[{"id":3759836,"new_policy":"# Reddit Policy\n\n## Program Terms\n\nReddit's responsible disclosure and bug bounty program is focused on protecting our users' private data, accounts, and identities. The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.\n\nIn addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit's communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\nThe scope for Reddit's program includes most of our assets---if it's not explicitly out-of-scope, and has meaningful security impact, it's fair game. This includes all subdomains of reddit.com and snooguts.net.\n\n## Good Faith\n\nTo be eligible to participate in Reddit's bug bounty program we ask that all hackers act in good faith, which means:\n\n- Don't try to access other users' accounts or data --- respect their privacy.\n- Don't publicly disclose a vulnerability without Reddit's explicit consent.\n- Don't discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n- Don't leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. 
We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don't identify the possibility yourself.\n- Don't upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.\n- Don't leave systems in a more vulnerable state.\n- Don't take any action that could impact the performance or availability of Reddit.\n- Don't make copies of Reddit's private production data as \"proof\". The report should suffice as proof of impact.\n- Be respectful of our team.\n\nFailure to follow these rules will result in your reports being ineligible for bounty awards.\n\n## Eligibility to Participate\n\n- Must abide by Reddit's User Agreement if testing with a Reddit account.\n- Must utilize HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne's terms of service and privacy policy.\n- Reddit employees, contractors who are currently working with Reddit, or have worked with Reddit in the previous 6 months, or immediate family members of either are not eligible for bug bounties.\n\n## Report Quality\n\nReports are expected to be thorough and contain enough information that Reddit's security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots and Test account IDs are encouraged while videos are discouraged, unless necessary.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. 
It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\n## Testing Guidelines\n\nWe encourage the use of [HackerOne email](https://docs.hackerone.com/en/articles/8404308-hacker-email-alias) aliases `\u003cusername\u003e@wearehackerone.com` when creating Reddit accounts for testing purposes. This will help differentiate your testing activities from regular traffic.\n\n## Severity Determination\n\nReddit determines the severity of issues based on the asset's criticality, the impact of the issue, and data sensitivity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. Vulnerabilities are primarily rated by their impact on the confidentiality of private data and safety using the Reddit platform.\n\n### Critical\n\nCritical severity vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses, the ability to bypass authentication and gain access to targeted accounts, or compromise of Reddit infrastructure.\n\nExamples of critical severity vulnerabilities include:\n\n- Remote Command Execution (RCE)\n- SQL Injection (SQLi)\n- Authentication bypass resulting in access to a user's account and private data.\n- Access to production secrets such as access tokens that can be used to copy sensitive data.\n- Unauthorized elevation of a regular Reddit account to admin privileges.\n- Authentication bypass that exposes payment information and payment limits of Reddit Ads clients.\n- Reddit's private financial information, like future quarterly reports and company deals.\n- Authentication bypass resulting in unlimited access to Reddit Awards.\n\n### High\n\nHigh severity vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits.\n\nExamples of high severity vulnerabilities include:\n\n- 
Cross-site Scripting (XSS), that bypasses our Content Security Policy (CSP), on reddit.com and ads.reddit.com.\n- Bypassing authorization to read or post to private subreddits.\n- Cross-site Request Forgery (CSRF) or similar attacks provided they result in access to another user's account or data.\n- Bypassing two-factor authentication (2FA) in the Reddit application.\n- The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n- Performing limited admin actions without authorization.\n- Ability to identify real users who are using Anonymous Browsing Mode (ABM) in native apps.\n\n### Medium\n\nMedium severity vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access to less sensitive information.\n\nExamples of medium severity vulnerabilities include:\n\n- Cross-site Scripting (XSS) without a CSP bypass.\n- Cross-site Request Forgery (CSRF) or similar attacks to make a user take an authenticated action they didn\\'t intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n- Disclosing the titles of posts or the usernames of all members in private subreddits.\n- Removing a moderator from a subreddit where you are not a moderator with \"access\" permissions.\n- Unbanning a user that has been banned from a subreddit without appropriate permissions.\n- Cache Poisoning.\n- Server-side Request Forgery (SSRF), with sensitive data exposure.\n- Open Redirects on in-scope domains.\n- LLM prompt injection with sensitive data exposure.\n\n### Low\n\nLow severity vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn\\'t, but with limited security implications.\n\nExamples of low severity vulnerabilities include:\n\n- Self-XSS\n- Bypassing domain restrictions on posted content.\n- Forcing users to use, or not use, the redesign or other early-access features.\n- Disclosure of 
voting records for accounts without the public voting option enabled.\n- Password brute-forcing that circumvents rate limiting.\n- Functionality or features that are accessible through the API but not available via the UI, which have security implications.\n- Functionality that is either undocumented or functions differently from its documentation, with a security impact.\n- Server-side Request Forgery (SSRF), without sensitive data exposure.\n- Open redirects in non-core assets.\n- LLM prompt injection, without sensitive data exposure.\n\n## Rewards by Severity\n\nWe will determine rewards for reports based on the **criticality of the asset, the impact of the issue, and the sensitivity of any leaked data**. Each report will be evaluated individually by our security team. We may offer higher rewards for unique, hard-to-discover bugs. We may also pay less for bugs with complex prerequisites that lower risk of exploitation.\n\n## Out-of-Scope\n\nWe generally do not accept logic bugs unless they result in the disclosure of security information, financial data, or cause disruption to our services.\n\n### Reddit agnostic\n\n- Attacks requiring physical access to, root privileges on, or MITM of a user's device.\n- Account Oracles - the ability to determine if an email address or username is in use.\n- Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n- Insecure cookie settings / flags on non-login cookies.\n- Missing HTTP security headers (CSP, HSTS, etc.).\n- Weak SSL/TLS/SSH algorithms or protocols.\n- Lack of certificate pinning (improper certificate validation still eligible)\n- CSRF with no security impact (unauthenticated/logout/login CSRF).\n- Best practices violations (password complexity, expiration, re-use, etc.).\n- Clickjacking on pages with no sensitive actions.\n- Component version disclosure without accompanying proof of vulnerability.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- 
0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.\n- Disclosure of internal tracebacks (unless sensitive environment data is also leaked).\n- Comma Separated Values (CSV) injection.\n- Reflected file download.\n- Content spoofing and text injection issues without being able to modify HTML/CSS.\n- Re-usage of passwords from public dumps.\n- Homograph links.\n- Mobile app crashes.\n- Tabnabbing / window.origin not being cleared on new tabs or windows.\n- Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future).\n- XSS from copying/pasting in code into DevConsole or the like.\n- LLM Model Hallucinations.\n- Security issues with SaaS applications that require fixes from the SaaS provider, rather than Reddit configurations, should be reported directly to the respective SaaS provider.\n\n### Reddit specific\n\n- Web cache poisoning on any of our domains that host Zendesk or HubSpot content (redditinc.com, reddithelp.com, etc)\n- Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch. On Dubsmash, the Kinesis AWS key is out of scope as it's non-vulnerable.\n- Functionality available through the API but not present in the UI, without any impact on security.\n- Commenting on removed / deleted posts (explicitly allowed unless a post is locked).\n- Enabling predictions/tournaments on subreddits for communities which are not qualified to the above 10000 subscribers.\n- https://*.reddit.com/etc/passwd.\n- Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n- Bypassing rate-limits or the non-existence of rate-limits that have no platform impact. 
Example: \u003chttps://vpn.snooguts.net/login\u003e.\n- Exposure of internal domains on public domains.\n- Enabling a setting early but not being able to use the early feature in practice.\n- Reddit.com password length issue (Reddit uses bcrypt which is capped at 72 characters) [https://hackerone.com/reports/1168804](https://hackerone.com/reports/1168804).\n\n## Denial of service attacks\n\nReddit does not allow denial of service attacks, and they are considered out of scope for our bug bounty program. This includes any attack that is designed to disrupt or disable the normal operation of our website or services.\n\n## In-scope domains (inclusive of all subdomains)\n\nCheck the Scope tab.\n\n## Out-of-scope domains\n\n- spell.ml.\n- [www.meaningcloud.com](http://www.meaningcloud.com).\n- Any SaaS or other service provider domains that are not mentioned in the Scope tab.\n\nIf you think it's something owned by Reddit, you can send it along - we'll decide if it's out-of-scope.\n\n## Confidentiality\n\nAny information you receive or collect about Reddit, Reddit's systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (\"Confidential Information\") must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. 
Please note, not all requests for public disclosure can be approved.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-23T14:27:26.272Z"},{"id":3732573,"new_policy":"# Reddit Policy\n\n## Program Terms\n\nReddit's responsible disclosure and bug bounty program is focused on protecting our users' private data, accounts, and identities. The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.\n\nIn addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit's communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\nThe scope for Reddit's program includes most of our assets---if it's not explicitly out-of-scope, and has meaningful security impact, it's fair game. This includes all subdomains of reddit.com and snooguts.net.\n\n## Good Faith\n\nTo be eligible to participate in Reddit's bug bounty program we ask that all hackers act in good faith, which means:\n\n- Don't try to access other users' accounts or data --- respect their privacy.\n- Don't publicly disclose a vulnerability without Reddit's explicit consent.\n- Don't discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n- Don't leverage internal access to continue testing. 
For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don't identify the possibility yourself.\n- Don't upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.\n- Don't leave systems in a more vulnerable state.\n- Don't take any action that could impact the performance or availability of Reddit.\n- Don't make copies of Reddit's private production data as \"proof\". The report should suffice as proof of impact.\n- Be respectful of our team.\n\nFailure to follow these rules will result in your reports being ineligible for bounty awards.\n\n## Eligibility to Participate\n\n- Must abide by Reddit's User Agreement if testing with a Reddit account.\n- Must utilize HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne's terms of service and privacy policy.\n- Reddit employees, contractors who are currently working with Reddit, or have worked with Reddit in the previous 6 months, or immediate family members of either are not eligible for bug bounties.\n\n## Report Quality\n\nReports are expected to be thorough and contain enough information that Reddit's security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots and Test account IDs are encouraged while videos are discouraged, unless necessary.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. 
