Bug Bounty Program Finder
Pricing
from $0.25 / 1,000 results
Find public bug bounty programs, vulnerability disclosure programs, security.txt contacts, rewards, scope, safe harbor notes, and disclosure policy URLs.
Developer
Inus Grobler
Maintained by Community
Bug Bounty Program Finder
Bug Bounty Program Finder is a bug bounty scraper, vulnerability disclosure program finder, and security.txt scraper for security researchers, AppSec teams, OSINT analysts, sales teams, and cybersecurity vendors.
At a glance: input examples, output examples, use cases, limitations, troubleshooting, and pricing/cost guidance are included below for small discovery checks and larger security-program exports.
Use it to discover public bug bounty programs, VDPs, responsible disclosure pages, security contact emails, reward ranges, safe harbor signals, and program URLs across HackerOne, Bugcrowd, Intigriti, YesWeHack, disclose.io, Open Bug Bounty, HackenProof, security.txt files, and public security policy pages.
What You Can Do
- Find public bug bounty and VDP programs by keyword, company, industry, or domain.
- Check specific domains for security.txt files and public disclosure policy pages.
- Export normalized program records for CRM, research, attack surface management, or monitoring workflows.
- Filter by program type, bounty amount, safe harbor signals, and changed records.
- Optionally enrich in-scope domains with passive DNS lookups.
Best For
- Security researchers looking for public bounty opportunities and responsible disclosure contacts.
- AppSec and vulnerability management teams building a list of disclosure programs for vendors, partners, or assets.
- OSINT analysts researching security policy pages, security.txt files, and public reporting channels.
- Cybersecurity sales and marketing teams building lead lists of companies with active security programs.
- Bug bounty platforms, consultancies, and managed security providers tracking program coverage.
Supported Public Sources
The Actor searches public directories and public web pages. Supported sources include HackerOne, Bugcrowd, Intigriti, YesWeHack, disclose.io, Open Bug Bounty, HackenProof, Yandex bug bounty listings, security.txt files, and generic public security policy pages.
What Data You Get
Output examples, dataset fields, limitations, troubleshooting, and pricing guidance are included below so you can evaluate the data before running larger exports.
Each dataset item can include:
- Program and company name
- Hosting platform or discovery source
- Program URL, policy URL, submission URL, and source URL
- Program type: bug bounty, VDP, security.txt, security policy, or unknown
- Minimum and maximum bounty when visible
- Currency and reward summary
- Safe harbor signal and safe harbor URL when detected
- Contact email or security.txt URL when available
- In-scope assets and optional DNS enrichment
- Tags, opportunity score, content hash, first seen date, last seen date, and change status
Simple Input
Most users only need a keyword and a result limit:
{
  "query": "fintech",
  "maxItems": 100
}
To check specific domains:
{
  "domainOrUrl": "https://github.com/security",
  "maxItems": 50
}
startDomains and startUrls are still supported for older API integrations. New Console users can use the Domains or URLs dropdown.
Good starter keywords include fintech, crypto, cloud, SaaS, API, mobile, healthcare, banking, company names, and domain names.
Automatic Defaults
The Actor keeps setup simple by default:
- It searches all supported public sources.
- It visits detail pages when useful for richer scope, reward, submission, and safe harbor data.
- It includes paid bug bounty programs, VDPs, security.txt records, and public security policy pages.
- It does not run optional DNS enrichment unless an existing integration explicitly enables it.
- It keeps older advanced input fields working for API users, but new users do not need to configure them.
Output Examples
{
  "programName": "Example Security Program",
  "companyName": "Example",
  "platform": "HackerOne",
  "programType": "bug_bounty",
  "programUrl": "https://hackerone.com/example",
  "policyUrl": "https://example.com/security",
  "submissionUrl": "https://hackerone.com/example/reports/new",
  "sourceUrl": "https://hackerone.com/example",
  "isPublic": true,
  "requiresLogin": false,
  "bountyMax": 5000,
  "currency": "USD",
  "rewardSummary": "Up to $5,000",
  "safeHarbor": true,
  "contactEmail": "security@example.com",
  "tags": ["public", "paid", "safe-harbor"],
  "opportunityScore": 70,
  "changeStatus": "new",
  "firstSeenAt": "2026-06-16T08:00:00.000Z",
  "lastSeenAt": "2026-06-16T08:00:00.000Z",
  "scrapedAt": "2026-06-16T08:00:00.000Z"
}
Running On Apify
- Open the Actor in Apify Console.
- Enter a keyword, domains, or both.
- Set maxItems to the number of records you need.
- Start the run.
Results are streamed to the default Apify Dataset during the run, so partial results remain useful if a long run is stopped or times out.
Exporting Results
Open the run dataset and export results as JSON, CSV, Excel, XML, RSS, or HTML from Apify Console. For automation, use the Apify API client:
from apify_client import ApifyClient

client = ApifyClient("YOUR_APIFY_TOKEN")
run = client.actor("thescrapelab/bug-bounty-program-finder").call(
    run_input={
        "query": "cloud",
        "maxItems": 100,
    }
)
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item["programName"], item.get("programUrl"))
Limitations And Caveats
- The Actor only collects public programs and public policy pages. It does not access invite-only or private programs.
- Some sources may change page structure, block requests, or temporarily return fewer records.
- Detail extraction depends on what each program publicly displays.
- safeHarbor means safe harbor language was detected; always review the linked policy before testing.
- Very broad high-volume runs can take longer because the Actor politely checks multiple public sources.
Troubleshooting
- No results: try a broader keyword or add one or more domains.
- Few domain results: not every domain publishes security.txt or a public disclosure policy.
- Missing rewards: many VDPs do not publish bounty amounts.
- Slow run: reduce maxItems or use a more specific keyword.
- Duplicate-looking records: the Actor deduplicates by normalized name and URL, but some companies operate separate programs on different platforms.
Pricing Guidance
The Actor is optimized for low compute usage with HTTP scraping rather than browser automation. Small test runs are designed to stay cheap, and larger exports scale mainly with the number of public sources and detail pages checked. A simple pay-per-result model is recommended for Store monetization because each dataset item maps directly to user value.
For the clearest customer experience, charge per collected program record and keep Apify platform usage visible or included according to your Store pricing setup. Very broad runs should use a sensible maxItems limit so customers can control cost.
FAQ
Can I scrape HackerOne and Bugcrowd bug bounty programs?
Yes. Select hackerone, bugcrowd, or keep the default all source selection.
Can I find security.txt contacts?
Yes. Add domains or URLs with startUrls; the Actor checks security.txt and public policy pages automatically.
Can I find vulnerability disclosure programs for specific domains?
Yes. Add domains or URLs with startUrls; the Actor checks security.txt and generic public policy pages automatically.
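For checking a security.txt file yourself, the following added example (not the Actor's own code) parses the RFC 9116 format and reports missing or stale fields alongside the contact e-mails. The function name, the sample file, and the strict reading of Contact as mailto:, https:// or tel: only are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample in RFC 9116 format; not fetched from any real site.
SAMPLE = """\
# Constructed example
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2030-01-01T00:00:00Z
Policy: https://example.com/security
"""

def parse_security_txt(text, now=None):
    """Return fields, contact e-mails and RFC 9116 problems for one file."""
    now = now or datetime.now(timezone.utc)
    fields, problems, in_sig = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN PGP SIGNATURE"):
            in_sig = True  # skip the armored signature of a signed file
        if in_sig or not line or line.startswith(("#", "-----")):
            in_sig = in_sig and not line.startswith("-----END PGP SIGNATURE")
            continue
        name, sep, value = line.partition(":")
        if sep and value.strip():  # field names are case-insensitive
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    for required in ("contact", "expires"):
        if required not in fields:
            problems.append(f"missing required field: {required}")
    if len(fields.get("expires", [])) > 1:
        problems.append("Expires must appear exactly once")
    for value in fields.get("expires", [])[:1]:
        try:
            stamp = value[:-1] + "+00:00" if value[-1] in "Zz" else value
            expires = datetime.fromisoformat(stamp)
            if expires.tzinfo is None:
                problems.append("Expires has no UTC offset")
            elif expires < now:
                problems.append(f"expired on {value}")
        except ValueError:
            problems.append(f"unparseable Expires: {value}")
    for value in fields.get("contact", []):
        if not value.lower().startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:, https:// or tel: URI: {value}")
    for name in ("policy", "encryption", "acknowledgments", "canonical", "hiring"):
        for value in fields.get(name, []):
            if value.lower().startswith("http://"):
                problems.append(f"{name} uses plain http: {value}")
    emails = [v[7:] for v in fields.get("contact", []) if v.lower().startswith("mailto:")]
    return {"fields": fields, "emails": emails, "problems": problems}
```

An expired or incomplete file is worth flagging in an export, because a stale contact address can mean reports go unread.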
Does this include private bug bounty programs?
No. It only collects public programs and public policy pages.
Can I monitor new or updated programs?
Yes. The Actor stores content hashes and marks records as new, updated, or unchanged across runs using the same default key-value store.
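To run the same kind of change tracking on your own exports, this added example (not the Actor's implementation) keys each record by normalized name and URL and hashes only the non-volatile fields, so a new scrapedAt timestamp alone never counts as an update. The normalization rules, the SHA-256 over canonical JSON, and the function names are assumptions; the field names come from the output example above.

```python
import hashlib
import json
import re

# Fields that change on every run and must not influence the content hash.
VOLATILE = {"scrapedAt", "firstSeenAt", "lastSeenAt", "changeStatus"}

# Constructed record using field names from the output example.
SAMPLE_RECORD = {
    "programName": "Example Security Program",
    "programUrl": "https://hackerone.com/example",
    "bountyMax": 5000,
    "safeHarbor": True,
    "scrapedAt": "2026-06-16T08:00:00.000Z",
}


def record_key(item):
    """Stable identity: normalized program name plus normalized program URL."""
    name = re.sub(r"[^a-z0-9]+", " ", item.get("programName", "").lower()).strip()
    url = re.sub(r"^https?://(www\.)?", "", item.get("programUrl", "").lower())
    return f"{name}|{url.rstrip('/')}"


def content_hash(item):
    """SHA-256 over canonical JSON of the non-volatile fields."""
    stable = {k: v for k, v in item.items() if k not in VOLATILE}
    blob = json.dumps(stable, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def classify(items, previous):
    """Return ({key: status}, new_state) given the prior run's {key: hash}."""
    statuses, state = {}, {}
    for item in items:
        key, digest = record_key(item), content_hash(item)
        if key not in previous:
            statuses[key] = "new"
        elif previous[key] != digest:
            statuses[key] = "updated"
        else:
            statuses[key] = "unchanged"
        state[key] = digest
    return statuses, state
```

Persist the returned state between runs; an "updated" status on a record whose safeHarbor or scope changed is the cue to re-read the linked policy.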
Is it safe to use results for vulnerability testing?
Use the output as a discovery aid only. Always read the linked program policy, scope, and safe harbor text before testing.
What keywords should I try?
Common searches include fintech, crypto, cloud, SaaS, API, mobile, company names, and domain names.
Can I export bug bounty leads to CSV or Excel?
Yes. Open the Apify Dataset after the run and export the results as CSV, Excel, JSON, XML, RSS, HTML, or through the Apify API.