
Program stats

168 vulnerabilities rewarded



Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

ICEcoder is an open-source browser code editor, which provides a modern approach to building websites.

Because you code directly within the web browser, online or offline, you only need one program (your browser) to develop sites, and you can test on actual web servers. After development, you can also maintain the website easily, all of which makes for speedy and smart development.

Because it can be web based, you can use it from any internet-enabled computer with a modern browser, and because it's open-source, you can customise it to your liking, integrating with online services. If you'd like to use it as a desktop code editor, no problem: you only need PHP 5.0+ (though 5.3+ is recommended), so you can use it on Linux, on PC via MAMP or XAMPP, and on Mac via WAMP (or another PHP installation).

ICEcoder was created because web devs (like myself) always complained their code editor didn't do exactly what they like. They're often bloated with features, slow and awkward. Conversely, ICEcoder is lightweight (zip is around 0.4mb) and boots in seconds (often 1-2s). Oh, and it's also free. Enjoy!



Before you begin, please read and understand the Standard Disclosure Terms.

In scope for this bounty:

  • ICEcoder editor (download and install on your local system). If you encounter a functionality issue, please check our GitHub and file an issue if it does not exist.

Not in scope for this bounty:

  • website

Program Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.


  • The ICEcoder manual purposely has no X-Frame-Options header set, so that it can be used externally (in ICEcoder installs). Clickjacking reports against it will not be rewarded.

  • Plugin data is also purposely publicly available. This information is used by ICEcoder installations. Reports will not be rewarded.