It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\n## Testing Guidelines\n\nWe encourage the use of [HackerOne email](https://docs.hackerone.com/en/articles/8404308-hacker-email-alias) aliases `\u003cusername\u003e@wearehackerone.com` when creating Reddit accounts for testing purposes. This will help differentiate your testing activities from regular traffic.\n\n## Severity Determination\n\nReddit determines the severity of issues based on the asset's criticality, the impact of the issue, and data sensitivity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. Vulnerabilities are primarily rated by their impact on the confidentiality of private data and safety using the Reddit platform.\n\n### Critical\n\nCritical severity vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses, the ability to bypass authentication and gain access to targeted accounts, or compromise of Reddit infrastructure.\n\nExamples of critical severity vulnerabilities include:\n\n- Remote Command Execution (RCE)\n- SQL Injection (SQLi)\n- Authentication bypass resulting in access to a user's account and private data.\n- Access to production secrets such as access tokens that can be used to copy sensitive data.\n- Unauthorized elevation of a regular Reddit account to admin privileges.\n- Authentication bypass that exposes payment information and payment limits of Reddit Ads clients.\n- Reddit's private financial information, like future quarterly reports and company deals.\n- Authentication bypass resulting in unlimited access to Reddit Awards.\n\n### High\n\nHigh severity vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits.\n\nExamples of high severity vulnerabilities include:\n\n- 
Cross-site Scripting (XSS), that bypasses our Content Security Policy (CSP), on reddit.com and ads.reddit.com.\n- Bypassing authorization to read or post to private subreddits.\n- Cross-site Request Forgery (CSRF) or similar attacks provided they result in access to another user's account or data.\n- Bypassing two-factor authentication (2FA) in the Reddit application.\n- The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n- Performing limited admin actions without authorization.\n- Ability to identify real users who are using Anonymous Browsing Mode (ABM) in native apps.\n\n### Medium\n\nMedium severity vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access to less sensitive information.\n\nExamples of medium severity vulnerabilities include:\n\n- Cross-site Scripting (XSS) without a CSP bypass.\n- Cross-site Request Forgery (CSRF) or similar attacks to make a user take an authenticated action they didn\\'t intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n- Disclosing the titles of posts or the usernames of all members in private subreddits.\n- Removing a moderator from a subreddit where you are not a moderator with \"access\" permissions.\n- Unbanning a user that has been banned from a subreddit without appropriate permissions.\n- Cache Poisoning.\n- Server-side Request Forgery (SSRF), with sensitive data exposure.\n- Open Redirects on in-scope domains.\n- LLM prompt injection with sensitive data exposure.\n\n### Low\n\nLow severity vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn\\'t, but with limited security implications.\n\nExamples of low severity vulnerabilities include:\n\n- Self-XSS\n- Bypassing domain restrictions on posted content.\n- Forcing users to use, or not use, the redesign or other early-access features.\n- Disclosure of 
voting records for accounts without the public voting option enabled.\n- Password brute-forcing that circumvents rate limiting.\n- Functionality or features that are accessible through the API but not available via the UI, which have security implications.\n- Functionality that is either undocumented or functions differently from its documentation, with a security impact.\n- Server-side Request Forgery (SSRF), without sensitive data exposure.\n- Open redirects in non-core assets.\n- LLM prompt injection, without sensitive data exposure.\n\n## Rewards by Severity\n\nWe will determine rewards for reports based on the **criticality of the asset, the impact of the issue, and the sensitivity of any leaked data**. Each report will be evaluated individually by our security team. We may offer higher rewards for unique, hard-to-discover bugs. We may also pay less for bugs with complex prerequisites that lower risk of exploitation.\n\n## Out-of-Scope\n\nWe generally do not accept logic bugs unless they result in the disclosure of security information, financial data, or cause disruption to our services.\n\n### Reddit agnostic\n\n- Attacks requiring physical access to, root privileges on, or MITM of a user's device.\n- Account Oracles - the ability to determine if an email address or username is in use.\n- Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n- Insecure cookie settings / flags on non-login cookies.\n- Missing HTTP security headers (CSP, HSTS, etc.).\n- Weak SSL/TLS/SSH algorithms or protocols.\n- Lack of certificate pinning (improper certificate validation still eligible)\n- CSRF with no security impact (unauthenticated/logout/login CSRF).\n- Best practices violations (password complexity, expiration, re-use, etc.).\n- Clickjacking on pages with no sensitive actions.\n- Component version disclosure without accompanying proof of vulnerability.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- 
0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.\n- Disclosure of internal tracebacks (unless sensitive environment data is also leaked).\n- Comma Separated Values (CSV) injection.\n- Reflected file download.\n- Content spoofing and text injection issues without being able to modify HTML/CSS.\n- Re-usage of passwords from public dumps.\n- Homograph links.\n- Mobile app crashes.\n- Tabnabbing / window.origin not being cleared on new tabs or windows.\n- Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future).\n- XSS from copying/pasting in code into DevConsole or the like.\n- LLM Model Hallucinations.\n- Security issues with SaaS applications that require fixes from the SaaS provider, rather than Reddit configurations, should be reported directly to the respective SaaS provider.\n\n### Reddit specific\n\n- Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch. On Dubsmash, the Kinesis AWS key is out of scope as it's non-vulnerable.\n- Functionality available through the API but not present in the UI, without any impact on security.\n- Commenting on removed / deleted posts (explicitly allowed unless a post is locked).\n- Enabling predictions/tournaments on subreddits for communities which are not qualified to the above 10000 subscribers.\n- https://*.reddit.com/etc/passwd.\n- Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n- Bypassing rate-limits or the non-existence of rate-limits that have no platform impact. 
Example: \u003chttps://vpn.snooguts.net/login\u003e.\n- Exposure of internal domains on public domains.\n- Enabling a setting early but not being able to use the early feature in practice.\n- Reddit.com password length issue (Reddit uses bcrypt which is capped at 72 characters) [https://hackerone.com/reports/1168804](https://hackerone.com/reports/1168804).\n\n## Denial of service attacks\n\nReddit does not allow denial of service attacks, and they are considered out of scope for our bug bounty program. This includes any attack that is designed to disrupt or disable the normal operation of our website or services.\n\n## In-scope domains (inclusive of all subdomains)\n\nCheck the Scope tab.\n\n## Out-of-scope domains\n\n- spell.ml.\n- [www.meaningcloud.com](http://www.meaningcloud.com).\n- Any SaaS or other service provider domains that are not mentioned in the Scope tab.\n\nIf you think it's something owned by Reddit, you can send it along - we'll decide if it's out-of-scope.\n\n## Confidentiality\n\nAny information you receive or collect about Reddit, Reddit's systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (\"Confidential Information\") must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. 
Please note, not all requests for public disclosure can be approved.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-16T21:54:05.130Z"},{"id":3731043,"new_policy":"# Reddit Policy\n\n## Program Terms\n\nReddit's responsible disclosure and bug bounty program is focused on protecting our users' private data, accounts, and identities. The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.\n\nIn addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit's communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\nThe scope for Reddit's program includes most of our assets---if it's not explicitly out-of-scope, and has meaningful security impact, it's fair game. This includes all subdomains of reddit.com and snooguts.net.\n\n## Good Faith\n\nTo be eligible to participate in Reddit's bug bounty program we ask that all hackers act in good faith, which means:\n\n- Don't try to access other users' accounts or data --- respect their privacy.\n- Don't publicly disclose a vulnerability without Reddit's explicit consent.\n- Don't discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n- Don't leverage internal access to continue testing. 
For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don't identify the possibility yourself.\n- Don't upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.\n- Don't leave systems in a more vulnerable state.\n- Don't take any action that could impact the performance or availability of Reddit.\n- Don't make copies of Reddit's private production data as \"proof\". The report should suffice as proof of impact.\n- Be respectful of our team.\n\nFailure to follow these rules will result in your reports being ineligible for bounty awards.\n\n## Eligibility to Participate\n\n- Must abide by Reddit's User Agreement if testing with a Reddit account.\n- Must utilize HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne's terms of service and privacy policy.\n- Reddit employees, contractors who are currently working with Reddit, or have worked with Reddit in the previous 6 months, or immediate family members of either are not eligible for bug bounties.\n\n## Report Quality\n\nReports are expected to be thorough and contain enough information that Reddit's security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots and Test account IDs are encouraged while videos are discouraged, unless necessary.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. 
It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\n## Testing Guidelines\n\nWe encourage the use of [HackerOne email](https://docs.hackerone.com/en/articles/8404308-hacker-email-alias) aliases `\u003cusername\u003e@wearehackerone.com` when creating Reddit accounts for testing purposes. This will help differentiate your testing activities from regular traffic.\n\n## Severity Determination\n\nReddit determines the severity of issues based on the asset's criticality, the impact of the issue, and data sensitivity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. Vulnerabilities are primarily rated by their impact on the confidentiality of private data and safety using the Reddit platform.\n\n### Critical\n\nCritical severity vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses, the ability to bypass authentication and gain access to targeted accounts, or compromise of Reddit infrastructure.\n\nExamples of critical severity vulnerabilities include:\n\n- Remote Command Execution (RCE)\n- SQL Injection (SQLi)\n- Authentication bypass resulting in access to a user's account and private data.\n- Access to production secrets such as access tokens that can be used to copy sensitive data.\n- Unauthorized elevation of a regular Reddit account to admin privileges.\n- Authentication bypass that exposes payment information and payment limits of Reddit Ads clients.\n- Reddit's private financial information, like future quarterly reports and company deals.\n- Authentication bypass resulting in unlimited access to Reddit Awards.\n\n### High\n\nHigh severity vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits.\n\nExamples of high severity vulnerabilities include:\n\n- 
Cross-site Scripting (XSS), that bypasses our Content Security Policy (CSP), on reddit.com and ads.reddit.com.\n- Bypassing authorization to read or post to private subreddits.\n- Cross-site Request Forgery (CSRF) or similar attacks provided they result in access to another user's account or data.\n- Bypassing two-factor authentication (2FA) in the Reddit application.\n- The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n- Performing limited admin actions without authorization.\n- Ability to identify real users who are using Anonymous Browsing Mode (ABM) in native apps.\n\n### Medium\n\nMedium severity vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access to less sensitive information.\n\nExamples of medium severity vulnerabilities include:\n\n- Cross-site Scripting (XSS) without a CSP bypass.\n- Cross-site Request Forgery (CSRF) or similar attacks to make a user take an authenticated action they didn\\'t intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n- Disclosing the titles of posts or the usernames of all members in private subreddits.\n- Removing a moderator from a subreddit where you are not a moderator with \"access\" permissions.\n- Unbanning a user that has been banned from a subreddit without appropriate permissions.\n- Cache Poisoning.\n- Server-side Request Forgery (SSRF), with sensitive data exposure.\n- Open Redirects on in-scope domains.\n- LLM prompt injection with sensitive data exposure.\n\n### Low\n\nLow severity vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn\\'t, but with limited security implications.\n\nExamples of low severity vulnerabilities include:\n\n- Self-XSS\n- Bypassing domain restrictions on posted content.\n- Forcing users to use, or not use, the redesign or other early-access features.\n- Disclosure of 
voting records for accounts without the public voting option enabled.\n- Password brute-forcing that circumvents rate limiting.\n- Functionality or features that are accessible through the API but not available via the UI, which have security implications.\n- Functionality that is either undocumented or functions differently from its documentation, with a security impact.\n- Server-side Request Forgery (SSRF), without sensitive data exposure.\n- Open redirects in non-core assets.\n- LLM prompt injection, without sensitive data exposure.\n\n## Rewards by Severity\n\nWe will determine rewards for reports based on the **criticality of the asset, the impact of the issue, and the sensitivity of any leaked data**. Each report will be evaluated individually by our security team. We may offer higher rewards for unique, hard-to-discover bugs. We may also pay less for bugs with complex prerequisites that lower risk of exploitation.\n\n## Out-of-Scope\n\nWe generally do not accept logic bugs unless they result in the disclosure of security information, financial data, or cause disruption to our services.\n\n### Reddit agnostic\n\n- Attacks requiring physical access to, root privileges on, or MITM of a user's device.\n- Account Oracles - the ability to determine if an email address or username is in use.\n- Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n- Insecure cookie settings / flags on non-login cookies.\n- Missing HTTP security headers (CSP, HSTS, etc.).\n- Weak SSL/TLS/SSH algorithms or protocols.\n- Lack of certificate pinning (improper certificate validation still eligible)\n- CSRF with no security impact (unauthenticated/logout/login CSRF).\n- Best practices violations (password complexity, expiration, re-use, etc.).\n- Clickjacking on pages with no sensitive actions.\n- Component version disclosure without accompanying proof of vulnerability.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- 
0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.\n- Disclosure of internal tracebacks (unless sensitive environment data is also leaked).\n- Comma Separated Values (CSV) injection.\n- Reflected file download.\n- Content spoofing and text injection issues without being able to modify HTML/CSS.\n- Re-usage of passwords from public dumps.\n- Homograph links.\n- Mobile app crashes.\n- Tabnabbing / window.origin not being cleared on new tabs or windows.\n- Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future).\n- XSS from copying/pasting in code into DevConsole or the like.\n- LLM Model Hallucinations.\n- Security issues with SaaS applications that require fixes from the SaaS provider, rather than Reddit configurations, should be reported directly to the respective SaaS provider.\n\n### Reddit specific\n\n- Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch. On Dubsmash, the Kinesis AWS key is out of scope as it's non-vulnerable.\n- Functionality available through the API but not present in the UI, without any impact on security.\n- Commenting on removed / deleted posts (explicitly allowed unless a post is locked).\n- Enabling predictions/tournaments on subreddits for communities which are not qualified to the above 10000 subscribers.\n- https://*.reddit.com/etc/passwd.\n- Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n- Bypassing rate-limits or the non-existence of rate-limits that have no platform impact. 
