Developer Bug Bounty Program

February 5, 2026

Bug Bounty Program – For Artifex Website Properties

(These include, but are not limited to, artifex.com, ghostscript.com, mupdf.com, and pymupdf.io).

For website-related issues, please submit your bugs on our public bug tracker. Submitters of useful reports will receive a letter of recognition only. NO CASH BOUNTIES WILL BE PAID FOR WEBSITE RELATED SUBMISSIONS.

Out of Scope Bug Reports for Website Properties

The following items are out of scope and will not be considered as bug reports:

  • Attacks requiring physical access to the victim's computer, including employee computer compromise
  • Man-in-the-middle attacks
  • Social engineering, phishing, or other fraud including but not limited to: internationalized domain name (IDN) homograph attacks, Right-to-left (RTL) Ambiguity, RTL Override (RTLO), SPF and DKIM issues, HTML content injection, Tabnabbing
  • Missing Security Headers (e.g. HSTS, CSP) and Missing Secure Flags on Cookies
  • CSRF without any security impact
  • Rate limiting and XSS attacks
  • DMARC protection and email phishing & spoofing attacks

⚠️ There will be no bug bounties or letters of appreciation. People who repeatedly report bugs in these areas in defiance of this list will be excluded from consideration for all future possible bug bounties or letters of appreciation. Furthermore, user accounts from Bugzilla may be removed at our discretion.

Bug Bounty Program – For Software Products Ghostscript, GhostPDL, and MuPDF

The Artifex Bug Bounty Program recognizes the contributions of individuals who invest their time in making our software products (Ghostscript, GhostPDL, and MuPDF) better and more secure.

From the public bug tracker, you can view open issues, report new ones, and contribute analysis and fixes. If you wish to contribute fixes to Ghostscript, GhostPDL, or MuPDF you will need to read, understand, and sign the Artifex Contributor License Agreement.

We will gratefully accept bug reports and submissions of all kinds via our public bug tracker, and thank you for contributing to improving our software for all users.

In addition, through this program, we offer monetary compensation and recognition for two classes of bugs.

Firstly, fixes to bugs that have been marked 'bountiable' in our public bug tracker. These are bugs that Artifex employees have specifically marked, in advance, as being eligible for bounties. Please do not work on a bug that is not so marked in the hopes of it being marked bountiable once you have solved it. Always check with us first.

Such bounties are payable at the discretion of Artifex, and only once a submitted fix is accepted into the source tree. The amount paid for a fix will depend both upon the severity of the bug, and upon how much work is required to bring any proposed fix up to the required quality standard.

Secondly, for certain vulnerabilities disclosed properly to our engineering staff. Security vulnerabilities found in our software products must be reported to Artifex in compliance with the terms of the Artifex Security Policy. In order to be eligible for a reward under our bug bounty program, you must follow the responsible disclosure guidelines outlined on that page.

Reward levels are based on bug severity. To be considered for a bounty, please submit a comprehensive report which includes a detailed description of the bug, proof of concept, steps to reproduce, sample files, and if possible a proposed fix.

We will also accept reports with a Proof of Concept (demonstrating an actual security flaw, not merely a theoretically exploitable issue) but no fix, and reports with a proposed fix but no proof of a security bypass; both kinds of report qualify for lower rewards. In all cases, final bug classifications will be determined by Artifex.

Typical reward levels are paid as follows:

  • P1 and P2 pay up to $1,000 (USD) each.
  • P3 or P4 pay up to $500 (USD) each.
  • P5 pay up to $100 (USD) each.

Artifex will evaluate each submission carefully, and at its own discretion determine whether a reward should be granted, and the amount of the reward. Not all reported issues qualify for a monetary reward.*

Thank you for helping to improve the quality and security of our software products.

*Artifex Software, Inc. complies with all US tax agency reporting requirements. We do not withhold taxes on bug bounty payments, but for US Citizens and US Resident Aliens, we will require an IRS form W9 for bounties over $600 before a payment can be made.

Acceptability of bug reports

  • Bug reports that are (or appear to be) auto-generated (either wholly or significantly by AI or otherwise) without a supporting proof of exploit will not be considered.
  • In addition, users that repeatedly submit spurious or incorrect bug reports (whether AI assisted or otherwise) risk being banned from participating in the program in future.

Writing a good bug report

The primary goal of a good bug report is to enable the developer responsible for fixing it to understand and/or reproduce the issue.

As such every bug report should ideally contain:

  • A detailed description of the bug.
  • Steps to reproduce it (if possible).
  • All the sample files required to reproduce the problem (input files, not output files!)
  • Details of the system on which it fails.
  • (If possible) a proposed fix.