Bug Bounty

Outbrain is The Leading Recommendation Platform for the Open Web. We connect users to their interests and help them explore the internet.

No technology is perfect.

We believe that working with skilled security researchers from across the globe is crucial to identifying the weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome any contribution that helps us keep our users safe and to work with you to resolve the issue promptly.

Vulnerability Reporting Policy:

Eligibility to Participate:

To participate in our Bug Bounty Program,you must not:

Rules of Engagement:


Safe Harbor:

Any activities conducted in a manner consistent with this policy will be considered authorized conduct. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Disclosure of Vulnerabilities:


Web traffic to and from Outbrain properties produces petabytes of data every day. When testing, you can make it easier for us to identify your testing traffic against our normal data and the malicious actors out in the world. Please do the following when participating in Outbrain bug bounty programs:

When attempting to demonstrate root permissions with the following primitives in a vulnerable process please use the following commands:

Minimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and/or data.

Before causing damage or potential damage: Stop, report what you've found and request additional testing permission.


If our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:


Outbrain will make a best effort to adhere to the following response targets:

Type of ResponseBusiness days
First Response3 days
Time to Triage12 days
Time to Bounty20 days
Time to ResolutionDepends on severity and complexity


Domains in scope:

The following issues are considered out of scope:

Multiple bug reports that involve the same vulnerability but are on a different host, path or parameter will be considered as duplicated reports. Please report only the first that is discovered and include the others in the original report.



How is the severity determined?

Outbrain reserves the right to make a final decision regarding the severity of a reported finding. Upon receipt of the finding, we will conduct an internal investigation and determine the severity of the finding by considering multiple factors including but not limited to:

Valued Vulnerabilities

Here are some examples of common vulnerabilities and their classified severity range. Vulnerabilities not listed in the table are eligible as long as you follow the rules of the program.

WeaknessCWE-IDSeverity Range
OS Command InjectionCWE-78Critical
Cross-Site ScriptingCWE-79Low-High
SQL InjectionCWE-89High-Critical
Information ExposureCWE-200Low-Critical
Cross-Site Request ForgeryCWE-352Medium-High
Open RedirectCWE-601Low
Server-Side Request ForgeryCWE-918Medium-Critical

A valid submission will automtically add you to our official bug bounty program on HackerOne, which will allow you to submit more findings through the HackerOne platform directly.