Example: \u003chttps://vpn.snooguts.net/login\u003e.\n- Exposure of internal domains on public domains.\n- Enabling a setting early but not being able to use the early feature in practice.\n- Reddit.com password length issue (Reddit uses bcrypt which is capped at 72 characters) [https://hackerone.com/reports/1168804](https://hackerone.com/reports/1168804).\n\n## Denial of service attacks\n\nReddit does not allow denial of service attacks, and they are considered out of scope for our bug bounty program. This includes any attack that is designed to disrupt or disable the normal operation of our website or services.\n\n## In-scope domains (inclusive of all subdomains)\n\nCheck the Scope tab.\n\n## Out-of-scope domains\n\n- spell.ml.\n- [www.meaningcloud.com](http://www.meaningcloud.com).\n- Any SaaS or other service provider domains that are not mentioned in the Scope tab.\n\nIf you think it's something owned by Reddit, you can send it along - we'll decide if it's out-of-scope.\n\n## Confidentiality\n\nAny information you receive or collect about Reddit, Reddit's systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (\"Confidential Information\") must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. 
Please note, not all requests for public disclosure can be approved.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-26T14:55:57.302Z"},{"id":3731039,"new_policy":"# Reddit Policy\n\n## Program Terms\n\nReddit's responsible disclosure and bug bounty program is focused on protecting our users' private data, accounts, and identities. The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.\n\nIn addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit's communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\nThe scope for Reddit's program includes most of our assets---if it's not explicitly out-of-scope, and has meaningful security impact, it's fair game. This includes all subdomains of reddit.com and snooguts.net.\n\n## Good Faith\n\nTo be eligible to participate in Reddit's bug bounty program we ask that all hackers act in good faith, which means:\n\n- Don't try to access other users' accounts or data --- respect their privacy.\n- Don't publicly disclose a vulnerability without Reddit's explicit consent.\n- Don't discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n- Don't leverage internal access to continue testing. 
For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don't identify the possibility yourself.\n- Don't upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.\n- Don't leave systems in a more vulnerable state.\n- Don't take any action that could impact the performance or availability of Reddit.\n- Don't make copies of Reddit's private production data as \"proof\". The report should suffice as proof of impact.\n- Be respectful of our team.\n\nFailure to follow these rules will result in your reports being ineligible for bounty awards.\n\n## Eligibility to Participate\n\n- Must abide by Reddit's User Agreement if testing with a Reddit account.\n- Must utilize HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne's terms of service and privacy policy.\n- Reddit employees, contractors who are currently working with Reddit, or have worked with Reddit in the previous 6 months, or immediate family members of either are not eligible for bug bounties.\n\n## Report Quality\n\nReports are expected to be thorough and contain enough information that Reddit's security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots and Test account IDs are encouraged while videos are discouraged, unless necessary.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. 
It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\nTesting Guidelines\n\nWe encourage the use of [HackerOne email](https://docs.hackerone.com/en/articles/8404308-hacker-email-alias) aliases `\u003cusername\u003e@wearehackerone.com` when creating Reddit accounts for testing purposes. This will help differentiate your testing activities from regular traffic.\n\n## Severity Determination\n\nReddit determines the severity of issues based on the asset's criticality, the impact of the issue, and data sensitivity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. Vulnerabilities are primarily rated by their impact on the confidentiality of private data and safety using the Reddit platform.\n\n### Critical\n\nCritical severity vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses, the ability to bypass authentication and gain access to targeted accounts, or compromise of Reddit infrastructure.\n\nExamples of critical severity vulnerabilities include:\n\n- Remote Command Execution (RCE)\n- SQL Injection (SQLi)\n- Authentication bypass resulting in access to a user's account and private data.\n- Access to production secrets such as access tokens that can be used to copy sensitive data.\n- Unauthorized elevation of a regular Reddit account to admin privileges.\n- Authentication bypass that exposes payment information and payment limits of Reddit Ads clients.\n- Reddit's private financial information, like future quarterly reports and company deals.\n- Authentication bypass resulting in unlimited access to Reddit Awards.\n\n### High\n\nHigh severity vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits.\n\nExamples of high severity vulnerabilities include:\n\n- 
Cross-site Scripting (XSS), that bypasses our Content Security Policy (CSP), on reddit.com and ads.reddit.com.\n- Bypassing authorization to read or post to private subreddits.\n- Cross-site Request Forgery (CSRF) or similar attacks provided they result in access to another user's account or data.\n- Bypassing two-factor authentication (2FA) in the Reddit application.\n- The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n- Performing limited admin actions without authorization.\n- Ability to identify real users who are using Anonymous Browsing Mode (ABM) in native apps.\n\n### Medium\n\nMedium severity vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access to less sensitive information.\n\nExamples of medium severity vulnerabilities include:\n\n- Cross-site Scripting (XSS) without a CSP bypass.\n- Cross-site Request Forgery (CSRF) or similar attacks to make a user take an authenticated action they didn\\'t intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n- Disclosing the titles of posts or the usernames of all members in private subreddits.\n- Removing a moderator from a subreddit where you are not a moderator with \"access\" permissions.\n- Unbanning a user that has been banned from a subreddit without appropriate permissions.\n- Cache Poisoning.\n- Server-side Request Forgery (SSRF), with sensitive data exposure.\n- Open Redirects on in-scope domains.\n- LLM prompt injection with sensitive data exposure.\n\n### Low\n\nLow severity vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn\\'t, but with limited security implications.\n\nExamples of low severity vulnerabilities include:\n\n- Self-XSS\n- Bypassing domain restrictions on posted content.\n- Forcing users to use, or not use, the redesign or other early-access features.\n- Disclosure of 
voting records for accounts without the public voting option enabled.\n- Password brute-forcing that circumvents rate limiting.\n- Functionality or features that are accessible through the API but not available via the UI, which have security implications.\n- Functionality that is either undocumented or functions differently from its documentation, with a security impact.\n- Server-side Request Forgery (SSRF), without sensitive data exposure.\n- Open redirects in non-core assets.\n- LLM prompt injection, without sensitive data exposure.\n\n## Bounty Amounts\n\n|                 | Critical  | High    | Medium | Low   |\n|-----------------|-----------|---------|--------|-------|\n| **Core Assets**     | $15,000   | $7,500  | $1,000 | $500  |\n| **Non-Core Assets** | $5,000    | $2,500  | $500   | $200  |\n\n## Rewards by Severity\n\nWe will determine rewards for reports based on the **criticality of the asset, the impact of the issue, and the sensitivity of any leaked data**. Each report will be evaluated individually by our security team. We may offer higher rewards for unique, hard-to-discover bugs. 
We may also pay less for bugs with complex prerequisites that lower risk of exploitation.\n\n## Out-of-Scope\n\nWe generally do not accept logic bugs unless they result in the disclosure of security information, financial data, or cause disruption to our services.\n\n### Reddit agnostic\n\n- Attacks requiring physical access to, root privileges on, or MITM of a user's device.\n- Account Oracles - the ability to determine if an email address or username is in use.\n- Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n- Insecure cookie settings / flags on non-login cookies.\n- Missing HTTP security headers (CSP, HSTS, etc.).\n- Weak SSL/TLS/SSH algorithms or protocols.\n- Lack of certificate pinning (improper certificate validation still eligible)\n- CSRF with no security impact (unauthenticated/logout/login CSRF).\n- Best practices violations (password complexity, expiration, re-use, etc.).\n- Clickjacking on pages with no sensitive actions.\n- Component version disclosure without accompanying proof of vulnerability.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- 0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.\n- Disclosure of internal tracebacks (unless sensitive environment data is also leaked).\n- Comma Separated Values (CSV) injection.\n- Reflected file download.\n- Content spoofing and text injection issues without being able to modify HTML/CSS.\n- Re-usage of passwords from public dumps.\n- Homograph links.\n- Mobile app crashes.\n- Tabnabbing / window.origin not being cleared on new tabs or windows.\n- Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future).\n- XSS from copying/pasting in code into DevConsole or the like.\n- LLM Model Hallucinations.\n- Security issues with SaaS applications that require fixes from the SaaS provider, rather than Reddit 
configurations, should be reported directly to the respective SaaS provider.\n\n### Reddit specific\n\n- Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch. On Dubsmash, the Kinesis AWS key is out of scope as it's non-vulnerable.\n- Functionality available through the API but not present in the UI, without any impact on security.\n- Commenting on removed / deleted posts (explicitly allowed unless a post is locked).\n- Enabling predictions/tournaments on subreddits for communities which are not qualified to the above 10000 subscribers.\n- https://*.reddit.com/etc/passwd.\n- Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n- Bypassing rate-limits or the non-existence of rate-limits that have no platform impact. Example: \u003chttps://vpn.snooguts.net/login\u003e.\n- Exposure of internal domains on public domains.\n- Enabling a setting early but not being able to use the early feature in practice.\n- Reddit.com password length issue (Reddit uses bcrypt which is capped at 72 characters) [https://hackerone.com/reports/1168804](https://hackerone.com/reports/1168804).\n\n## Denial of service attacks\n\nReddit does not allow denial of service attacks, and they are considered out of scope for our bug bounty program. 
