
The Vercel OSS Bug Bounty program is now available

Blog post from Vercel

Author: Andy Riancho
Word Count: 533
Language: English
Summary

Vercel has launched a public bug bounty program on HackerOne for its open-source projects, inviting security researchers to identify vulnerabilities and enhance the security of its widely-used tools, which include frameworks like Next.js and Nuxt, among others. This initiative follows a successful private bug bounty program that began in August 2025, which yielded significant security insights and improvements. By opening the program to the public, Vercel aims to build on its proactive security measures that previously paid out over $1 million to researchers, emphasizing collaboration over confrontation. The program covers all Vercel open-source projects, prioritizing those with the highest potential impact, and provides clear guidelines for participation and reporting. Researchers are encouraged to submit vulnerabilities with detailed reproduction steps via HackerOne, where Vercel's security team is committed to prompt and transparent handling of disclosures to protect the millions of applications relying on these tools.