Vercel 开源软件Bug赏金计划现已可用
来源: Vercel News
Security is foundational to everything we build at Vercel. Our open source projects power millions of applications across the web, from small side projects to demanding production workloads at Fortune 500 companies. That responsibility drives us to keep investing in security for the platform and the broader ecosystem.
Today, we're opening the Vercel Open Source Software (OSS) bug bounty program to the public on HackerOne. We're inviting security researchers everywhere to find vulnerabilities, challenge assumptions, and help us reduce risk for everyone building with these tools.
Since August 2025, we've run a private bug bounty for our open source software with a small group of researchers. That program produced multiple high-severity reports across our Tier 1 projects and helped us refine our processes for triage, fixes, coordinated disclosure, and CVE publication. Now we're ready to expand.
Building on our foundation of security investment
Last fall, we opened a bug bounty program focused on Web Application Firewall and the React2Shell vulnerability class. Rather than wait for bypasses to surface in the wild, we took a proactive approach: pay security researchers to find them first.
That program paid out over $1M across dozens of researchers who helped us find and fix vulnerabilities before attackers could. The lesson was clear. Good incentives and clear communication turn researchers into partners, not adversaries.
Opening our private OSS bug bounty program to the public is the natural next step. Security vulnerabilities in these projects don't just affect Vercel; they affect everyone who builds with these tools. Finding and fixing them protects millions of end-users.
Which projects are covered
All Vercel open source projects are in scope. The projects listed below represent the core of the Vercel open source ecosystem. These are the frameworks, libraries, and tools that millions of developers rely on daily.
Core projects included in the HackerOne program
Project | Description |
|---|---|
React framework for production web applications | |
Vue.js framework for modern web development | |
React Hooks library for data fetching | |
Framework for building user interfaces | |
High-performance build system for monorepos | |
TypeScript toolkit for AI applications | |
Command-line interface for Vercel platform | |
Durable workflow execution engine | |
Feature flags SDK | |
Tiny millisecond conversion utility | |
Universal server engine | |
Semaphore for async operations | |
The open agent skills tool: npx skills |
These are the projects where vulnerabilities have the highest potential impact, and where we prioritize incident response, vulnerability management, and CVE publication.
How to participate
If you’re a security researcher and ready to start hunting, visit HackerOne to find everything you need: scope details, reward ranges, and submission guidelines.
When you find a vulnerability, submit it through HackerOne with clear reproduction steps. Our security team reviews every submission and works directly with researchers through the disclosure process. We're committed to fast response times and transparent communication.
We appreciate the researchers who take the time to dig into our code and report issues responsibly. Your work helps keep these projects safer for everyone.
Join our bug bounty program or learn more about security at Vercel.