So how do I know if there is bug bounty available for vulnerabilities in exiftool? Or ghostscript? Or ffmpeg, openssl, gnutls, sox, or any number of other packages I may be using?


For open source libraries, you are usually better off finding a large company that uses it in some exposed way, then submitting it to their bug bounty.

Sometimes you can even collect the bounty multiple times by sending it to multiple companies, so long as the first one doesn't submit the fix before the second even looks at the report...


There is at least one bug bounty available for all open source projects.

I run a bug bounty where if you tell me about the high level details of a bug and it sounds interesting, I will buy you a drink (up to $20, so that's the bounty) in exchange for you telling me all the details.

All applications for my bug bounty program must be in person, feel free to take me up on it!


They're open source and written by volunteers, so there almost certainly isn't. Unless it's covered by this:

https://bughunters.google.com/about/rules/6521337925468160/g...