Announcing Reddit’s Public Bug Bounty Program Launch

https://www.reddit.com/r/RedditSafety/comments/mqse9a/announcing_reddits_public_bug_bounty_program/

created by securimancer on 14/04/2021 at 15:01 UTC*

580 upvotes, 29 top-level comments (showing 25)

Hi Reddit,

The time has come to announce that we’re taking Reddit’s bug bounty program public!

As some of you may already know, we’ve had a private bug bounty program with HackerOne over the past three years. This program has allowed us to quickly address vulnerabilities, improve our defenses, and help keep our platform secure alongside our own teams’ efforts. We’ve also seen great engagement and success to date, having awarded $140,000 in bounties across 300 reports covering the main reddit.com platform, which worked well for our limited scope during the private program.

With our continued growth and visibility, we’re now ready to make the program public and expand the participation to anyone wanting to make a meaningful security impact on Reddit. As we scale the program, our priority will remain focused on protecting the privacy of our user data and identities. We know each security researcher has their own skills and perspective that they bring to the program, and we encourage anyone to submit a report that shows security impact. We’re super excited to hit this milestone and have prepared our team for what’s to come.

You can find our program definition over on redditinc.com[1] or HackerOne[2], and we welcome any submissions to whitehats@reddit.com[3]. We’re still keeping the Whitehat award for that Reddit bling as well. We look forward to all the submissions about LFI via reddit.com/etc/passwd and how old Reddit’s session cookie persists after logout.

1: https://www.redditinc.com/policies/bug-bounty-program

2: https://hackerone.com/reddit?type=team

3: mailto:whitehats@reddit.com

And finally, a big shout out to the most prolific and rewarded researchers that joined our journey thus far: @renekroka[4], @naategh[5], @jensec[6], @pandaonair[7], and @parasimpaticki[8]. We’re looking forward to meeting more of y’all and to helping keep Reddit a more safe and secure platform for everyone.

4: https://hackerone.com/renekroka?type=user

5: https://hackerone.com/naategh?type=user

6: https://hackerone.com/jensec?type=user

7: https://hackerone.com/pandaonair?type=user

8: https://hackerone.com/parasimpaticki?type=user

Comments

Comment by WayeeCool at 14/04/2021 at 16:33 UTC

109 upvotes, 3 direct replies

This is an important step. Good job for taking security and user information seriously. Please don't become Facebook/Instagram.

Comment by haykam821 at 14/04/2021 at 17:08 UTC

74 upvotes, 1 direct replies

We’re still keeping the Whitehat award for that Reddit bling as well.

Phew.

Comment by Ludovicoo_ at 14/04/2021 at 17:58 UTC

28 upvotes, 1 direct replies

Can you guys tell me something about the white hat and how to get it?

Comment by darknep at 14/04/2021 at 18:42 UTC

11 upvotes, 1 direct replies

Thank you! I look forward to trying my hardest for that whitehat award ^^'

Comment by orvn at 14/04/2021 at 22:15 UTC

8 upvotes, 2 direct replies

Does the bug bounty program include features that don't work correctly, but aren't directly associated with a security concern?

Comment by BamboozleDoggo4 at 14/04/2021 at 15:16 UTC

22 upvotes, 0 direct replies

Ok

Comment by Pepiggy at 14/04/2021 at 19:33 UTC

3 upvotes, 1 direct replies

Hah, wish I had the computery knowledge required. That trophy does look nice. Thanks for the update

Comment by eganist at 15/04/2021 at 00:47 UTC

3 upvotes, 0 direct replies

Nice! Out of curiosity, anything for people who have found significant defects prior to this point? I recognize that Reddit has no obligation, but it'd be a good token of appreciation, u/securimancer

Comment by [deleted] at 14/04/2021 at 20:53 UTC

5 upvotes, 2 direct replies

Very interesting! I wish I could help out, but I mainly work with C++/C# rather than HTML, so I doubt I am of any use. Regardless, hopefully user security is improved from this; hopefully this turns out to be a good move, as I believe it will.

Comment by TheGamingBlu at 15/04/2021 at 09:37 UTC

4 upvotes, 3 direct replies

We need more protection for reddit accounts to prevent them from being hacked, like 2-step authentication.

Comment by DrinkMoreCodeMore at 15/04/2021 at 15:49 UTC

2 upvotes, 0 direct replies

Will pin this to the top of /r/hacking for you for a few days

Comment by ZeroBuffalo at 15/04/2021 at 16:25 UTC

2 upvotes, 0 direct replies

Hype

Comment by tradecrafter001 at 16/04/2021 at 03:35 UTC

2 upvotes, 0 direct replies

Cool to hear let’s try hard

Comment by Rene_Kroka at 16/04/2021 at 09:26 UTC

2 upvotes, 0 direct replies

Comment by justcool393 at 16/04/2021 at 10:32 UTC*

2 upvotes, 0 direct replies

Hey there

I had reported a vulnerability regarding disclosure of votes to security@reddit.com a while back but had never received any response

Should I resend my email to the new one or something?

Edit: I had reported a vulnerability a few months ago (you can see it in my trophy case) that allowed anyone to force add moderators. Given the scope... it kinda feels a bit sucky to know that I could've been compensated for that but didn't...

Is it possible to still get compensated?

Comment by pm_me_your_findings at 16/04/2021 at 13:10 UTC

2 upvotes, 0 direct replies

Oh yeah I have white hat

Comment by Le-Chiffre999 at 16/04/2021 at 23:21 UTC

2 upvotes, 0 direct replies

I hope that your gains and success will be permanent. Let’s try hard.

Comment by Blank-Cheque at 14/04/2021 at 15:19 UTC

-1 upvotes, 1 direct replies

On your list of example vulnerabilities, this one doesn't make sense:

Removing a moderator from a subreddit where you are not a moderator with “access” permissions.

You need full perms (+all) to remove a mod, not just access (or "Manage Users" I guess it's called now). I just checked to make sure it's still like that.

Comment by WarpvsWeft at 14/04/2021 at 19:17 UTC

0 upvotes, 1 direct replies

Cool! Is the admin team doing next to nothing about repeatedly-reported violent threats directed toward mods considered a "bug?"

Comment by DurianExecutioner at 14/04/2021 at 22:10 UTC

-1 upvotes, 0 direct replies

TLDR but you guys intentionally make the mobile browser site crap (like, actually broken and not just annoying) in order to corral people towards your shitty app. You suck.

Comment by Shady_Twin at 14/04/2021 at 21:44 UTC

0 upvotes, 1 direct replies

u/CitizenPremier If you are maybe an expert in HTML too, this could interest you ( :

Comment by [deleted] at 15/04/2021 at 17:38 UTC

-1 upvotes, 2 direct replies

[removed]

Comment by [deleted] at 14/04/2021 at 21:41 UTC

-4 upvotes, 1 direct replies

I found a TON of massive security threats, where do I send them?

Comment by coolmanranger25 at 14/04/2021 at 17:04 UTC

-6 upvotes, 0 direct replies

Ok

Comment by AONomad at 14/04/2021 at 22:01 UTC

1 upvotes, 0 direct replies

/u/latteisnotcoffee :')