# Bug Bounty Program Finder (`thescrapelab/bug-bounty-program-finder`) Actor
Find public bug bounty programs, vulnerability disclosure programs, security.txt contacts, rewards, scope, safe harbor notes, and disclosure policy URLs.
- **URL**: https://apify.com/thescrapelab/bug-bounty-program-finder.md
- **Developed by:** [Inus Grobler](https://apify.com/thescrapelab) (community)
- **Categories:** Developer tools, Lead generation, Automation
- **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, 0 bookmarks
- **User rating**: No ratings yet
## Pricing
from $0.25 / 1,000 results
This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events.
Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event
## What's an Apify Actor?
Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".
## How to integrate an Actor?
If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.
In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):
```bash
npm install apify-client
```
In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md):
```bash
pip install apify-client
```
In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):
````bash
# MacOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```bash
In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).
If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).
For usage examples, see the [API](#api) section below.
For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).
# README
## Bug Bounty Program Finder
Bug Bounty Program Finder is a bug bounty scraper, vulnerability disclosure program finder, and security.txt scraper for security researchers, AppSec teams, OSINT analysts, sales teams, and cybersecurity vendors.
At a glance: input examples, output examples, use cases, limitations, troubleshooting, and pricing/cost guidance are included below for small discovery checks and larger security-program exports.
Use it to discover public bug bounty programs, VDPs, responsible disclosure pages, security contact emails, reward ranges, safe harbor signals, and program URLs across HackerOne, Bugcrowd, Intigriti, YesWeHack, disclose.io, Open Bug Bounty, HackenProof, security.txt files, and public security policy pages.
### What You Can Do
- Find public bug bounty and VDP programs by keyword, company, industry, or domain.
- Check specific domains for security.txt files and public disclosure policy pages.
- Export normalized program records for CRM, research, attack surface management, or monitoring workflows.
- Filter by program type, bounty amount, safe harbor signals, and changed records.
- Optionally enrich in-scope domains with passive DNS lookups.
### Best For
- Security researchers looking for public bounty opportunities and responsible disclosure contacts.
- AppSec and vulnerability management teams building a list of disclosure programs for vendors, partners, or assets.
- OSINT analysts researching security policy pages, security.txt files, and public reporting channels.
- Cybersecurity sales and marketing teams building lead lists of companies with active security programs.
- Bug bounty platforms, consultancies, and managed security providers tracking program coverage.
### Supported Public Sources
The Actor searches public directories and public web pages. Supported sources include HackerOne, Bugcrowd, Intigriti, YesWeHack, disclose.io, Open Bug Bounty, HackenProof, Yandex bug bounty listings, security.txt files, and generic public security policy pages.
### What Data You Get
Output examples, dataset fields, limitations, troubleshooting, and pricing guidance are included below so you can evaluate the data before running larger exports.
Each dataset item can include:
- Program and company name
- Hosting platform or discovery source
- Program URL, policy URL, submission URL, and source URL
- Program type: bug bounty, VDP, security.txt, security policy, or unknown
- Minimum and maximum bounty when visible
- Currency and reward summary
- Safe harbor signal and safe harbor URL when detected
- Contact email or security.txt URL when available
- In-scope assets and optional DNS enrichment
- Tags, opportunity score, content hash, first seen date, last seen date, and change status
### Simple Input
Most users only need a keyword and a result limit:
```json
{
"query": "fintech",
"maxItems": 100
}
````
To check specific domains:
```json
{
"domainOrUrl": "https://github.com/security",
"maxItems": 50
}
```
`startDomains` and `startUrls` are still supported for older API integrations. New Console users can use the `Domains or URLs` dropdown.
Good starter keywords include `fintech`, `crypto`, `cloud`, `SaaS`, `API`, `mobile`, `healthcare`, `banking`, company names, and domain names.
### Automatic Defaults
The Actor keeps setup simple by default:
- It searches all supported public sources.
- It visits detail pages when useful for richer scope, reward, submission, and safe harbor data.
- It includes paid bug bounty programs, VDPs, security.txt records, and public security policy pages.
- It does not run optional DNS enrichment unless an existing integration explicitly enables it.
- It keeps older advanced input fields working for API users, but new users do not need to configure them.
