Security News > 2021 > April > Reddit Launches Public Bug Bounty Program

Reddit this week announced the launch of a public bug bounty program on the vulnerability hunting platform HackerOne.

Following a three-year private bug bounty program on HackerOne, which has resulted in over $140,000 being awarded in bug bounties for 300 vulnerability reports focusing on reddit.com, the program is going public with an expanded scope.

"In addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit's communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability," Reddit says.

Researchers interested in participating are prohibited from accessing other users' accounts or data, from publicly disclosing the identified vulnerabilities unless they have Reddit's explicit consent, or from sharing details on the bugs before the Reddit staff patches them.

Researchers are prohibited from scanning Reddit's internal network after gaining remote access to a server, as well as from abusing discovered vulnerabilities to upload malware, to further weaken the security of impacted systems, or from affecting the performance or availability of Reddit.

Full details on the assets in- and out-of-scope of the public bug bounty program - along with information on what Reddit expects from the researchers interested in participating in its program, and on what it's offering them - can be found on the program's HackerOne page.

News URL

http://feedproxy.google.com/~r/Securityweek/~3/zbV1tZxHvmw/reddit-launches-public-bug-bounty-program