This includes any attack that is designed to disrupt or disable the normal operation of our website or services.\n\n## In-scope domains (inclusive of all subdomains)\n\nCheck the Scope tab.\n\n## Out-of-scope domains\n\n- spell.ml.\n- [www.meaningcloud.com](http://www.meaningcloud.com).\n- Any SaaS or other service provider domains that are not mentioned in the Scope tab.\n\nIf you think it's something owned by Reddit, you can send it along - we'll decide if it's out-of-scope.\n\n## Confidentiality\n\nAny information you receive or collect about Reddit, Reddit's systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (\"Confidential Information\") must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. Please note, not all requests for public disclosure can be approved.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-26T14:30:19.647Z"},{"id":3685417,"new_policy":"# Program Terms\n\nReddit’s responsible disclosure and bug bounty program is focused on protecting our users’ private data, accounts, and identities. 
The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.\n\nIn addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit’s communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\nThe scope for Reddit’s program includes most of our assets—if it’s not explicitly out-of-scope, and has meaningful security impact, it’s fair game. This includes all subdomains of reddit.com and snooguts.net. \n\n# Good Faith\nTo be eligible to participate in Reddit’s bug bounty program we ask that all researchers act in good faith, which means: \n\n* Don’t try to access other users’ accounts or data — respect their privacy.\n* Don’t publicly disclose a vulnerability without Reddit’s explicit consent. \n* Don’t discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n* Don’t leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don’t identify the possibility yourself.\n* Don’t upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.\n* Don’t leave systems in a more vulnerable state.\n* Don’t take any action that could impact the performance or availability of Reddit.\n* Don’t make copies of Reddit's private production data as “proof”. 
The report should suffice as proof of impact.\n* Be respectful of our team.\n\nFailure to follow these rules will result in your reports being ineligible for bounty awards.\n\n# Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Eligibility to Participate\n\n* Must abide by Reddit’s User Agreement if testing with a Reddit account.\n* Must utilize HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne’s terms of service and privacy policy.\n* Reddit employees, contractors who are currently working with Reddit, or have worked with Reddit in the previous 6 months, or immediate family members of either are not eligible for bug bounties.\n\n# Report Quality\n\nReports are expected to be thorough and contain enough information that Reddit’s security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\n# Severity Determination\nReddit uses a simple scale to determine severity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. 
Vulnerabilities are primarily rated by their impact to the confidentiality of private user data and safety using the Reddit platform.\n\n## Critical\nCritical vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses or the ability to bypass authentication and gain access to targeted accounts. Examples of critical vulnerabilities include:\n* Remote command execution\n* SQL Injection\n* Authentication bypass resulting in access to a user's account and private data.\n* Access to production secrets such as access tokens that can be used to copy sensitive data.\n* Elevating Reddit application privileges to admin.\n\n## High\nHigh-rated vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits. Examples include:\n* Cross-site scripting (XSS)\n* Bypassing authorization to read or post to private subreddits.\n* CSRF or similar attacks provided they result in access to another user's account or data.\n* Bypassing two-factor authentication (2FA) in the Reddit application.\n* The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n* Performing limited admin actions without authorization.\n* Ability to identify real users who are using Anonymous Browsing Mode (ABM) in native apps\n\n## Medium\nMedium-risk vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access less-sensitive information. 
Examples include:\n* CSRF or similar attacks to make a user take an action they didn't intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n* Disclosing the titles of posts in private subreddits.\n* Removing a moderator from a subreddit where you are not a moderator with “access” permissions.\n* Unbanning a user that has been banned from a subreddit without appropriate permissions.\n* Open redirects\n\n## Low\nLow-risk vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn't, but with no serious security implications. Examples include:\n* Bypassing domain restrictions on posted content.\n* Forcing users to use or not use the redesign or other early-access features.\n* Disclosure of voting records for accounts without the public voting option enabled.\n* Password brute-forcing that circumvents rate limiting\n\n# Bounty Amounts\nThe upper limits on bounty for each bug class:\n\n| Critical | High | Medium | Low |\n|:--------:|:----:|:------:|:---:|\n|  $10,000  | $5,000  |  $500  | $100  |\n\nThese are guidelines and may be adjusted by Reddit at our own discretion. Note that mitigating factors such as rate limiting (if applicable), the limitations on what may be accessed and the sensitivity of the exposed data will be taken into account when determining bounties. 
Bounty payments will be made through the HackerOne platform.\n\n# Out-of-Scope\n\n## Reddit agnostic:\n* Attacks requiring physical access to, root privileges on, or MITM of a user's device.\n* Account Oracles - the ability to determine if an email address or username is in use.\n* Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n* Insecure cookie settings / flags on non-login cookies.\n* Missing HTTP security headers (CSP, HSTS, etc.).\n* Weak SSL/TLS/SSH algorithms or protocols.\n* Lack of certificate pinning (improper certificate validation still eligible)\n* CSRF with no security impact (unauthenticated/logout/login CSRF).\n* Best practices violations (password complexity, expiration, re-use, etc.).\n* Clickjacking on pages with no sensitive actions.\n* Component version disclosure without accompanying proof of vulnerability.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* 0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.\n* Disclosure of internal tracebacks (unless sensitive environment data is also leaked).\n* Comma Separated Values (CSV) injection.\n* Reflected file download.\n* Content spoofing and text injection issues without being able to modify HTML/CSS.\n* Re-usage of passwords from public dumps.\n* Homograph links.\n* Mobile app crashes.\n* Tabnabbing / window.origin not being cleared on new tabs or windows\n* Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future)\n* XSS from copying/pasting in code into DevConsole or the like\n\n## Reddit specific:\n* Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch. On Dubsmash, the Kinesis AWS key is out of scope as it's non-vulnerable. 
\n* Commenting on removed / deleted posts (explicitly allowed unless a post is locked)\n* Enabling predictions/tournaments on subreddits for communities which are not qualified to the above 10000 subscribers.\n* https://*.reddit.com/etc/passwd\n* Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n* Redress of subreddits with subreddit styles.\n* Bypassing rate-limits or the non-existence of rate-limits that have no platform impact. \n    Example: https://vpn.snooguts.net/login\n* Exposure of internal domains on public domains\n* Enabling a setting early and not being able to use the early feature in practice\n* Reddit.com password length issue (Reddit uses bcrypt which is capped at 72 characters) https://hackerone.com/reports/1168804\n* https://spell.ml/\n* https://www.meaningcloud.com/\n\n## Denial of service attacks:\n* Just don’t, we’re busy enough keeping the site up\n\n## In-scope domains (inclusive of all subdomains):\n* reddit.com\n* snooguts.net\n* redd.it\n* redditblog.com\n* redditmedia.com\n* redditstatic.com\n* reddituploads.com\n* redditinc.com\n* reddithelp.com (limited)\n* 1st party Android and iOS apps for Reddit\n\n## Out-of-scope domains\nAny SaaS or other service provider not explicitly called out. If you think it’s something owned by Reddit, you can send it along - we’ll decide if it’s out-of-scope.\n\n# Confidentiality\n\nAny information you receive or collect about Reddit, Reddit’s systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. 
Please note, not all requests for public disclosure can be approved.\n\n# Rights and Licenses\nWe may modify the Program Terms or cancel the Bug Bounty Program at any time.\n\nBy making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.\n\nBy making a Submission, you give us the right to use your Submission for any purpose.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-27T16:12:26.942Z"},{"id":3678051,"new_policy":"# Program Terms\n\nReddit’s responsible disclosure and bug bounty program is focused on protecting our users’ private data, accounts, and identities. The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.\n\nIn addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit’s communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\nThe scope for Reddit’s program includes most of our assets—if it’s not explicitly out-of-scope, and has meaningful security impact, it’s fair game. This includes all subdomains of reddit.com and snooguts.net. 
\n\n# Good Faith\nTo be eligible to participate in Reddit’s bug bounty program we ask that all researchers act in good faith, which means: \n\n* Don’t try to access other users’ accounts or data — respect their privacy.\n* Don’t publicly disclose a vulnerability without Reddit’s explicit consent. \n* Don’t discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n* Don’t leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don’t identify the possibility yourself.\n* Don’t upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.\n* Don’t leave systems in a more vulnerable state.\n* Don’t take any action that could impact the performance or availability of Reddit.\n* Don’t make copies of Reddit's private production data as “proof”. The report should suffice as proof of impact.\n* Be respectful of our team.\n\nFailure to follow these rules will result in your reports being ineligible for bounty awards.\n\n# Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Eligibility to Participate\n\n* Must abide by Reddit’s User Agreement if testing with a Reddit account.\n* Must utilize HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne’s terms of service and privacy policy.\n* Reddit employees, contractors who are currently working with Reddit, or have worked with Reddit in the previous 6 months, or immediate family members of either are not eligible for bug bounties.\n\n# Report Quality\n\nReports are expected to be thorough and contain enough information that Reddit’s security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\n# Severity Determination\nReddit uses a simple scale to determine severity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. Vulnerabilities are primarily rated by their impact to the confidentiality of private user data and safety using the Reddit platform.\n\n## Critical\nCritical vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses or the ability to bypass authentication and gain access to targeted accounts. 
Examples of critical vulnerabilities include:\n* Remote command execution\n* SQL Injection\n* Authentication bypass resulting in access to a user's account and private data.\n* Access to production secrets such as access tokens that can be used to copy sensitive data.\n* Elevating Reddit application privileges to admin.\n\n## High\nHigh-rated vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits. Examples include:\n* Cross-site scripting (XSS)\n* Bypassing authorization to read or post to private subreddits.\n* CSRF or similar attacks provided they result in access to another user's account or data.\n* Bypassing two-factor authentication (2FA) in the Reddit application.\n* The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n* Performing limited admin actions without authorization.\n* Ability to identify real users who are using Anonymous Browsing Mode (ABM) in native apps\n\n## Medium\nMedium-risk vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access less-sensitive information. Examples include:\n* CSRF or similar attacks to make a user take an action they didn't intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n* Disclosing the titles of posts in private subreddits.\n* Removing a moderator from a subreddit where you are not a moderator with “access” permissions.\n* Unbanning a user that has been banned from a subreddit without appropriate permissions.\n* Open redirects\n\n## Low\nLow-risk vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn't, but with no serious security implications. 
