
Responsible Disclosure

Effective April 14, 2021.

Program Terms

Reddit’s responsible disclosure and bug bounty program is focused on protecting our users’ private data, accounts, and identities. The vast majority of data posted to Reddit every day is intended to be public; however, Reddit does host private data, including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.

In addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit’s communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.

The scope for Reddit’s program includes most of our assets—if it’s not explicitly out-of-scope, and has meaningful security impact, it’s fair game. This includes all subdomains of and

Good Faith

To be eligible to participate in Reddit’s bug bounty program we ask that all researchers act in good faith, which means:

  • Don’t try to access other users’ accounts or data — respect their privacy.
  • Don’t publicly disclose a vulnerability without Reddit’s explicit consent.
  • Don’t discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.
  • Don’t leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don’t identify the possibility yourself.
  • Don’t upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.
  • Don’t leave systems in a more vulnerable state.
  • Don’t take any action that could impact the performance or availability of Reddit.
  • Don’t make copies of Reddit's private production data as “proof”. The report should suffice as proof of impact.
  • Be respectful of our team.

Failure to follow these rules will result in your reports being ineligible for bounty awards.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Eligibility to Participate
  • Must abide by Reddit’s User Agreement if testing with a Reddit account.
  • Must use the HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne’s terms of service and privacy policy.
  • Reddit employees, contractors who are currently working with Reddit or have worked with Reddit in the previous 6 months, and immediate family members of either are not eligible for bug bounties.

Report Quality

Reports are expected to be thorough and contain enough information that Reddit’s security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video.

Reports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.

Severity Determination

Reddit uses a simple scale to determine severity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. Vulnerabilities are primarily rated by their impact on the confidentiality of private user data and on safety when using the Reddit platform.

Critical vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses or the ability to bypass authentication and gain access to targeted accounts. Examples of critical vulnerabilities include:

  • Remote command execution
  • SQL Injection
  • Authentication bypass resulting in access to a user's account and private data.
  • Access to production secrets such as access tokens that can be used to copy sensitive data.
  • Elevating Reddit application privileges to admin.

High-rated vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits. Examples include:

  • Cross-site scripting (XSS)
  • Bypassing authorization to read or post to private subreddits.
  • CSRF or similar attacks provided they result in access to another user's account or data.
  • Bypassing two-factor authentication (2FA) in the Reddit application.
  • The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.
  • Performing limited admin actions without authorization.
  • Ability to identify real users when switching into and using Anonymous Browsing Mode (ABM) in native apps

Medium-risk vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access less-sensitive information. Examples include:

  • CSRF or similar attacks to make a user take an action they didn't intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.
  • Disclosing the titles of posts in private subreddits.
  • Removing a moderator from a subreddit where you are not a moderator with “access” permissions.
  • Unbanning a user that has been banned from a subreddit without appropriate permissions.
  • Open redirects

Low-risk vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn't, but with no serious security implications. Examples include:

  • Bypassing domain restrictions on posted content.
  • Forcing users to use or not use the redesign or other early-access features.
  • Disclosure of voting records for accounts without the public voting option enabled.
  • Self-XSS without evidence it can be chained into non-self XSS
  • Tabnabbing
  • Password brute-forcing that circumvents rate limiting

Bounty Amounts

The upper limits on bounty for each bug class:


These are guidelines and may be adjusted by Reddit at our own discretion. Note that mitigating factors such as rate limiting (if applicable), the limitations on what may be accessed and the sensitivity of the exposed data will be taken into account when determining bounties. Bounty payments will be made through the HackerOne platform.


Reddit agnostic:

  • Attacks requiring physical access to, root privileges on, or MITM of a user's device.
  • Account Oracles - the ability to determine if an email address or username is in use.
  • Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.
  • Insecure cookie settings / flags on non-login cookies.
  • Missing HTTP security headers (CSP, HSTS, etc.).
  • Weak SSL/TLS/SSH algorithms or protocols.
  • Lack of certificate pinning (improper certificate validation still eligible)
  • CSRF with no security impact (unauthenticated/logout/login CSRF).
  • Best practices violations (password complexity, expiration, re-use, etc.).
  • Clickjacking on pages with no sensitive actions.
  • Component version disclosure without accompanying proof of vulnerability.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • 0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.
  • Disclosure of internal tracebacks (unless sensitive environment data is also leaked).
  • Comma Separated Values (CSV) injection.
  • Reflected file download.
  • Content spoofing and text injection issues without being able to modify HTML/CSS.
  • Reuse of passwords from public dumps.
  • Homograph links.
  • Mobile app crashes.
  • Tabnabbing / window.opener not being cleared on new tabs or windows
  • Deep links for Android missing autoVerify=true due to a current Google limitation with AMP (may change in the future)

Reddit specific:

  • Hardcoded mobile app keys for Sentry, Twitter, Crashlytics, Firebase, or Branch.
  • Commenting on removed / deleted posts (explicitly allowed unless a post is locked)
  • https://* not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).
  • UI redress of subreddits via subreddit styles (custom CSS).
  • Bypassing rate-limits or the non-existence of rate-limits that have no platform impact.
  • Exposure of internal domains on public domains

Denial of service attacks:

  • Just don’t, we’re busy enough keeping the site up

In-scope domains (inclusive of all subdomains):

  • (limited)
  • 1st party Android and iOS apps for Reddit and Dubsmash

Out-of-scope domains

  • Any SaaS or other service provider not explicitly called out. If you think it’s something owned by Reddit, you can send it along - we’ll decide if it’s out-of-scope.

Any information you receive or collect about Reddit, Reddit’s systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. Please note, not all requests for public disclosure can be approved.

Rights and Licenses

We may modify the Program Terms or cancel the Bug Bounty Program at any time.

By making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.

By making a Submission, you give us the right to use your Submission for any purpose.


Reports must be submitted via HackerOne either via the submission portal or via