FunCaptcha Bug Bounty Program

FunCaptcha recognizes the importance of security researchers in helping keep our product secure and our users safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.

Responsible Disclosure

Responsible disclosure includes:

  1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
  2. Making a good faith effort to not leak or destroy any FunCaptcha user data.
  3. Not defrauding FunCaptcha users or FunCaptcha itself in the process of discovery.

FunCaptcha will not pursue legal action against security researchers who follow the guidelines outlined in this page and responsibly disclose vulnerabilities to us.


If you’d like to be recognized for your contribution, we’d love to add you to our Hall of Fame list, by name or anonymously. We reward cash bounties for valid FunCaptcha API reports.


FunCaptcha reserves the right to decide if the minimum severity threshold is met and whether it was previously reported.

In general, anything which has the potential for bypass of solving FunCaptcha or data breach is of sufficient severity, including:

  • Authentication bypass or privilege escalation
  • Remote code execution
  • Obtaining user information
  • Bypassing FunCaptcha without having to participate in the challenges
  • Automating solving FunCaptcha challenges
  • Bypassing public/private key validation

In general, the following would not meet the threshold for severity:

  • Denial of service
  • Spamming
  • Clickjacking, XSS or others that do not demonstrate a viable proof of concept for attack.

Attacks on should have the potential to affect the consistency, integrity of the data and/or web service, or allow an attacker to access/modify other users’ data.

For vulnerabilities that require specific actions to be taken by a target, i.e. clickjacking, you must be able to demonstrate that it be reasonable and practical to carry out such an attack, and that the severity of the threat meets our requirements.

Domains not in scope

  • Any code loaded from non domains


How To Disclose

You can disclose a vulnerability by clicking this link:

Disclose a vulnerability

Please include if possible:

  • Description and potential impact
  • Steps to reproduce the issue or a proof of concept
  • Name and link for attribution on this page

Thank you for your help!