Examples include:\n* Bypassing domain restrictions on posted content.\n* Forcing users to use or not use the redesign or other early-access features.\n* Disclosure of voting records for accounts without the public voting option enabled.\n* Password brute-forcing that circumvents rate limiting\n\n# Bounty Amounts\nThe upper limits on bounty for each bug class:\n\n| Critical | High | Medium | Low |\n|:--------:|:----:|:------:|:---:|\n|  $10,000  | $5,000  |  $500  | $100  |\n\nThese are guidelines and may be adjusted by Reddit at our own discretion. Note that mitigating factors such as rate limiting (if applicable), the limitations on what may be accessed and the sensitivity of the exposed data will be taken into account when determining bounties. Bounty payments will be made through the HackerOne platform.\n\n# Out-of-Scope\n\n## Reddit agnostic:\n* Attacks requiring physical access to, root privileges on, or MITM of a user's device.\n* Account Oracles - the ability to determine if an email address or username is in use.\n* Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n* Insecure cookie settings / flags on non-login cookies.\n* Missing HTTP security headers (CSP, HSTS, etc.).\n* Weak SSL/TLS/SSH algorithms or protocols.\n* Lack of certificate pinning (improper certificate validation still eligible)\n* CSRF with no security impact (unauthenticated/logout/login CSRF).\n* Best practices violations (password complexity, expiration, re-use, etc.).\n* Clickjacking on pages with no sensitive actions.\n* Component version disclosure without accompanying proof of vulnerability.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* 0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.\n* Disclosure of internal tracebacks (unless sensitive environment data is also leaked).\n* Comma Separated Values (CSV) injection.\n* Reflected file download.\n* 
Content spoofing and text injection issues without being able to modify HTML/CSS.\n* Re-usage of passwords from public dumps.\n* Homograph links.\n* Mobile app crashes.\n* Tabnabbing / window.origin not being cleared on new tabs or windows\n* Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future)\n* XSS from copying/pasting in code into DevConsole or the like\n\n## Reddit specific:\n* Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch. On Dubsmash, the Kinesis AWS key is out of scope as it's non-vulnerable. \n* Commenting on removed / deleted posts (explicitly allowed unless a post is locked)\n* https://*.reddit.com/etc/passwd\n* Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n* Redress of subreddits with subreddit styles.\n* Bypassing rate-limits or the non-existence of rate-limits that have no platform impact. \n    Example: https://vpn.snooguts.net/login\n* Exposure of internal domains on public domains\n* Enabling a setting early and not being able to use the early feature in practice\n* Reddit.com password length issue (Reddit uses bcrypt which is capped at 72 characters) https://hackerone.com/reports/1168804\n* https://spell.ml/\n* https://www.meaningcloud.com/\n\n## Denial of service attacks:\n* Just don’t, we’re busy enough keeping the site up\n\n## In-scope domains (inclusive of all subdomains):\n* reddit.com\n* snooguts.net\n* redd.it\n* redditblog.com\n* redditmedia.com\n* redditstatic.com\n* reddituploads.com\n* redditinc.com\n* reddithelp.com (limited)\n* 1st party Android and iOS apps for Reddit\n\n## Out-of-scope domains\nAny SaaS or other service provider not explicitly called out. 
If you think it’s something owned by Reddit, you can send it along - we’ll decide if it’s out-of-scope.\n\n# Confidentiality\n\nAny information you receive or collect about Reddit, Reddit’s systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. Please note, not all requests for public disclosure can be approved.\n\n# Rights and Licenses\nWe may modify the Program Terms or cancel the Bug Bounty Program at any time.\n\nBy making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.\n\nBy making a Submission, you give us the right to use your Submission for any purpose.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-30T19:08:06.828Z"},{"id":3676790,"new_policy":"# Program Terms\n\nReddit’s responsible disclosure and bug bounty program is focused on protecting our users’ private data, accounts, and identities. 
The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.\n\nIn addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit’s communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\nThe scope for Reddit’s program includes most of our assets—if it’s not explicitly out-of-scope, and has meaningful security impact, it’s fair game. This includes all subdomains of reddit.com and snooguts.net. \n\n# Good Faith\nTo be eligible to participate in Reddit’s bug bounty program we ask that all researchers act in good faith, which means: \n\n* Don’t try to access other users’ accounts or data — respect their privacy.\n* Don’t publicly disclose a vulnerability without Reddit’s explicit consent. \n* Don’t discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n* Don’t leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don’t identify the possibility yourself.\n* Don’t upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.\n* Don’t leave systems in a more vulnerable state.\n* Don’t take any action that could impact the performance or availability of Reddit.\n* Don’t make copies of Reddit's private production data as “proof”. 
The report should suffice as proof of impact.\n* Be respectful of our team.\n\nFailure to follow these rules will result in your reports being ineligible for bounty awards.\n\n# Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Eligibility to Participate\n\n* Must abide by Reddit’s User Agreement if testing with a Reddit account.\n* Must utilize HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne’s terms of service and privacy policy.\n* Reddit employees, contractors who are currently working with Reddit, or have worked with Reddit in the previous 6 months, or immediate family members of either are not eligible for bug bounties.\n\n# Report Quality\n\nReports are expected to be thorough and contain enough information that Reddit’s security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\n# Severity Determination\nReddit uses a simple scale to determine severity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. 
Vulnerabilities are primarily rated by their impact to the confidentiality of private user data and safety using the Reddit platform.\n\n## Critical\nCritical vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses or the ability to bypass authentication and gain access to targeted accounts. Examples of critical vulnerabilities include:\n* Remote command execution\n* SQL Injection\n* Authentication bypass resulting in access to a user's account and private data.\n* Access to production secrets such as access tokens that can be used to copy sensitive data.\n* Elevating Reddit application privileges to admin.\n\n## High\nHigh-rated vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits. Examples include:\n* Cross-site scripting (XSS)\n* Bypassing authorization to read or post to private subreddits.\n* CSRF or similar attacks provided they result in access to another user's account or data.\n* Bypassing two-factor authentication (2FA) in the Reddit application.\n* The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n* Performing limited admin actions without authorization.\n* Ability to identify real users who are using Anonymous Browsing Mode (ABM) in native apps\n\n## Medium\nMedium-risk vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access less-sensitive information. 
Examples include:\n* CSRF or similar attacks to make a user take an action they didn't intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n* Disclosing the titles of posts in private subreddits.\n* Removing a moderator from a subreddit where you are not a moderator with “access” permissions.\n* Unbanning a user that has been banned from a subreddit without appropriate permissions.\n* Open redirects\n\n## Low\nLow-risk vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn't, but with no serious security implications. Examples include:\n* Bypassing domain restrictions on posted content.\n* Forcing users to use or not use the redesign or other early-access features.\n* Disclosure of voting records for accounts without the public voting option enabled.\n* Password brute-forcing that circumvents rate limiting\n\n# Bounty Amounts\nThe upper limits on bounty for each bug class:\n\n| Critical | High | Medium | Low |\n|:--------:|:----:|:------:|:---:|\n|  $10,000  | $5,000  |  $500  | $100  |\n\nThese are guidelines and may be adjusted by Reddit at our own discretion. Note that mitigating factors such as rate limiting (if applicable), the limitations on what may be accessed and the sensitivity of the exposed data will be taken into account when determining bounties. 
Bounty payments will be made through the HackerOne platform.\n\n# Out-of-Scope\n\n## Reddit agnostic:\n* Attacks requiring physical access to, root privileges on, or MITM of a user's device.\n* Account Oracles - the ability to determine if an email address or username is in use.\n* Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n* Insecure cookie settings / flags on non-login cookies.\n* Missing HTTP security headers (CSP, HSTS, etc.).\n* Weak SSL/TLS/SSH algorithms or protocols.\n* Lack of certificate pinning (improper certificate validation still eligible)\n* CSRF with no security impact (unauthenticated/logout/login CSRF).\n* Best practices violations (password complexity, expiration, re-use, etc.).\n* Clickjacking on pages with no sensitive actions.\n* Component version disclosure without accompanying proof of vulnerability.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* 0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.\n* Disclosure of internal tracebacks (unless sensitive environment data is also leaked).\n* Comma Separated Values (CSV) injection.\n* Reflected file download.\n* Content spoofing and text injection issues without being able to modify HTML/CSS.\n* Re-usage of passwords from public dumps.\n* Homograph links.\n* Mobile app crashes.\n* Tabnabbing / window.origin not being cleared on new tabs or windows\n* Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future)\n* XSS from copying/pasting in code into DevConsole or the like\n\n## Reddit specific:\n* Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch. On Dubsmash, the Kinesis AWS key is out of scope as it's non-vulnerable. 
\n* Commenting on removed / deleted posts (explicitly allowed unless a post is locked)\n* https://*.reddit.com/etc/passwd\n* Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n* Redress of subreddits with subreddit styles.\n* Bypassing rate-limits or the non-existence of rate-limits that have no platform impact. \n    Example: https://vpn.snooguts.net/login\n* Exposure of internal domains on public domains\n* Enabling a setting early and not being able to use the early feature in practice\n* Reddit.com password length issue (Reddit uses bcrypt which is capped at 72 characters) https://hackerone.com/reports/1168804\n* https://spell.ml/\n\n## Denial of service attacks:\n* Just don’t, we’re busy enough keeping the site up\n\n## In-scope domains (inclusive of all subdomains):\n* reddit.com\n* snooguts.net\n* redd.it\n* redditblog.com\n* redditmedia.com\n* redditstatic.com\n* reddituploads.com\n* redditinc.com\n* reddithelp.com (limited)\n* 1st party Android and iOS apps for Reddit\n\n## Out-of-scope domains\nAny SaaS or other service provider not explicitly called out. If you think it’s something owned by Reddit, you can send it along - we’ll decide if it’s out-of-scope.\n\n# Confidentiality\n\nAny information you receive or collect about Reddit, Reddit’s systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. 
Please note, not all requests for public disclosure can be approved.\n\n# Rights and Licenses\nWe may modify the Program Terms or cancel the Bug Bounty Program at any time.\n\nBy making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.\n\nBy making a Submission, you give us the right to use your Submission for any purpose.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-08-30T15:57:07.193Z"},{"id":3675868,"new_policy":"# Program Terms\n\nReddit’s responsible disclosure and bug bounty program is focused on protecting our users’ private data, accounts, and identities. The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.\n\nIn addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit’s communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\nThe scope for Reddit’s program includes most of our assets—if it’s not explicitly out-of-scope, and has meaningful security impact, it’s fair game. This includes all subdomains of reddit.com and snooguts.net. 
\n\n# Good Faith\nTo be eligible to participate in Reddit’s bug bounty program we ask that all researchers act in good faith, which means: \n\n* Don’t try to access other users’ accounts or data — respect their privacy.\n* Don’t publicly disclose a vulnerability without Reddit’s explicit consent. \n* Don’t discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n* Don’t leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don’t identify the possibility yourself.\n* Don’t upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.\n* Don’t leave systems in a more vulnerable state.\n* Don’t take any action that could impact the performance or availability of Reddit.\n* Don’t make copies of Reddit's private production data as “proof”. The report should suffice as proof of impact.\n* Be respectful of our team.\n\nFailure to follow these rules will result in your reports being ineligible for bounty awards.\n\n# Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Eligibility to Participate\n\n* Must abide by Reddit’s User Agreement if testing with a Reddit account.\n* Must utilize HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne’s terms of service and privacy policy.\n* Reddit employees, contractors who are currently working with Reddit, or have worked with Reddit in the previous 6 months, or immediate family members of either are not eligible for bug bounties.\n\n# Report Quality\n\nReports are expected to be thorough and contain enough information that Reddit’s security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\n# Severity Determination\nReddit uses a simple scale to determine severity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. Vulnerabilities are primarily rated by their impact to the confidentiality of private user data and safety using the Reddit platform.\n\n## Critical\nCritical vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses or the ability to bypass authentication and gain access to targeted accounts. 
