OpenCIRT payments and rewards

One of our main goals at OpenCIRT is to protect and secure as many systems as we can.

In order to achieve that, we operate a free platform where a security researcher can submit a report to any company, and there is never an obligation for the company to compensate us or the researcher.

With that said, considering our previous experiences and the fact that many companies appreciate that fact that our service is incredibly valuable because it allows them to keep security issues private, and fix them before they can be exploited maliciously by criminals – we encourage companies to reward the hacker based on the report’s severity.

Again, any compensation is always voluntary, never enforced.

If a company decides to compensate the hackers’ effort by assigning a bounty, the reward will be split between the hacker (who gets 75%) and OpenCIRT (25%).

Our cut is necessary for us in order to operate the platform, perform the report triage, and deliver all the logistics necessary to bring reports to the right hands at the receiver organization.

We accept payment from companies via wire transfers (within the EU) or Credit Card (globally), and we pay out hackers via wire transfers (non-FIAT options are in the plans as well). Payments to hackers are operated via Xolo Teams, which supports almost every in the world and guarantees a smooth payment process.

If you are from one of the following countries, you must be able to invoice us to get paid:

  • Afghanistan
  • Belarus
  • Crimea
  • Cuba
  • Iran
  • North Korea
  • Russia
  • Syria
  • Venezuela

If a hacker has submitted an anonymous report and it has been rewarded, of course, we keep 100% of the bounty. Those funds will be used for OpenCIRT direct bounties, assigned to security researchers in special cases when a vulnerability is highly impactful but there is no response/reward from the company.

If you have any questions about payments, please get in touch.