Announcing the new Jenkins Bug Bounty Program
It is with great pleasure that we announce the new Jenkins Bug Bounty Program! The European Commission (EC OSPO) has partnered with YesWeHack to launch bug bounty programs for several open source projects. The Jenkins project was selected as a valuable asset for public administration across the European Union.
The program will run for one year, rewarding security researchers who find and responsibly disclose security vulnerabilities in Jenkins.
Why a Bug Bounty Program?
Bug bounty programs complement our existing security practices by engaging the security research community in identifying and responsibly disclosing vulnerabilities.
This additional layer of scrutiny, combined with financial incentives, helps ensure Jenkins remains a secure and reliable automation server for organizations worldwide.
Program Details
- Initial scope: Jenkins Core and its main components, and four plugins related to security
- Reward: Up to €5,000 for valid critical findings!
- Platform: Jenkins Bug Bounty Program on YesWeHack
- Funding: European Commission
Depending on the level of interest and quality of reports, we will consider expanding the scope to other components of the Jenkins ecosystem.
For security researchers, it’s an additional reason to invest time in Jenkins. In addition to the white-box testing enabled by the open-source nature of the project, you can now also receive financial rewards for your efforts!
How Does It Work?
- In-scope reports are submitted to the YesWeHack platform.
- The initial triage is done by the YesWeHack team.
- Valid reports are then forwarded to the Jenkins Security Team for further analysis and validation, and the corresponding SECURITY tickets are created.
- The maintainers of the affected components are then contacted to fix the issues.
This enhancement integrates seamlessly with our existing security workflow, while providing additional visibility and support from the European Commission and YesWeHack.
Thank You
We sincerely thank the European Commission and YesWeHack for making this program possible. Their support enables the Jenkins project to further strengthen its security posture and continue serving the open source community.
We invite security researchers to explore the program and help us make Jenkins more secure. Whether you’re a seasoned researcher or new to bug bounties, your contributions are valuable to the Jenkins community.
Happy hacking!