Vuneum is a bounty management platform built for researchers and the organizations that work with them. It handles the full lifecycle of a bug bounty program — from submission through payout — with transparency and fairness at every step.
Vuneum is not a security scanner, not an AI pentesting tool, not a recon framework, and not an exploit automation platform. It does not find vulnerabilities. It manages the human process around them.
- A program management dashboard for organizations running bounty programs
- A structured submission and tracking system for security researchers
- A triage workflow that requires proof at every decision point
- A transparent duplicate-claim system backed by mandatory evidence
- A dispute resolution process with documented arguments and decisions
- A payout tracker where the platform only earns when the researcher gets paid
- A public transparency dashboard showing real metrics for every program
- A reputation system based on signal quality, not gamification
| Principle | What it means |
|---|---|
| Fair Triage | Every report gets reviewed. No silent closes. No ignored submissions. |
| Proof-Based Decisions | Duplicate claims, severity changes, and rejections require documented reasoning. |
| Immutable Timeline | Every status change creates a permanent, auditable event. |
| Aligned Incentives | The platform fee applies only when a valid bounty is paid. If the researcher doesn't eat, Vuneum doesn't eat. |
| Public Accountability | Transparency metrics — response times, duplicate rates, total paid — are visible for every program. |
| Researcher Voice | Researchers can dispute decisions with a documented review process. |
- Program Management — Create and manage bounty programs with scope definitions, reward tables, severity classifications, and disclosure policies.
- Structured Triage — Reports move through a validated state machine. Triagers cannot skip steps or close without evidence.
- Duplicate Control — Marking a report as duplicate requires five mandatory proofs: root cause, asset comparison, impact overlap, submission timing, and triager reasoning.
- Dispute Resolution — Researchers can challenge decisions. Every dispute is documented with arguments, responses, and final rulings.
- Payout Tracking — Track rewards, fees, and net researcher payouts. Platform fees apply only to paid valid bugs.
- Evidence-Based Submissions — Submit with structured impact assessments, reproduction steps, PoC attachments, and suggested fixes.
- Status Visibility — See exactly where your report stands in the triage pipeline, with a complete timeline of every action taken.
- Dispute Rights — Challenge duplicate decisions, severity downgrades, invalid rejections, and payout issues through a formal review process.
- Meaningful Reputation — Reputation based on valid reports, PoC quality, severity accuracy, and signal. No fake gamified points.
- Public Transparency — Every program exposes real metrics: average response time, triage time, duplicate rate, rejection rate, total paid, and valid report count.
- Dark & Light Mode — Clean, professional interface built for long sessions.
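The validated state machine, the five mandatory duplicate proofs and the immutable timeline described above, modelled as an added Python example that is not Vuneum's own code. The state names, the evidence keys for the invalid and paid states, and the hash-chained event log are assumptions about one way to implement those rules.

```python
import hashlib
import json
from dataclasses import dataclass, field
# Illustrative model of the triage rules described above. State names and the
# evidence keys for "invalid" and "paid" are assumptions, not Vuneum's schema.
TRANSITIONS = {
    "submitted": {"triaging"},
    "triaging": {"valid", "duplicate", "invalid"},
    "valid": {"paid"},
    "duplicate": {"disputed"},
    "invalid": {"disputed"},
    "disputed": {"triaging"},
}
DUPLICATE_PROOFS = frozenset({"root_cause", "asset_comparison", "impact_overlap", "submission_timing", "triager_reasoning"})
REQUIRED_EVIDENCE = {"duplicate": DUPLICATE_PROOFS, "invalid": frozenset({"triager_reasoning"}),
                     "paid": frozenset({"payout_reference"})}
GENESIS = "0" * 64  # prev-hash of the first timeline event

def _digest(event):
    return hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()

@dataclass
class Report:
    status: str = "submitted"
    events: list = field(default_factory=list)  # append-only, hash-chained timeline

    def transition(self, to, actor, **evidence):
        # Reject skipped steps, then reject decisions lacking the evidence the target state demands.
        if to not in TRANSITIONS.get(self.status, set()):
            raise ValueError(f"illegal transition {self.status} -> {to}")
        missing = REQUIRED_EVIDENCE.get(to, frozenset()) - {k for k, v in evidence.items() if v}
        if missing:
            raise ValueError(f"{to} requires evidence: {sorted(missing)}")
        prev = self.events[-1]["hash"] if self.events else GENESIS
        event = {"from": self.status, "to": to, "actor": actor, "evidence": evidence, "prev": prev}
        event["hash"] = _digest(event)
        self.events.append(event)
        self.status = to
        return event

    def verify_timeline(self):
        # Recompute the chain; an edited, removed or reordered event breaks it.
        prev = GENESIS
        for ev in self.events:
            body = {k: v for k, v in ev.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != ev["hash"]:
                return False
            prev = ev["hash"]
        return True
```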
For setup instructions, see docs/DEVELOPMENT.md.
For API documentation, see docs/API.md.
MIT — see LICENSE.
Copyright (c) 2026 cyber security community
Contributions are welcome. See CONTRIBUTING.md for guidelines, and CODE_OF_CONDUCT.md for community standards.
Security issues should be reported privately — see SECURITY.md.
Vuneum — Aligned incentives, fair outcomes.