Reddit launches public bug bounty program
This week, social news platform Reddit announced the launch of a public bug bounty program on the HackerOne platform.
The site has already run its own vulnerability bounty program for the past three years, but it was open only to selected researchers. During that time, Reddit received 300 vulnerability reports, and payouts to researchers exceeded $140,000. Now the bug bounty will be open to everyone, and the company emphasizes that the purpose of the program is to protect user accounts, their identities and personal data, including chats, messages, email addresses, voting history and data on subreddit subscriptions. To that end, the company has expanded the scope of the program: it now covers all subdomains of reddit.com and snooguts.net.
Vulnerability reports should contain enough information for the Reddit team to reproduce the bug on their own.
“Researchers can qualify for rewards of up to $10,000 if the vulnerability is deemed critical. Professionals can also receive up to $5,000 for high severity errors, $500 for medium severity errors, and $100 for low severity flaws,” Reddit representatives said.
Vulnerabilities are considered critical if they lead to massive compromise of user data, including password hashes, email addresses, private chats and messages, or if they allow an attacker to bypass authentication and gain access to accounts.
Researchers are prohibited from accessing other users’ accounts or data, and from publicly disclosing details of identified vulnerabilities without Reddit’s explicit consent or before Reddit staff have fixed the issues.
In addition, researchers are prohibited from crawling the internal Reddit network after gaining remote access to the server, and from abusing discovered vulnerabilities to download malware, further weaken the security of affected systems, or impact Reddit’s performance and availability.
Recall that we have also reported that Mozilla extended its bug bounty program and increased rewards, and that Google expanded its bug bounty program and will pay for bugs in applications with 100 million installations.