There are a couple of new bug bounty programs on HackerOne for popular open source libraries:

  • libcap
  • ImageMagick
  • libpng
  • GraphicsMagick
  • curl
  • tcpdump

They started last week (Sep 22nd, 2017). You can find the rules, scope and other details on HackerOne.

Those are well-known tools and libraries, and they have already received quite a lot of attention from the security community, so it looks like discovering new issues there is going to be challenging. Looking for a challenge? This may be a good one for sure. By the way, the minimum bounty is $500. Not too much, but you are also going to get some credit for making the world better.

The libraries are mostly written in C/C++, so you may want to start with fuzzing. However, if you search for fuzzing results for the libraries above, you will find that security researchers have already put some effort into it. On the other hand, it never hurts to try even harder. You can also contribute to Google’s OSS-Fuzz project and add support for fuzzing those libraries. OSS-Fuzz already has libpng and curl, but it seems there may be some room for libcap, ImageMagick, GraphicsMagick and tcpdump.

Good luck!