huntr.com discontinued
The ASF will no longer accept huntr.com security reports
For a while now, the third-party bug bounty platform huntr.com has offered bounties for vulnerabilities in some ASF projects. Since reporters using huntr.com didn’t follow our documented disclosure process, we provided no guarantees, but we’d periodically evaluate their reports as a courtesy.
Perhaps due to other bounty programmes closing, perhaps due to LLM tools becoming more widespread, the volume exploded and the quality imploded. By now the majority of reports coming in through our reporting process are LLM-assisted in some way, but the ones coming in through huntr.com appear especially ‘sloppy’. Combined with the fact that there’s no good API to manage reports, it’s no longer sustainable for us to accept reports through this platform. We have notified huntr.com of this but received no response.
If you don’t care about the huntr.com bounty, you may evaluate your report against the projects’ security model (typically linked from https://security.apache.org/projects/) and submit through the official channel, mentioning the Huntr UUID of your previous report. Note that there is no bug bounty, though.