### Output Examples
```json
{
"programName": "Example Security Program",
"companyName": "Example",
"platform": "HackerOne",
"programType": "bug_bounty",
"programUrl": "https://hackerone.com/example",
"policyUrl": "https://example.com/security",
"submissionUrl": "https://hackerone.com/example/reports/new",
"sourceUrl": "https://hackerone.com/example",
"isPublic": true,
"requiresLogin": false,
"bountyMax": 5000,
"currency": "USD",
"rewardSummary": "Up to $5,000",
"safeHarbor": true,
"contactEmail": "security@example.com",
"tags": ["public", "paid", "safe-harbor"],
"opportunityScore": 70,
"changeStatus": "new",
"firstSeenAt": "2026-06-16T08:00:00.000Z",
"lastSeenAt": "2026-06-16T08:00:00.000Z",
"scrapedAt": "2026-06-16T08:00:00.000Z"
}
```
### Running On Apify
1. Open the Actor in Apify Console.
2. Enter a keyword, domains, or both.
3. Set `maxItems` to the number of records you need.
4. Start the run.
Results are streamed to the default Apify Dataset during the run, so partial results remain useful if a long run is stopped or times out.
### Exporting Results
Open the run dataset and export results as JSON, CSV, Excel, XML, RSS, or HTML from Apify Console. For automation, use the Apify API client:
```python
from apify_client import ApifyClient
client = ApifyClient("YOUR_APIFY_TOKEN")
run = client.actor("thescrapelab/bug-bounty-program-finder").call(run_input={
"query": "cloud",
"maxItems": 100,
})
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
print(item["programName"], item.get("programUrl"))
```
### Limitations And Caveats
- The Actor only collects public programs and public policy pages. It does not access invite-only or private programs.
- Some sources may change page structure, block requests, or temporarily return fewer records.
- Detail extraction depends on what each program publicly displays.
- `safeHarbor` means safe harbor language was detected; always review the linked policy before testing.
- Very broad high-volume runs can take longer because the Actor politely checks multiple public sources.
### Troubleshooting
- No results: try a broader keyword or add one or more domains.
- Few domain results: not every domain publishes security.txt or a public disclosure policy.
- Missing rewards: many VDPs do not publish bounty amounts.
- Slow run: reduce `maxItems` or use a more specific keyword.
- Duplicate-looking records: the Actor deduplicates by normalized name and URL, but some companies operate separate programs on different platforms.
### Pricing Guidance
The Actor is optimized for low compute usage with HTTP scraping rather than browser automation. Small test runs are designed to stay cheap, and larger exports scale mainly with the number of public sources and detail pages checked. A simple pay-per-result model is recommended for Store monetization because each dataset item maps directly to user value.
For the clearest customer experience, charge per collected program record and keep Apify platform usage visible or included according to your Store pricing setup. Very broad runs should use a sensible `maxItems` limit so customers can control cost.
### FAQ
#### Can I scrape HackerOne and Bugcrowd bug bounty programs?
Yes. Select `hackerone`, `bugcrowd`, or keep the default `all` source selection.
#### Can I find security.txt contacts?
Yes. Add domains or URLs with `startUrls`; the Actor checks security.txt and public policy pages automatically.
#### Can I find vulnerability disclosure programs for specific domains?
Yes. Add domains or URLs with `startUrls`; the Actor checks security.txt and generic public policy pages automatically.
#### Does this include private bug bounty programs?
No. It only collects public programs and public policy pages.
#### Can I monitor new or updated programs?
Yes. The Actor stores content hashes and marks records as `new`, `updated`, or `unchanged` across runs using the same default key-value store.
#### Is it safe to use results for vulnerability testing?
Use the output as a discovery aid only. Always read the linked program policy, scope, and safe harbor text before testing.
#### What keywords should I try?
Common searches include `fintech`, `crypto`, `cloud`, `SaaS`, `API`, `mobile`, company names, and domain names.
#### Can I export bug bounty leads to CSV or Excel?
Yes. Open the Apify Dataset after the run and export the results as CSV, Excel, JSON, XML, RSS, HTML, or through the Apify API.
# Actor input Schema
## `query` (type: `string`):
Optional search term for finding public bug bounty programs and vulnerability disclosure programs. Use a company name, domain, industry, or topic such as fintech, cloud, crypto, SaaS, or API.
