Reddit Policy
Program Terms
Reddit's responsible disclosure and bug bounty program is focused on protecting our users' private data, accounts, and identities. The vast majority of data posted to Reddit every day is intended to be public; however, Reddit does host private data, including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.
In addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit's communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.
The scope for Reddit's program includes most of our assets: if it's not explicitly out-of-scope and has meaningful security impact, it's fair game. This includes all subdomains of reddit.com and snooguts.net.
Good Faith
To be eligible to participate in Reddit's bug bounty program, we ask that all hackers act in good faith, which means:
- Don't try to access other users' accounts or data; respect their privacy.
- Don't publicly disclose a vulnerability without Reddit's explicit consent.
- Don't discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.
- Don't leverage internal access to continue testing. For example, if you have gained remote command execution on a server, do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don't identify the possibility yourself.
- Don't upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.
- Don't leave systems in a more vulnerable state.
- Don't take any action that could impact the performance or availability of Reddit.
- Don't make copies of Reddit's private production data as "proof". The report should suffice as proof of impact.
- Be respectful of our team.
Failure to follow these rules will result in your reports being ineligible for bounty awards.
Eligibility to Participate
- Must abide by Reddit's User Agreement if testing with a Reddit account.
- Must use the HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne's terms of service and privacy policy.
- Reddit employees, contractors who are currently working with Reddit or have worked with Reddit in the previous 6 months, and immediate family members of either are not eligible for bug bounties.
Report Quality
Reports are expected to be thorough and contain enough information that Reddit's security team can easily reproduce any findings. If specially crafted files are required, they should be submitted as attachments. Screenshots and test account IDs are encouraged; videos are discouraged unless necessary.
Reports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early, while we help determine the impact, than to wait days or weeks to create proof.
Testing Guidelines
We encourage the use of HackerOne email aliases <username>@wearehackerone.com when creating Reddit accounts for testing purposes. This will help differentiate your testing activities from regular traffic.
Severity Determination
Reddit determines the severity of issues based on the asset's criticality, the impact of the issue, and data sensitivity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. Vulnerabilities are primarily rated by their impact on the confidentiality of private data and on the safety of using the Reddit platform.
Critical
Critical severity vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses, the ability to bypass authentication and gain access to targeted accounts, or compromise of Reddit infrastructure.
Examples of critical severity vulnerabilities include:
- Remote Command Execution (RCE)
- SQL Injection (SQLi)
- Authentication bypass resulting in access to a user's account and private data.
- Access to production secrets such as access tokens that can be used to copy sensitive data.
- Unauthorized elevation of a regular Reddit account to admin privileges.
- Authentication bypass that exposes payment information and payment limits of Reddit Ads clients.
- Exposure of Reddit's private financial information, such as future quarterly reports and company deals.
- Authentication bypass resulting in unlimited access to Reddit Awards.
High
High severity vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits.
Examples of high severity vulnerabilities include:
- Cross-site Scripting (XSS) that bypasses our Content Security Policy (CSP) on reddit.com and ads.reddit.com.
- Bypassing authorization to read or post to private subreddits.
- Cross-site Request Forgery (CSRF) or similar attacks provided they result in access to another user's account or data.
- Bypassing two-factor authentication (2FA) in the Reddit application.
- The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.
- Performing limited admin actions without authorization.
- Ability to identify real users who are using Anonymous Browsing Mode (ABM) in native apps.
Medium
Medium severity vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or to access less sensitive information.
Examples of medium severity vulnerabilities include:
- Cross-site Scripting (XSS) without a CSP bypass.
- Cross-site Request Forgery (CSRF) or similar attacks that make a user take an authenticated action they didn't intend, such as subscribing to or unsubscribing from subreddits, or voting on posts/comments.
- Disclosing the titles of posts or the usernames of all members in private subreddits.
- Removing a moderator from a subreddit where you are not a moderator with "access" permissions.
- Unbanning a user that has been banned from a subreddit without appropriate permissions.
- Cache Poisoning.
- Server-side Request Forgery (SSRF), with sensitive data exposure.
- Open Redirects on in-scope domains.
- LLM prompt injection with sensitive data exposure.
Low
Low severity vulnerabilities typically allow a user to do something they shouldn't, but with limited security implications.