Examples of critical vulnerabilities include:\n* Remote command execution\n* SQL Injection\n* Authentication bypass resulting in access to a user's account and private data.\n* Access to production secrets such as access tokens that can be used to copy sensitive data.\n* Elevating Reddit application privileges to admin.\n\n## High\nHigh-rated vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits. Examples include:\n* Cross-site scripting (XSS)\n* Bypassing authorization to read or post to private subreddits.\n* CSRF or similar attacks provided they result in access to another user's account or data.\n* Bypassing two-factor authentication (2FA) in the Reddit application.\n* The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n* Performing limited admin actions without authorization.\n* Ability to identify real users who are using Anonymous Browsing Mode (ABM) in native apps\n\n## Medium\nMedium-risk vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access less-sensitive information. Examples include:\n* CSRF or similar attacks to make a user take an action they didn't intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n* Disclosing the titles of posts in private subreddits.\n* Removing a moderator from a subreddit where you are not a moderator with “access” permissions.\n* Unbanning a user that has been banned from a subreddit without appropriate permissions.\n* Open redirects\n\n## Low\nLow-risk vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn't, but with no serious security implications. 
Examples include:\n* Bypassing domain restrictions on posted content.\n* Forcing users to use or not use the redesign or other early-access features.\n* Disclosure of voting records for accounts without the public voting option enabled.\n* Password brute-forcing that circumvents rate limiting\n\n# Bounty Amounts\nThe upper limits on bounty for each bug class:\n\n| Critical | High | Medium | Low |\n|:--------:|:----:|:------:|:---:|\n|  $10,000  | $5,000  |  $500  | $100  |\n\nThese are guidelines and may be adjusted by Reddit at our own discretion. Note that mitigating factors such as rate limiting (if applicable), the limitations on what may be accessed and the sensitivity of the exposed data will be taken into account when determining bounties. Bounty payments will be made through the HackerOne platform.\n\n# Out-of-Scope\n\n## Reddit agnostic:\n* Attacks requiring physical access to, root privileges on, or MITM of a user's device.\n* Account Oracles - the ability to determine if an email address or username is in use.\n* Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n* Insecure cookie settings / flags on non-login cookies.\n* Missing HTTP security headers (CSP, HSTS, etc.).\n* Weak SSL/TLS/SSH algorithms or protocols.\n* Lack of certificate pinning (improper certificate validation still eligible)\n* CSRF with no security impact (unauthenticated/logout/login CSRF).\n* Best practices violations (password complexity, expiration, re-use, etc.).\n* Clickjacking on pages with no sensitive actions.\n* Component version disclosure without accompanying proof of vulnerability.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* 0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.\n* Disclosure of internal tracebacks (unless sensitive environment data is also leaked).\n* Comma Separated Values (CSV) injection.\n* Reflected file download.\n* 
Content spoofing and text injection issues without being able to modify HTML/CSS.\n* Re-usage of passwords from public dumps.\n* Homograph links.\n* Mobile app crashes.\n* Tabnabbing / window.origin not being cleared on new tabs or windows\n* Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future)\n* XSS from copying/pasting in code into DevConsole or the like\n\n## Reddit specific:\n* Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch. On Dubsmash, the Kinesis AWS key is out of scope as it's non-vulnerable. \n* Commenting on removed / deleted posts (explicitly allowed unless a post is locked)\n* https://*.reddit.com/etc/passwd\n* Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n* Redress of subreddits with subreddit styles.\n* Bypassing rate-limits or the non-existence of rate-limits that have no platform impact. \n    Example: https://vpn.snooguts.net/login\n* Exposure of internal domains on public domains\n* Reddit.com password length issue (Reddit uses bcrypt which is capped at 72 characters) https://hackerone.com/reports/1168804\n* https://spell.ml/\n\n## Denial of service attacks:\n* Just don’t, we’re busy enough keeping the site up\n\n## In-scope domains (inclusive of all subdomains):\n* reddit.com\n* snooguts.net\n* redd.it\n* redditblog.com\n* redditmedia.com\n* redditstatic.com\n* reddituploads.com\n* redditinc.com\n* reddithelp.com (limited)\n* 1st party Android and iOS apps for Reddit\n\n## Out-of-scope domains\nAny SaaS or other service provider not explicitly called out. 
If you think it’s something owned by Reddit, you can send it along - we’ll decide if it’s out-of-scope.\n\n# Confidentiality\n\nAny information you receive or collect about Reddit, Reddit’s systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. Please note, not all requests for public disclosure can be approved.\n\n# Rights and Licenses\nWe may modify the Program Terms or cancel the Bug Bounty Program at any time.\n\nBy making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.\n\nBy making a Submission, you give us the right to use your Submission for any purpose.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-08-08T21:59:22.412Z"},{"id":3675511,"new_policy":"# Program Terms\n\nReddit’s responsible disclosure and bug bounty program is focused on protecting our users’ private data, accounts, and identities. 
The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.\n\nIn addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit’s communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\nThe scope for Reddit’s program includes most of our assets—if it’s not explicitly out-of-scope, and has meaningful security impact, it’s fair game. This includes all subdomains of reddit.com and snooguts.net. \n\n# Good Faith\nTo be eligible to participate in Reddit’s bug bounty program we ask that all researchers act in good faith, which means: \n\n* Don’t try to access other users’ accounts or data — respect their privacy.\n* Don’t publicly disclose a vulnerability without Reddit’s explicit consent. \n* Don’t discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n* Don’t leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don’t identify the possibility yourself.\n* Don’t upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.\n* Don’t leave systems in a more vulnerable state.\n* Don’t take any action that could impact the performance or availability of Reddit.\n* Don’t make copies of Reddit's private production data as “proof”. 
The report should suffice as proof of impact.\n* Be respectful of our team.\n\nFailure to follow these rules will result in your reports being ineligible for bounty awards.\n\n# Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Eligibility to Participate\n\n* Must abide by Reddit’s User Agreement if testing with a Reddit account.\n* Must utilize HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne’s terms of service and privacy policy.\n* Reddit employees, contractors who are currently working with Reddit, or have worked with Reddit in the previous 6 months, or immediate family members of either are not eligible for bug bounties.\n\n# Report Quality\n\nReports are expected to be thorough and contain enough information that Reddit’s security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\n# Severity Determination\nReddit uses a simple scale to determine severity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. 
Vulnerabilities are primarily rated by their impact to the confidentiality of private user data and safety using the Reddit platform.\n\n## Critical\nCritical vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses or the ability to bypass authentication and gain access to targeted accounts. Examples of critical vulnerabilities include:\n* Remote command execution\n* SQL Injection\n* Authentication bypass resulting in access to a user's account and private data.\n* Access to production secrets such as access tokens that can be used to copy sensitive data.\n* Elevating Reddit application privileges to admin.\n\n## High\nHigh-rated vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits. Examples include:\n* Cross-site scripting (XSS)\n* Bypassing authorization to read or post to private subreddits.\n* CSRF or similar attacks provided they result in access to another user's account or data.\n* Bypassing two-factor authentication (2FA) in the Reddit application.\n* The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n* Performing limited admin actions without authorization.\n* Ability to identify real users who are using Anonymous Browsing Mode (ABM) in native apps\n\n## Medium\nMedium-risk vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access less-sensitive information. 
Examples include:\n* CSRF or similar attacks to make a user take an action they didn't intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n* Disclosing the titles of posts in private subreddits.\n* Removing a moderator from a subreddit where you are not a moderator with “access” permissions.\n* Unbanning a user that has been banned from a subreddit without appropriate permissions.\n* Open redirects\n\n## Low\nLow-risk vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn't, but with no serious security implications. Examples include:\n* Bypassing domain restrictions on posted content.\n* Forcing users to use or not use the redesign or other early-access features.\n* Disclosure of voting records for accounts without the public voting option enabled.\n* Password brute-forcing that circumvents rate limiting\n\n# Bounty Amounts\nThe upper limits on bounty for each bug class:\n\n| Critical | High | Medium | Low |\n|:--------:|:----:|:------:|:---:|\n|  $10,000  | $5,000  |  $500  | $100  |\n\nThese are guidelines and may be adjusted by Reddit at our own discretion. Note that mitigating factors such as rate limiting (if applicable), the limitations on what may be accessed and the sensitivity of the exposed data will be taken into account when determining bounties. 
Bounty payments will be made through the HackerOne platform.\n\n# Out-of-Scope\n\n## Reddit agnostic:\n* Attacks requiring physical access to, root privileges on, or MITM of a user's device.\n* Account Oracles - the ability to determine if an email address or username is in use.\n* Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n* Insecure cookie settings / flags on non-login cookies.\n* Missing HTTP security headers (CSP, HSTS, etc.).\n* Weak SSL/TLS/SSH algorithms or protocols.\n* Lack of certificate pinning (improper certificate validation still eligible)\n* CSRF with no security impact (unauthenticated/logout/login CSRF).\n* Best practices violations (password complexity, expiration, re-use, etc.).\n* Clickjacking on pages with no sensitive actions.\n* Component version disclosure without accompanying proof of vulnerability.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* 0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.\n* Disclosure of internal tracebacks (unless sensitive environment data is also leaked).\n* Comma Separated Values (CSV) injection.\n* Reflected file download.\n* Content spoofing and text injection issues without being able to modify HTML/CSS.\n* Re-usage of passwords from public dumps.\n* Homograph links.\n* Mobile app crashes.\n* Tabnabbing / window.origin not being cleared on new tabs or windows\n* Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future)\n* XSS from copying/pasting in code into DevConsole or the like\n\n## Reddit specific:\n* Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch. On Dubsmash, the Kinesis AWS key is out of scope as it's non-vulnerable. 
\n* Commenting on removed / deleted posts (explicitly allowed unless a post is locked)\n* https://*.reddit.com/etc/passwd\n* Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n* Redress of subreddits with subreddit styles.\n* Bypassing rate-limits or the non-existence of rate-limits that have no platform impact. \n    Example: https://vpn.snooguts.net/login\n* Exposure of internal domains on public domains\n* Reddit.com password length issue (Reddit uses bcrypt which is capped at 72 characters) https://hackerone.com/reports/1168804\n\n## Denial of service attacks:\n* Just don’t, we’re busy enough keeping the site up\n\n## In-scope domains (inclusive of all subdomains):\n* reddit.com\n* snooguts.net\n* redd.it\n* redditblog.com\n* redditmedia.com\n* redditstatic.com\n* reddituploads.com\n* redditinc.com\n* reddithelp.com (limited)\n* 1st party Android and iOS apps for Reddit\n\n## Out-of-scope domains\nAny SaaS or other service provider not explicitly called out. If you think it’s something owned by Reddit, you can send it along - we’ll decide if it’s out-of-scope.\n\n# Confidentiality\n\nAny information you receive or collect about Reddit, Reddit’s systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. 