## `domainOrUrl` (type: `string`):
Optional preset domain or security page to check directly. Leave blank to search by keyword only.
## `startUrls` (type: `array`):
Backward-compatible API field for custom domains or URLs to check directly for security.txt files, security pages, and public disclosure policy pages.
## `startDomains` (type: `array,string`):
Legacy field for direct domain checks. You can use this or the Domains or URLs field above.
## `sources` (type: `array`):
Choose where to search for bug bounty programs, VDPs, security.txt contacts, and policy pages. Keep the default to search every supported public source.
## `maxItems` (type: `integer`):
Maximum number of program records to collect. Use a small limit for testing and a larger limit for full exports.
## `includeDetails` (type: `boolean`):
Visit individual program pages to extract richer scope, reward, submission, and safe harbor details. Turn off for cheaper directory-only runs.
## `programType` (type: `string`):
Optionally keep only one type of result.
## `minBounty` (type: `integer`):
Only include programs with a known maximum reward at or above this amount. Set 0 for no reward filter.
## `includeNoRewardPrograms` (type: `boolean`):
Include vulnerability disclosure programs and policy pages that do not publish a monetary reward.
## `safeHarborOnly` (type: `boolean`):
Only return programs where safe harbor language was detected.
## `enrichAssets` (type: `boolean`):
Passively resolve IPs, CNAMEs, and TXT records for in-scope domains. This can make runs slower and should only be enabled when you need DNS context.
## `changedSince` (type: `string`):
Optional ISO date. When combined with a previous run, only return programs first seen or updated since this date.
## Actor input object example
```json
{
"query": "fintech",
"domainOrUrl": "https://github.com/security",
"startUrls": [
{
"url": "https://github.com/security"
}
],
"sources": [
"all"
],
"maxItems": 100,
"includeDetails": true,
"programType": "all",
"minBounty": 0,
"includeNoRewardPrograms": true,
"safeHarborOnly": false,
"enrichAssets": false,
"changedSince": "2026-01-01"
}
```
# Actor output Schema
## `programs` (type: `string`):
Structured public bug bounty, VDP, security.txt, and security policy records in the default Dataset.
## `runSummary` (type: `string`):
Run summary with result counts, source counts, duplicate count, and source-level errors.
# API
You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.
## JavaScript example
```javascript
import { ApifyClient } from 'apify-client';
// Initialize the ApifyClient with your Apify API token
// Replace the '' with your token
const client = new ApifyClient({
token: '',
});
// Prepare Actor input
const input = {
"query": "security",
"startUrls": [
{
"url": "https://github.com/security"
}
]
};
// Run the Actor and wait for it to finish
const run = await client.actor("thescrapelab/bug-bounty-program-finder").call(input);
// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
console.dir(item);
});
// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs
```
## Python example
```python
from apify_client import ApifyClient
# Initialize the ApifyClient with your Apify API token
# Replace '' with your token.
client = ApifyClient("")
# Prepare the Actor input
run_input = {
"query": "security",
"startUrls": [{ "url": "https://github.com/security" }],
}
# Run the Actor and wait for it to finish
run = client.actor("thescrapelab/bug-bounty-program-finder").call(run_input=run_input)
# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
print(item)
# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start
```
## CLI example
```bash
echo '{
"query": "security",
"startUrls": [
{
"url": "https://github.com/security"
}
]
}' |
apify call thescrapelab/bug-bounty-program-finder --silent --output-dataset
```
## MCP server setup
```json
{
"mcpServers": {
"apify": {
"command": "npx",
"args": [
"mcp-remote",
"https://mcp.apify.com/?tools=thescrapelab/bug-bounty-program-finder",
"--header",
"Authorization: Bearer "
]
}
}
}
```
## OpenAPI specification
```json
{
"openapi": "3.0.1",
"info": {
"title": "Bug Bounty Program Finder",
"description": "Find public bug bounty programs, vulnerability disclosure programs, security.txt contacts, rewards, scope, safe harbor notes, and disclosure policy URLs.",
"version": "1.0",
"x-build-id": "FjxNKcF1TQb42LVHZ"
},
"servers": [
{
"url": "https://api.apify.com/v2"
}
],
"paths": {
"/acts/thescrapelab~bug-bounty-program-finder/run-sync-get-dataset-items": {
"post": {
"operationId": "run-sync-get-dataset-items-thescrapelab-bug-bounty-program-finder",
