Bug Bounty Program

Earn money and recognition for your responsible security disclosures!

Gluu, Inc.


600 Congress Ave. Floor 14
Austin, TX 78701


Schedule a call

Need to get in touch with us? Click the button below to access our online calendar.

White Hat Bug Bounty Program

Gluu fully supports and values the security research community. As such, we encourage researchers to responsibly disclose security vulnerabilities after reviewing our responsible disclosure policy and bug bounty guidelines found on this page.

Responsible Disclosure Policy

Responsible disclosure of security vulnerabilities helps ensure security and privacy for our community. Responsible disclosure includes:

  • Provide us with a reasonable amount of time to fix the security vulnerability before publishing your find.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of services during your research and testing.
  • Only target vulnerabilities in your own deployments for the purpose of your security research, and never attempt to access or disrupt another user’s service.
  • We will not bring legal action against any researcher who discloses security vulnerabilities using the responsible disclosure guidelines above.

Bug Bounty

To show our appreciation and respect to the security researchers who volunteer their time to improving our products, we offer a monetary bounty for certain security bugs.


In addition to adhering to our Responsible Disclosure Policy above, to qualify for a bounty reward you must be the first individual to responsibly disclose the bug, and report a security vulnerability that could compromise the integrity of Gluu products or user data, circumvent privacy protections, or enable unauthorized access to systems protected by Gluu. Our bug bounty also covers SDKs, libraries and plugins developed and supported by Gluu, but excludes third party developed libraries, plugins, applications etc.

Qualifying Bugs

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Authentication Flaws (e.g. Gluu OAuth bugs)
  • Remote Code Execution
  • Privilege Escalation
  • Code Injection

Non-qualifying Bugs

Typically, the following types of bugs are not eligible for a bounty:

  • Security vulnerabilities on sites hosted by third parties unless they lead to a vulnerability in Gluu products
  • Security vulnerabilities in third party applications which use Gluu APIs
  • Security vulnerabilities in third party plugins, libraries or tools that use Gluu APIs
  • Denial of service (DoS)
  • Spamming
  • Social Engineering
  • Bugs affecting outdated or unpatched browsers
  • Biometric forgeries


The minimum bounty for a qualifying security vulnerability is $100 USD. There is no maximum bounty; the value of the bounty is based on a combination of the severity of the bug and creativity of the exploit.

Receive payment by: check (if U.S. citizen); PayPal, Payoneer, Venmo.

Only 1 bounty per bug will be awarded.

Security researchers who don’t want to collect a bounty may have their reward donated to an approved charity upon request.

You must reside in a country not under any current U.S. Sanctions to qualify for a reward.

How to Report a Bug

If you believe you’ve discovered a security vulnerability in any of Gluu’s products, you may responsibly disclose your find by sending an email to security@gluu.org.

Description of vulnerability and potential impact

Please include a detailed description of steps taken to reproduce the bug or proof of concept, name and/or link for (optional) attribution on this page.