Please note, not all requests for public disclosure can be approved.\n\n# Rights and Licenses\nWe may modify the Program Terms or cancel the Bug Bounty Program at any time.\n\nBy making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.\n\nBy making a Submission, you give us the right to use your Submission for any purpose.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-08-01T21:00:24.669Z"},{"id":3673971,"new_policy":"# We are running a Promotion!\n\nWe are excited to announce that the Collectible Avatars feature is now available for testing. We are offering bonuses in addition to the standard payouts for all valid reports for the new Collectible Avatars feature. Bonuses will be paid out to any valid reports pertaining to Collectible Avatars, Reddit Wallet (Vault), and the Avatar Shop.\n\nCollectible Avatars Feature Announcement: https://www.reddit.com/r/reddit/comments/vtkmni/introducing_collectible_avatars/\nHow to get early access: https://www.reddit.com/r/CollectibleAvatars/comments/vtkkjo/welcome_to_rcollectibleavatars/\nAvatar Shop: https://www.reddit.com/avatar/shop\n\nCritical = $1000 Bonus\nHigh = $1000 Bonus\nMedium = $500 Bonus\nLow = $500 Bonus\n\n*Promotion Start Date: 07/07/2022 - 12.00 AM PST\nPromotion End Date: 07/31/2022 - 11.59 PM PST*\n\n___\n\n# Program Terms\n\nReddit’s responsible disclosure and bug bounty program is focused on protecting our users’ private data, accounts, and identities. 
The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.\n\nIn addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit’s communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\nThe scope for Reddit’s program includes most of our assets—if it’s not explicitly out-of-scope, and has meaningful security impact, it’s fair game. This includes all subdomains of reddit.com and snooguts.net. \n\n# Good Faith\nTo be eligible to participate in Reddit’s bug bounty program we ask that all researchers act in good faith, which means: \n\n* Don’t try to access other users’ accounts or data — respect their privacy.\n* Don’t publicly disclose a vulnerability without Reddit’s explicit consent. \n* Don’t discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n* Don’t leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don’t identify the possibility yourself.\n* Don’t upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.\n* Don’t leave systems in a more vulnerable state.\n* Don’t take any action that could impact the performance or availability of Reddit.\n* Don’t make copies of Reddit's private production data as “proof”. 
The report should suffice as proof of impact.\n* Be respectful of our team.\n\nFailure to follow these rules will result in your reports being ineligible for bounty awards.\n\n# Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Eligibility to Participate\n\n* Must abide by Reddit’s User Agreement if testing with a Reddit account.\n* Must utilize HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne’s terms of service and privacy policy.\n* Reddit employees, contractors who are currently working with Reddit, or have worked with Reddit in the previous 6 months, or immediate family members of either are not eligible for bug bounties.\n\n# Report Quality\n\nReports are expected to be thorough and contain enough information that Reddit’s security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\n# Severity Determination\nReddit uses a simple scale to determine severity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. 
Vulnerabilities are primarily rated by their impact to the confidentiality of private user data and safety using the Reddit platform.\n\n## Critical\nCritical vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses or the ability to bypass authentication and gain access to targeted accounts. Examples of critical vulnerabilities include:\n* Remote command execution\n* SQL Injection\n* Authentication bypass resulting in access to a user's account and private data.\n* Access to production secrets such as access tokens that can be used to copy sensitive data.\n* Elevating Reddit application privileges to admin.\n\n## High\nHigh-rated vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits. Examples include:\n* Cross-site scripting (XSS)\n* Bypassing authorization to read or post to private subreddits.\n* CSRF or similar attacks provided they result in access to another user's account or data.\n* Bypassing two-factor authentication (2FA) in the Reddit application.\n* The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n* Performing limited admin actions without authorization.\n* Ability to identify real users who are using Anonymous Browsing Mode (ABM) in native apps\n\n## Medium\nMedium-risk vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access less-sensitive information. 
Examples include:\n* CSRF or similar attacks to make a user take an action they didn't intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n* Disclosing the titles of posts in private subreddits.\n* Removing a moderator from a subreddit where you are not a moderator with “access” permissions.\n* Unbanning a user that has been banned from a subreddit without appropriate permissions.\n* Open redirects\n\n## Low\nLow-risk vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn't, but with no serious security implications. Examples include:\n* Bypassing domain restrictions on posted content.\n* Forcing users to use or not use the redesign or other early-access features.\n* Disclosure of voting records for accounts without the public voting option enabled.\n* Password brute-forcing that circumvents rate limiting\n\n# Bounty Amounts\nThe upper limits on bounty for each bug class:\n\n| Critical | High | Medium | Low |\n|:--------:|:----:|:------:|:---:|\n|  $10,000  | $5,000  |  $500  | $100  |\n\nThese are guidelines and may be adjusted by Reddit at our own discretion. Note that mitigating factors such as rate limiting (if applicable), the limitations on what may be accessed and the sensitivity of the exposed data will be taken into account when determining bounties. 
Bounty payments will be made through the HackerOne platform.\n\n# Out-of-Scope\n\n## Reddit agnostic:\n* Attacks requiring physical access to, root privileges on, or MITM of a user's device.\n* Account Oracles - the ability to determine if an email address or username is in use.\n* Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n* Insecure cookie settings / flags on non-login cookies.\n* Missing HTTP security headers (CSP, HSTS, etc.).\n* Weak SSL/TLS/SSH algorithms or protocols.\n* Lack of certificate pinning (improper certificate validation still eligible)\n* CSRF with no security impact (unauthenticated/logout/login CSRF).\n* Best practices violations (password complexity, expiration, re-use, etc.).\n* Clickjacking on pages with no sensitive actions.\n* Component version disclosure without accompanying proof of vulnerability.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* 0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.\n* Disclosure of internal tracebacks (unless sensitive environment data is also leaked).\n* Comma Separated Values (CSV) injection.\n* Reflected file download.\n* Content spoofing and text injection issues without being able to modify HTML/CSS.\n* Re-usage of passwords from public dumps.\n* Homograph links.\n* Mobile app crashes.\n* Tabnabbing / window.origin not being cleared on new tabs or windows\n* Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future)\n* XSS from copying/pasting in code into DevConsole or the like\n\n## Reddit specific:\n* Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch. On Dubsmash, the Kinesis AWS key is out of scope as it's non-vulnerable. 
\n* Commenting on removed / deleted posts (explicitly allowed unless a post is locked)\n* https://*.reddit.com/etc/passwd\n* Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n* Redress of subreddits with subreddit styles.\n* Bypassing rate-limits or the non-existence of rate-limits that have no platform impact. \n    Example: https://vpn.snooguts.net/login\n* Exposure of internal domains on public domains\n* Reddit.com password length issue (Reddit uses bcrypt which is capped at 72 characters) https://hackerone.com/reports/1168804\n\n## Denial of service attacks:\n* Just don’t, we’re busy enough keeping the site up\n\n## In-scope domains (inclusive of all subdomains):\n* reddit.com\n* snooguts.net\n* redd.it\n* redditblog.com\n* redditmedia.com\n* redditstatic.com\n* reddituploads.com\n* redditinc.com\n* reddithelp.com (limited)\n* 1st party Android and iOS apps for Reddit\n\n## Out-of-scope domains\nAny SaaS or other service provider not explicitly called out. If you think it’s something owned by Reddit, you can send it along - we’ll decide if it’s out-of-scope.\n\n# Confidentiality\n\nAny information you receive or collect about Reddit, Reddit’s systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. 
Please note, not all requests for public disclosure can be approved.\n\n# Rights and Licenses\nWe may modify the Program Terms or cancel the Bug Bounty Program at any time.\n\nBy making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.\n\nBy making a Submission, you give us the right to use your Submission for any purpose.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-07-07T21:16:55.233Z"},{"id":3671361,"new_policy":"# Program Terms\n\nReddit’s responsible disclosure and bug bounty program is focused on protecting our users’ private data, accounts, and identities. The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.\n\nIn addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit’s communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\nThe scope for Reddit’s program includes most of our assets—if it’s not explicitly out-of-scope, and has meaningful security impact, it’s fair game. This includes all subdomains of reddit.com and snooguts.net. 
\n\n# Good Faith\nTo be eligible to participate in Reddit’s bug bounty program we ask that all researchers act in good faith, which means: \n\n* Don’t try to access other users’ accounts or data — respect their privacy.\n* Don’t publicly disclose a vulnerability without Reddit’s explicit consent. \n* Don’t discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n* Don’t leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don’t identify the possibility yourself.\n* Don’t upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.\n* Don’t leave systems in a more vulnerable state.\n* Don’t take any action that could impact the performance or availability of Reddit.\n* Don’t make copies of Reddit's private production data as “proof”. The report should suffice as proof of impact.\n* Be respectful of our team.\n\nFailure to follow these rules will result in your reports being ineligible for bounty awards.\n\n# Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Eligibility to Participate\n\n* Must abide by Reddit’s User Agreement if testing with a Reddit account.\n* Must utilize HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne’s terms of service and privacy policy.\n* Reddit employees, contractors who are currently working with Reddit, or have worked with Reddit in the previous 6 months, or immediate family members of either are not eligible for bug bounties.\n\n# Report Quality\n\nReports are expected to be thorough and contain enough information that Reddit’s security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\n# Severity Determination\nReddit uses a simple scale to determine severity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. Vulnerabilities are primarily rated by their impact to the confidentiality of private user data and safety using the Reddit platform.\n\n## Critical\nCritical vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses or the ability to bypass authentication and gain access to targeted accounts. 
Examples of critical vulnerabilities include:\n* Remote command execution\n* SQL Injection\n* Authentication bypass resulting in access to a user's account and private data.\n* Access to production secrets such as access tokens that can be used to copy sensitive data.\n* Elevating Reddit application privileges to admin.\n\n## High\nHigh-rated vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits. Examples include:\n* Cross-site scripting (XSS)\n* Bypassing authorization to read or post to private subreddits.\n* CSRF or similar attacks provided they result in access to another user's account or data.\n* Bypassing two-factor authentication (2FA) in the Reddit application.\n* The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n* Performing limited admin actions without authorization.\n* Ability to identify real users who are using Anonymous Browsing Mode (ABM) in native apps\n\n## Medium\nMedium-risk vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access less-sensitive information. Examples include:\n* CSRF or similar attacks to make a user take an action they didn't intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n* Disclosing the titles of posts in private subreddits.\n* Removing a moderator from a subreddit where you are not a moderator with “access” permissions.\n* Unbanning a user that has been banned from a subreddit without appropriate permissions.\n* Open redirects\n\n## Low\nLow-risk vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn't, but with no serious security implications. 