"x-openai-isConsequential": false,
"summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
"tags": [
"Run Actor"
],
"requestBody": {
"required": true,
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/inputSchema"
}
}
}
},
"parameters": [
{
"name": "token",
"in": "query",
"required": true,
"schema": {
"type": "string"
},
"description": "Enter your Apify token here"
}
],
"responses": {
"200": {
"description": "OK"
}
}
}
},
"/acts/thescrapelab~bug-bounty-program-finder/runs": {
"post": {
"operationId": "runs-sync-thescrapelab-bug-bounty-program-finder",
"x-openai-isConsequential": false,
"summary": "Executes an Actor and returns information about the initiated run in response.",
"tags": [
"Run Actor"
],
"requestBody": {
"required": true,
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/inputSchema"
}
}
}
},
"parameters": [
{
"name": "token",
"in": "query",
"required": true,
"schema": {
"type": "string"
},
"description": "Enter your Apify token here"
}
],
"responses": {
"200": {
"description": "OK",
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/runsResponseSchema"
}
}
}
}
}
}
},
"/acts/thescrapelab~bug-bounty-program-finder/run-sync": {
"post": {
"operationId": "run-sync-thescrapelab-bug-bounty-program-finder",
"x-openai-isConsequential": false,
"summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
"tags": [
"Run Actor"
],
"requestBody": {
"required": true,
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/inputSchema"
}
}
}
},
"parameters": [
{
"name": "token",
"in": "query",
"required": true,
"schema": {
"type": "string"
},
"description": "Enter your Apify token here"
}
],
"responses": {
"200": {
"description": "OK"
}
}
}
}
},
"components": {
"schemas": {
"inputSchema": {
"type": "object",
"properties": {
"query": {
"title": "Keyword, company, or industry",
"type": "string",
"description": "Optional search term for finding public bug bounty programs and vulnerability disclosure programs. Use a company name, domain, industry, or topic such as fintech, cloud, crypto, SaaS, or API."
},
"domainOrUrl": {
"title": "Domains or URLs",
"enum": [
"",
"https://github.com/security",
"https://stripe.com/security",
"https://hackerone.com/directory/programs",
"https://bugcrowd.com/programs",
"https://yandex.com/bugbounty/"
],
"type": "string",
"description": "Optional preset domain or security page to check directly. Leave blank to search by keyword only.",
"default": ""
},
"startDomains": {
"title": "Domains to check (legacy)",
"description": "Legacy field for direct domain checks. You can use this or the Domains or URLs field above."
},
"sources": {
"title": "Sources to search",
"type": "array",
"description": "Choose where to search for bug bounty programs, VDPs, security.txt contacts, and policy pages. Keep the default to search every supported public source.",
"items": {
"type": "string"
},
"default": [
"all"
]
},
"maxItems": {
"title": "Maximum results",
"minimum": 1,
"maximum": 5000,
"type": "integer",
"description": "Maximum number of program records to collect. Use a small limit for testing and a larger limit for full exports.",
"default": 100
},
"includeDetails": {
"title": "Include detail pages",
"type": "boolean",
"description": "Visit individual program pages to extract richer scope, reward, submission, and safe harbor details. Turn off for cheaper directory-only runs.",
"default": true
},
"programType": {
"title": "Program type filter",
"type": "string",
"description": "Optionally keep only one type of result.",
"default": "all"
},
"minBounty": {
"title": "Minimum visible reward (USD)",
"minimum": 0,
"type": "integer",
"description": "Only include programs with a known maximum reward at or above this amount. Set 0 for no reward filter.",
"default": 0
},
"includeNoRewardPrograms": {
"title": "Include no-reward VDPs",
"type": "boolean",
"description": "Include vulnerability disclosure programs and policy pages that do not publish a monetary reward.",
"default": true
},
"safeHarborOnly": {
"title": "Safe harbor only",
"type": "boolean",
"description": "Only return programs where safe harbor language was detected.",
"default": false
},
"enrichAssets": {
"title": "Enrich in-scope assets with DNS",
"type": "boolean",
"description": "Passively resolve IPs, CNAMEs, and TXT records for in-scope domains. This can make runs slower and should only be enabled when you need DNS context.",
"default": false
},
"changedSince": {
"title": "Changed since",
"type": "string",
"description": "Optional ISO date. When combined with a previous run, only return programs first seen or updated since this date."
