The Artifex Bug Bounty Program recognizes the contributions of individuals who invest their time in making our software products (Ghostscript, GhostPDL, and MuPDF) better and more secure. Through this program, we offer monetary compensation and recognition for fixes to bugs that have been marked 'bountiable' in our public bug tracker, or for certain vulnerabilities disclosed properly to our engineering staff. From the public bug tracker, you can view open issues, report new ones, and contribute analysis and fixes. If you wish to contribute fixes to Ghostscript, GhostPDL, or MuPDF, you will need to read, understand, and sign the Artifex Contributor License Agreement.

Security vulnerabilities found in our software products must be reported to Artifex in compliance with the terms of the Artifex Security Policy. In order to be eligible for a reward under our bug bounty program, you must follow the responsible disclosure guidelines outlined on that page.

Reward levels are based on bug severity. To be considered for a bounty, please submit a comprehensive report which includes a detailed description of the bug, proof of concept, steps to reproduce, sample files, and accepted fixes. In all cases, final bug classifications will be determined by Artifex.

Typical reward levels are paid as follows:

  • P1 and P2 pay up to $2,000 (USD) each.
  • P3 and P4 pay up to $1,000 (USD) each.
  • P5 pays up to $200 (USD) each.

Artifex will evaluate each submission carefully, and at its own discretion determine whether a reward should be granted, and the amount of the reward. Not all reported issues qualify for a monetary reward.*

Thank you for helping to improve the quality and security of our software products.

*For problems/vulnerabilities other than in our software, such as with any website controlled by Artifex Software, Inc., please contact us. Rewards for such reports are handled on a case-by-case basis, and useful reports will receive, at a minimum, a letter of appreciation.

Artifex Software, Inc. complies with all US tax agency reporting requirements. We do not withhold taxes on bug bounty payments, but for US Citizens and US Resident Aliens, we will require an IRS Form W-9 for bounties over $600 before a payment can be made.