Gerobug: The First Open Source Bug Bounty Platform.

Gerobug

The first open source self-managed bug bounty platform.

Are you a company, planning to have your own bug bounty program, with minimum budget?

WE GOT YOU!

We are aware that some organizations have had difficulty establishing their own bug bounty program.
Using a third-party managed platform usually comes with a hefty price tag and security risks. (If you know, you know...)
In the other hand, creating your own self-managed platform will take time and effort to build and maintain it.

Why Gerobug?

• EASY                     : Have your bug bounty program running with just single line of command
• SECURE                 : Gerobug uses email parser and network segregation to minimize security risks.
• OPEN SOURCE     : It is FREE.

(Minimum) Recommended Specification

• Ubuntu 24.04
• vCPU 2 Core
• RAM 2 GB
• HDD 16 GB

Requirements

• Gmail or Outlook Email with App password implemented
• VPN Server (Recommended for Production Server)
• Domain for HTTPS (Recommended for Production Server)
• Port 80, 443, 6320
• Python 3.x
• Docker
• Docker Compose v2

(You don't need to install anything manually, we'll do it for you!)

Deployment and Usage

To deploy gerobug:

1. Clone this repository

   git clone https://github.com/gerobug/gerobug
   cd gerobug

2. Run the Setup Script:

   ./gerobug.sh

3. Follow the setup instructions (Read the documentation for details)
4. By default, Gerobug Dashboard will listen at port 6320

Access the login page at http://[Domain/IP]:6320/login

Credential
Username  : geromin
Password   : Randomly generated at gerobug/gerobug_dashboard/secrets/gerobug_secret.env

You can read the detailed documentation here

Main Features

• Network Segregation
  All services are running on seperate containers. Public users should only able to access the static page (Rules and guidelines).

• Easy and Quick Installation
  Use our run script to install Gerobug, its quick and easy!

• HTTPS Implementation
  Automated HTTPS configuration using NGINX and Let's Encrypt.

• Homepage
  This should be the only page accessible by public, which contains Rules and Guidelines for your bug bounty program.

• Email Parser
  Bug Hunter will submit their findings by email, which Gerobug will parse, filter, and show them on dashboard.

• Auto Reply and Notification for Bug Hunters
  Bug Hunter's inquiries will be automatically replied and notified if there any updates on their report.

• Notification Channel
  Company will also be notified via Slack/Telegram if there any new report.

• User Management
  Gerobug has a role-based user management.

• Report Management
  Manage reports easily using a kanban model dashboard.

• Report Filtering and Flagging
  Reports from Bug Hunter will be filtered and flagged if there are duplicate indication.

• CVSS / OWASP Risk Calculator
  Gerobug has an integrated CVSS / OWASP Risk Calculator to support the bug review process.

• Email Blacklisting
  Gerobug can temporarily block and release emails that conducted spam activity.

• Auto Generate Certificate
  We can generate certificate of appreciations for bug hunters so you don't have to ;)

• Personalization
  You can customize Gerobug to fit your brand colors

• Logging and Log Rotation
  Gerobug have internal audit log with log rotation enabled

• Hall of Fame / Wall of fame / Leaderboard
  Yeah we have it too

Authors

• @VGR6479
• @as3ng
• @jessicaggan

Feedback

If you have any feedback, please reach out to us at gerobug.id@gmail.com