huntr

Huntr is a specialized bug bounty platform focused exclusively on artificial intelligence and machine learning projects. It serves as a central point for security researchers to discover, document, and submit vulnerabilities found in open-source AI/ML libraries, frameworks, toolkits, and model file formats. The platform currently hosts over 240 distinct programs from major organizations including NVIDIA, MongoDB, Hugging Face, PyTorch, Keras, ONNX, Jupyter, AWS, NLTK, Kubeflow, DeepMind, TensorRT, Triton Inference Server, Tokenizers, Netflix, Elastic, and many others. Each program offers monetary bounties that vary by severity and impact, with typical rewards ranging from $900 to $1500 per valid vulnerability report. The primary function of Huntr is to streamline the process of vulnerability disclosure for AI/ML software. Security researchers can browse the list of participating projects, read their specific scope and rules, and then submit detailed vulnerability reports through the platform’s submission interface. Reports are expected to include clear descriptions, proof-of-concept code, and reproduction steps. Maintainers of the targeted projects review each submission, validate the issue, and then assign a bounty based on the risk and exploitability. This structured workflow reduces friction for both researchers and project owners, ensuring that critical flaws are addressed quickly before they can be exploited in real-world deployments. Huntr covers a wide range of attack surfaces unique to AI/ML systems. This includes vulnerabilities in model serialization formats (e.g., ONNX, PyTorch’s .pt files, TensorFlow’s SavedModel), injection attacks through malformed inputs, data poisoning vectors, insecure deserialization in libraries like Pickle, adversarial manipulation o