Examples of low severity vulnerabilities include:
- Self-XSS
- Bypassing domain restrictions on posted content.
- Forcing users to use, or not use, the redesign or other early-access features.
- Disclosure of voting records for accounts without the public voting option enabled.
- Password brute-forcing that circumvents rate limiting.
- Functionality or features that are accessible through the API but not available via the UI, which have security implications.
- Functionality that is either undocumented or functions differently from its documentation, with a security impact.
- Server-side Request Forgery (SSRF), without sensitive data exposure.
- Open redirects in non-core assets.
- LLM prompt injection, without sensitive data exposure.
Rewards by Severity
We will determine rewards for reports based on the criticality of the asset, the impact of the issue, and the sensitivity of any leaked data. Each report will be evaluated individually by our security team. We may offer higher rewards for unique, hard-to-discover bugs. We may also pay less for bugs with complex prerequisites that lower the risk of exploitation.
Out-of-Scope
We generally do not accept logic bugs unless they result in the disclosure of security information, financial data, or cause disruption to our services.
Reddit agnostic
- Attacks requiring physical access to, root privileges on, or MITM of a user's device.
- Account Oracles - the ability to determine if an email address or username is in use.
- Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.
- Insecure cookie settings / flags on non-login cookies.
- Missing HTTP security headers (CSP, HSTS, etc.).
- Weak SSL/TLS/SSH algorithms or protocols.
- Lack of certificate pinning (improper certificate validation is still eligible).
- CSRF with no security impact (unauthenticated/logout/login CSRF).
- Best practices violations (password complexity, expiration, re-use, etc.).
- Clickjacking on pages with no sensitive actions.
- Component version disclosure without accompanying proof of vulnerability.
- Previously known vulnerable libraries without a working Proof of Concept.
- 0-days in open source / vendor products: give us a chance to fix it on our own; if we missed it, then it's fair game.
- Disclosure of internal tracebacks (unless sensitive environment data is also leaked).
- Comma Separated Values (CSV) injection.
- Reflected file download.
- Content spoofing and text injection issues without being able to modify HTML/CSS.
- Re-use of passwords from public dumps.
- Homograph links.
- Mobile app crashes.
- Tabnabbing / window.origin not being cleared on new tabs or windows.
- Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future).
- XSS from copying/pasting code into the DevConsole or the like.
- LLM Model Hallucinations.
- Security issues with SaaS applications that require fixes from the SaaS provider, rather than Reddit configurations, should be reported directly to the respective SaaS provider.
Reddit specific
- Web cache poisoning on any of our domains that host Zendesk or HubSpot content (redditinc.com, reddithelp.com, etc.).
- Hardcoded mobile app secrets for Sentry, Twitter, Crashlytics, Firebase, or Branch. On Dubsmash, the Kinesis AWS key is out of scope as it is non-vulnerable.
- Functionality available through the API but not present in the UI, without any impact on security.
- Commenting on removed / deleted posts (explicitly allowed unless a post is locked).
- Enabling predictions/tournaments on subreddits for communities that do not meet the 10,000-subscriber qualification.
- https://*.reddit.com/etc/passwd.
- Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).
- Bypassing rate-limits or the non-existence of rate-limits that have no platform impact. Example: https://vpn.snooguts.net/login.
- Exposure of internal domains on public domains.
- Enabling a setting early but not being able to use the early feature in practice.
- Reddit.com password length issue (Reddit uses bcrypt, which is capped at 72 characters): https://hackerone.com/reports/1168804.
Denial of service attacks
Reddit does not allow denial of service attacks, and they are considered out of scope for our bug bounty program. This includes any attack that is designed to disrupt or disable the normal operation of our website or services.
In-scope domains (inclusive of all subdomains)
Check the Scope tab.
Out-of-scope domains
- spell.ml.
- www.meaningcloud.com.
- Any SaaS or other service provider domains that are not mentioned in the Scope tab.
If you think it's something owned by Reddit, you can send it along; we'll decide if it's out-of-scope.
Confidentiality
Any information you receive or collect about Reddit, Reddit's systems, or any of our users, employees, or agents in connection with the Bug Bounty Program ("Confidential Information") must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. Please note, not all requests for public disclosure can be approved.