Help us keep Octopus secure for everyone. Find vulnerabilities, report them responsibly, and earn rewards.
We reward security researchers based on the severity and impact of their findings.
Up to $2,000 for critical vulnerabilities like RCE, auth bypass, or data leaks.
Exclusive Octopus stickers, t-shirts, and limited-edition merch for valid reports.
Free usage credits on Octopus so you can review more PRs on us.
Your name in our Hall of Fame, README, and a contributor badge on your profile.
Rewards scale with the impact of the vulnerability. Here is how we classify findings.
RCE, authentication bypass, mass data exposure, SQL injection: $500 - $2,000 + swag + credits
Stored XSS, IDOR, privilege escalation, API key leakage: $100 - $500 + swag + credits
CSRF, reflected XSS, information disclosure, open redirect: Swag + credits + recognition
Minor misconfiguration, missing security headers, best practice violations: Recognition + sticker pack
Only test within the defined scope. Out-of-scope submissions will not be eligible for rewards.
Follow these guidelines to ensure your research is authorized and eligible for rewards.
Give us 90 days to fix the issue before any public disclosure.
Only test against accounts you own. Do not access other users' data.
Do not use automated mass scanning tools that degrade service for others.
Submit reports through the designated channels listed below.
One vulnerability per report. Chaining is fine, but describe each step.
Do not publicly disclose the vulnerability before we confirm the fix.
Write your report in English with clear reproduction steps.
Security researchers who helped make Octopus safer.
Be the first to earn a spot here.
Submit a report
Choose the channel that works best for you. Include clear reproduction steps and the expected vs. actual behavior.
Octopus reserves the right to modify or cancel this program at any time.
Reward amounts are at our discretion based on impact and quality of the report.