Bug Bounty

Bug Bounty Program – For Artifex Website Properties

(These include, but are not limited to, artifex.com, ghostscript.com, mupdf.com, and smartoffice.com).

For website-related issues, please submit your bugs here. Submitters of useful reports will receive a letter of recognition only. NO CASH BOUNTIES WILL BE PAID FOR WEBSITE RELATED SUBMISSIONS.

Before submitting a report please review the list of issues which are considered to be out of scope.

Bug Bounty Program – For Software Products Ghostscript, GhostPDL, and MuPDF

The Artifex Bug Bounty Program recognizes the contributions of individuals who invest their time in making our software products (Ghostscript, GhostPDL, and MuPDF) better and more secure. Through this program, we offer monetary compensation and recognition for fixes to bugs that have been marked 'bountiable' in our public bug tracker, or for certain vulnerabilities disclosed properly to our engineering staff. From the public bug tracker, you can view open issues, report new ones, and contribute analysis and fixes. If you wish to contribute fixes to Ghostscript, GhostPDL, or MuPDF you will need to read, understand, and sign the Artifex Contributor License Agreement.

Security vulnerabilities found in our software products must be reported to Artifex in compliance with the terms of the Artifex Security Policy. In order to be eligible for a reward under our bug bounty program, you must follow the responsible disclosure guidelines outlined on that page.

Reward levels are based on bug severity. To be considered for a bounty, please submit a comprehensive report which includes a detailed description of the bug, proof of concept, steps to reproduce, sample files, and accepted fixes. In all cases, final bug classifications will be determined by Artifex.

Typical reward levels are paid as follows:

  • P1 and P2 pay up to $2,000 (USD) each.
  • P3 or P4 pay up to $1,000 (USD) each.
  • P5 pay up to $200 (USD) each.

Artifex will evaluate each submission carefully, and at its own discretion determine whether a reward should be granted, and the amount of the reward. Not all reported issues qualify for a monetary reward. *

Thank you for helping to improve the quality and security of our software products.

*Artifex Software, Inc. complies with all US tax agency reporting requirements. We do not withhold taxes on bug bounty payments, but for US Citizens and US Resident Aliens, we will require an IRS form W9 for bounties over $600 before a payment can be made.