}
}
},
"runsResponseSchema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"actId": {
"type": "string"
},
"userId": {
"type": "string"
},
"startedAt": {
"type": "string",
"format": "date-time",
"example": "2025-01-08T00:00:00.000Z"
},
"finishedAt": {
"type": "string",
"format": "date-time",
"example": "2025-01-08T00:00:00.000Z"
},
"status": {
"type": "string",
"example": "READY"
},
"meta": {
"type": "object",
"properties": {
"origin": {
"type": "string",
"example": "API"
},
"userAgent": {
"type": "string"
}
}
},
"stats": {
"type": "object",
"properties": {
"inputBodyLen": {
"type": "integer",
"example": 2000
},
"rebootCount": {
"type": "integer",
"example": 0
},
"restartCount": {
"type": "integer",
"example": 0
},
"resurrectCount": {
"type": "integer",
"example": 0
},
"computeUnits": {
"type": "integer",
"example": 0
}
}
},
"options": {
"type": "object",
"properties": {
"build": {
"type": "string",
"example": "latest"
},
"timeoutSecs": {
"type": "integer",
"example": 300
},
"memoryMbytes": {
"type": "integer",
"example": 1024
},
"diskMbytes": {
"type": "integer",
"example": 2048
}
}
},
"buildId": {
"type": "string"
},
"defaultKeyValueStoreId": {
"type": "string"
},
"defaultDatasetId": {
"type": "string"
},
"defaultRequestQueueId": {
"type": "string"
},
"buildNumber": {
"type": "string",
"example": "1.0.0"
},
"containerUrl": {
"type": "string"
},
"usage": {
"type": "object",
"properties": {
"ACTOR_COMPUTE_UNITS": {
"type": "integer",
"example": 0
},
"DATASET_READS": {
"type": "integer",
"example": 0
},
"DATASET_WRITES": {
"type": "integer",
"example": 0
},
"KEY_VALUE_STORE_READS": {
"type": "integer",
"example": 0
},
"KEY_VALUE_STORE_WRITES": {
"type": "integer",
"example": 1
},
"KEY_VALUE_STORE_LISTS": {
"type": "integer",
"example": 0
},
"REQUEST_QUEUE_READS": {
"type": "integer",
"example": 0
},
"REQUEST_QUEUE_WRITES": {
"type": "integer",
"example": 0
},
"DATA_TRANSFER_INTERNAL_GBYTES": {
"type": "integer",
"example": 0
},
"DATA_TRANSFER_EXTERNAL_GBYTES": {
"type": "integer",
"example": 0
},
"PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
"type": "integer",
"example": 0
},
"PROXY_SERPS": {
"type": "integer",
"example": 0
}
}
},
"usageTotalUsd": {
"type": "number",
"example": 0.00005
},
"usageUsd": {
"type": "object",
"properties": {
"ACTOR_COMPUTE_UNITS": {
"type": "integer",
"example": 0
},
"DATASET_READS": {
"type": "integer",
"example": 0
},
"DATASET_WRITES": {
"type": "integer",
"example": 0
},
"KEY_VALUE_STORE_READS": {
"type": "integer",
"example": 0
},
"KEY_VALUE_STORE_WRITES": {
"type": "number",
"example": 0.00005
},
"KEY_VALUE_STORE_LISTS": {
"type": "integer",
"example": 0
},
"REQUEST_QUEUE_READS": {
"type": "integer",
"example": 0
},
"REQUEST_QUEUE_WRITES": {
"type": "integer",
"example": 0
},
"DATA_TRANSFER_INTERNAL_GBYTES": {
"type": "integer",
"example": 0
},
"DATA_TRANSFER_EXTERNAL_GBYTES": {
"type": "integer",
"example": 0
},
"PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
"type": "integer",
"example": 0
},
"PROXY_SERPS": {
"type": "integer",
"example": 0
}
}
}
}
}
}
}
}
}
}
```