Proxy to ensure continuous scanning.
4. Run the Actor and download your flat dataset directly in your preferred file format.

Input parameters

The input parameters are simple and grouped into clear, non-technical sections:

Field name	Type	Required	Default	Description
query	string	Yes	uber	The keyword, brand name, or domain name to search for.
platforms	array	Yes	["hackerone", "bugcrowd", "security_txt"]	The list of bug bounty databases or standard paths to search.
onlyWithBounty	boolean	Yes	false	If set to true, only programs offering monetary rewards are saved.
maxItems	integer	Yes	100	The maximum number of records to retrieve during the run.
proxyConfiguration	object	Yes	{"useApifyProxy": true}	Enables proxy network routing to bypass rate limiting.

Output dataset structure

Every result is written to the dataset using a completely flat, spreadsheet-friendly database layout. Nested JSON objects and lists have been fully removed.

Example program result

{
  "record_type": "program",
  "query": "uber",
  "platform": "hackerone",
  "program_name": "Uber",
  "url": "https://hackerone.com/uber",
  "min_bounty": 100,
  "max_bounty": 15000,
  "currency": "USD",
  "offers_bounties": true,
  "resolved_reports": 2450,
  "policy_snippet": "Uber's official vulnerability disclosure program on HackerOne.",
  "engagement_type": "public",
  "scraped_at": "2026-06-20T10:00:00.000Z"
}

Example security contact result

{
  "record_type": "security_txt",
  "query": "uber",
  "domain": "uber.com",
  "contact": "mailto:security@uber.com, https://uber.com/security",
  "policy_url": "https://uber.com/legal/security-policy",
  "encryption_key": "https://uber.com/pgp-key.asc",
  "hiring_url": "https://uber.com/careers",
  "acknowledgments_url": "https://uber.com/security/hall-of-fame",
  "expires_at": "Thu, 31 Dec 2026 23:59:59 GMT",
  "raw_text": "Contact: mailto:security@uber.com\nPolicy: https://uber.com/legal/security-policy",
  "scraped_at": "2026-06-20T10:01:00.000Z"
}

Mapped data fields

The output dataset includes these clear, un-nested columns:

Column name	Data type	Description
record_type	string	The category of record, which can be a program, security_txt, or summary.
query	string	The search query that triggered this finding.
domain	string	The target domain name (specific to security.txt).
platform	string	The source directory (hackerone, bugcrowd, or security_txt).
program_name	string	The official title of the vulnerability disclosure program.
url	string	The direct link to the program's policy details page.
min_bounty	number	The minimum cash reward paid out by the program (in USD).
max_bounty	number	The maximum cash reward paid out by the program (in USD).
currency	string	The payment currency, defaulting to USD.
offers_bounties	boolean	True if the program offers monetary rewards.
resolved_reports	number	The total count of resolved reports within the directory.
policy_snippet	string	A short preview of the program guidelines.
engagement_type	string	Indicates whether the program is public or private.
contact	string	A comma-separated list of parsed contact paths from security.txt.
policy_url	string	The link to the target's vulnerability disclosure policy.
encryption_key	string	The link to the target's public PGP/encryption key.
hiring_url	string	The link to the target's security jobs page.
acknowledgments_url	string	The link to the target's hall of fame or credit page.
expires_at	string	The expiration date of the security.txt file.
scraped_at	string	The exact timestamp when this information was extracted.

Pricing and cost estimation

How much does it cost to find bug bounty programs?

• This Actor is priced at a competitive flat rate of $3.99 per 1,000 results (equivalent to just $0.00399 per row of data).
• Because the Actor runs 100% browser-less, it consumes minimal compute and memory. A typical run of 100 results on a 512 MB container completes in less than 3 seconds, resulting in nearly zero platform platform overhead fees.

Tips and optimization

• Keyword selection: For broad results across directory platforms, use general brand terms (such as meta or microsoft).
• Domain queries: If you specifically want to parse security.txt files, input a full domain name (such as github.com) to query standard security paths directly.
• Limit your runs: Use the maxItems setting to control your cost and restrict data sizes to what is necessary.

Support, disclaimers, and feedback

This tool aggregates publicly accessible disclosure directories and open-standard security.txt endpoints. It does not perform active vulnerability scanning or exploit attempts. It strictly queries standard directories and public paths.

For bug reports, feature requests, or questions, please navigate to the Issues tab on the Apify platform. Custom scraping setups and custom database integrations are also available upon request.