Examples include:\n* Bypassing domain restrictions on posted content.\n* Forcing users to use or not use the redesign or other early-access features.\n* Disclosure of voting records for accounts without the public voting option enabled.\n* Password brute-forcing that circumvents rate limiting\n\n# Bounty Amounts\nThe upper limits on bounty for each bug class:\n\n| Critical | High | Medium | Low |\n|:--------:|:----:|:------:|:---:|\n|  $10,000  | $5,000  |  $500  | $100  |\n\nThese are guidelines and may be adjusted by Reddit at our own discretion. Note that mitigating factors such as rate limiting (if applicable), the limitations on what may be accessed and the sensitivity of the exposed data will be taken into account when determining bounties. Bounty payments will be made through the HackerOne platform.\n\n# Out-of-Scope\n\n## Reddit agnostic:\n* Attacks requiring physical access to, root privileges on, or MITM of a user's device.\n* Account Oracles - the ability to determine if an email address or username is in use.\n* Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n* Insecure cookie settings / flags on non-login cookies.\n* Missing HTTP security headers (CSP, HSTS, etc.).\n* Weak SSL/TLS/SSH algorithms or protocols.\n* Lack of certificate pinning (improper certificate validation still eligible)\n* CSRF with no security impact (unauthenticated/logout/login CSRF).\n* Best practices violations (password complexity, expiration, re-use, etc.).\n* Clickjacking on pages with no sensitive actions.\n* Component version disclosure without accompanying proof of vulnerability.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* 0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.\n* Disclosure of internal tracebacks (unless sensitive environment data is also leaked).\n* Comma Separated Values (CSV) injection.\n* Reflected file download.\n* 
Content spoofing and text injection issues without being able to modify HTML/CSS.\n* Re-usage of passwords from public dumps.\n* Homograph links.\n* Mobile app crashes.\n* Tabnabbing / window.origin not being cleared on new tabs or windows\n* Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future)\n* XSS from copying/pasting in code into DevConsole or the like\n\n## Reddit specific:\n* Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch. On Dubsmash, the Kinesis AWS key is out of scope as it's non-vulnerable. \n* Commenting on removed / deleted posts (explicitly allowed unless a post is locked)\n* https://*.reddit.com/etc/passwd\n* Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n* Redress of subreddits with subreddit styles.\n* Bypassing rate-limits or the non-existence of rate-limits that have no platform impact. \n    Example: https://vpn.snooguts.net/login\n* Exposure of internal domains on public domains\n* Reddit.com password length issue (Reddit uses bcrypt which is capped at 72 characters) https://hackerone.com/reports/1168804\n\n## Denial of service attacks:\n* Just don’t, we’re busy enough keeping the site up\n\n## In-scope domains (inclusive of all subdomains):\n* reddit.com\n* snooguts.net\n* redd.it\n* redditblog.com\n* redditmedia.com\n* redditstatic.com\n* reddituploads.com\n* redditinc.com\n* reddithelp.com (limited)\n* 1st party Android and iOS apps for Reddit\n\n## Out-of-scope domains\nAny SaaS or other service provider not explicitly called out. 
If you think it’s something owned by Reddit, you can send it along - we’ll decide if it’s out-of-scope.\n\n# Confidentiality\n\nAny information you receive or collect about Reddit, Reddit’s systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. Please note, not all requests for public disclosure can be approved.\n\n# Rights and Licenses\nWe may modify the Program Terms or cancel the Bug Bounty Program at any time.\n\nBy making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.\n\nBy making a Submission, you give us the right to use your Submission for any purpose.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-05-13T17:47:09.503Z"},{"id":3669784,"new_policy":"# Program Terms\n\nReddit’s responsible disclosure and bug bounty program is focused on protecting our users’ private data, accounts, and identities. 
The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.\n\nIn addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit’s communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\nThe scope for Reddit’s program includes most of our assets—if it’s not explicitly out-of-scope, and has meaningful security impact, it’s fair game. This includes all subdomains of reddit.com and snooguts.net. \n\n# Good Faith\nTo be eligible to participate in Reddit’s bug bounty program we ask that all researchers act in good faith, which means: \n\n* Don’t try to access other users’ accounts or data — respect their privacy.\n* Don’t publicly disclose a vulnerability without Reddit’s explicit consent. \n* Don’t discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n* Don’t leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don’t identify the possibility yourself.\n* Don’t upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.\n* Don’t leave systems in a more vulnerable state.\n* Don’t take any action that could impact the performance or availability of Reddit.\n* Don’t make copies of Reddit's private production data as “proof”. 
The report should suffice as proof of impact.\n* Be respectful of our team.\n\nFailure to follow these rules will result in your reports being ineligible for bounty awards.\n\n# Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Eligibility to Participate\n\n* Must abide by Reddit’s User Agreement if testing with a Reddit account.\n* Must utilize HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne’s terms of service and privacy policy.\n* Reddit employees, contractors who are currently working with Reddit, or have worked with Reddit in the previous 6 months, or immediate family members of either are not eligible for bug bounties.\n\n# Report Quality\n\nReports are expected to be thorough and contain enough information that Reddit’s security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\n# Severity Determination\nReddit uses a simple scale to determine severity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. 
Vulnerabilities are primarily rated by their impact to the confidentiality of private user data and safety using the Reddit platform.\n\n## Critical\nCritical vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses or the ability to bypass authentication and gain access to targeted accounts. Examples of critical vulnerabilities include:\n* Remote command execution\n* SQL Injection\n* Authentication bypass resulting in access to a user's account and private data.\n* Access to production secrets such as access tokens that can be used to copy sensitive data.\n* Elevating Reddit application privileges to admin.\n\n## High\nHigh-rated vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits. Examples include:\n* Cross-site scripting (XSS)\n* Bypassing authorization to read or post to private subreddits.\n* CSRF or similar attacks provided they result in access to another user's account or data.\n* Bypassing two-factor authentication (2FA) in the Reddit application.\n* The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n* Performing limited admin actions without authorization.\n* Ability to identify real users who are using Anonymous Browsing Mode (ABM) in native apps\n\n## Medium\nMedium-risk vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access less-sensitive information. 
Examples include:\n* CSRF or similar attacks to make a user take an action they didn't intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n* Disclosing the titles of posts in private subreddits.\n* Removing a moderator from a subreddit where you are not a moderator with “access” permissions.\n* Unbanning a user that has been banned from a subreddit without appropriate permissions.\n* Open redirects\n\n## Low\nLow-risk vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn't, but with no serious security implications. Examples include:\n* Bypassing domain restrictions on posted content.\n* Forcing users to use or not use the redesign or other early-access features.\n* Disclosure of voting records for accounts without the public voting option enabled.\n* Password brute-forcing that circumvents rate limiting\n\n# Bounty Amounts\nThe upper limits on bounty for each bug class:\n\n| Critical | High | Medium | Low |\n|:--------:|:----:|:------:|:---:|\n|  $10,000  | $5,000  |  $500  | $100  |\n\nThese are guidelines and may be adjusted by Reddit at our own discretion. Note that mitigating factors such as rate limiting (if applicable), the limitations on what may be accessed and the sensitivity of the exposed data will be taken into account when determining bounties. 
Bounty payments will be made through the HackerOne platform.\n\n# Out-of-Scope\n\n## Reddit agnostic:\n* Attacks requiring physical access to, root privileges on, or MITM of a user's device.\n* Account Oracles - the ability to determine if an email address or username is in use.\n* Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n* Insecure cookie settings / flags on non-login cookies.\n* Missing HTTP security headers (CSP, HSTS, etc.).\n* Weak SSL/TLS/SSH algorithms or protocols.\n* Lack of certificate pinning (improper certificate validation still eligible)\n* CSRF with no security impact (unauthenticated/logout/login CSRF).\n* Best practices violations (password complexity, expiration, re-use, etc.).\n* Clickjacking on pages with no sensitive actions.\n* Component version disclosure without accompanying proof of vulnerability.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* 0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.\n* Disclosure of internal tracebacks (unless sensitive environment data is also leaked).\n* Comma Separated Values (CSV) injection.\n* Reflected file download.\n* Content spoofing and text injection issues without being able to modify HTML/CSS.\n* Re-usage of passwords from public dumps.\n* Homograph links.\n* Mobile app crashes.\n* Tabnabbing / window.origin not being cleared on new tabs or windows\n* Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future)\n* XSS from copying/pasting in code into DevConsole or the like\n\n## Reddit specific:\n* Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch. On Dubsmash, the Kinesis AWS key is out of scope as it's non-vulnerable. 
\n* Commenting on removed / deleted posts (explicitly allowed unless a post is locked)\n* https://*.reddit.com/etc/passwd\n* Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n* Redress of subreddits with subreddit styles.\n* Bypassing rate-limits or the non-existence of rate-limits that have no platform impact.\n* Exposure of internal domains on public domains\n* Reddit.com password length issue (Reddit uses bcrypt which is capped at 72 characters) https://hackerone.com/reports/1168804\n\n## Denial of service attacks:\n* Just don’t, we’re busy enough keeping the site up\n\n## In-scope domains (inclusive of all subdomains):\n* reddit.com\n* snooguts.net\n* redd.it\n* redditblog.com\n* redditmedia.com\n* redditstatic.com\n* reddituploads.com\n* redditinc.com\n* reddithelp.com (limited)\n* 1st party Android and iOS apps for Reddit\n\n## Out-of-scope domains\nAny SaaS or other service provider not explicitly called out. If you think it’s something owned by Reddit, you can send it along - we’ll decide if it’s out-of-scope.\n\n# Confidentiality\n\nAny information you receive or collect about Reddit, Reddit’s systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. 
Please note, not all requests for public disclosure can be approved.\n\n# Rights and Licenses\nWe may modify the Program Terms or cancel the Bug Bounty Program at any time.\n\nBy making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.\n\nBy making a Submission, you give us the right to use your Submission for any purpose.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-04-18T18:03:21.517Z"},{"id":3668196,"new_policy":"#We are running a Promotion!\n \nPromotion Start Date: 03/09/2022 - 12:00 AM PST\nPromotion End Date: 03/24/2022 - 11:59 PM PST\n\nWe are excited to announce that the New Mod Notes feature is now available for testing.\n\nWe are offering bonuses in addition to the standard payouts for all valid reports on the New Mod Notes feature.\nMod Notes Feature announcement -- https://new.reddit.com/r/modnews/comments/t8vafc/announcing_mod_notes/\nAPI's  --  https://www.reddit.com/dev/api#DELETE_api_mod_notes\n \nCritical = $1000 Bonus\nHigh = $1000 Bonus\nMedium = $500 Bonus\nLow = $500 Bonus\n\nHappy hacking!\nReddit Inc.\n\n\n# Program Terms\n\nReddit’s responsible disclosure and bug bounty program is focused on protecting our users’ private data, accounts, and identities. 
The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.\n\nIn addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit’s communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\nThe scope for Reddit’s program includes most of our assets—if it’s not explicitly out-of-scope, and has meaningful security impact, it’s fair game. This includes all subdomains of reddit.com and snooguts.net. \n\n# Good Faith\nTo be eligible to participate in Reddit’s bug bounty program we ask that all researchers act in good faith, which means: \n\n* Don’t try to access other users’ accounts or data — respect their privacy.\n* Don’t publicly disclose a vulnerability without Reddit’s explicit consent. \n* Don’t discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n* Don’t leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don’t identify the possibility yourself.\n* Don’t upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.\n* Don’t leave systems in a more vulnerable state.\n* Don’t take any action that could impact the performance or availability of Reddit.\n* Don’t make copies of Reddit's private production data as “proof”. 
The report should suffice as proof of impact.\n* Be respectful of our team.\n\nFailure to follow these rules will result in your reports being ineligible for bounty awards.\n\n# Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Eligibility to Participate\n\n* Must abide by Reddit’s User Agreement if testing with a Reddit account.\n* Must utilize HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne’s terms of service and privacy policy.\n* Reddit employees, contractors who are currently working with Reddit, or have worked with Reddit in the previous 6 months, or immediate family members of either are not eligible for bug bounties.\n\n# Report Quality\n\nReports are expected to be thorough and contain enough information that Reddit’s security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\n# Severity Determination\nReddit uses a simple scale to determine severity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. 
Vulnerabilities are primarily rated by their impact to the confidentiality of private user data and safety using the Reddit platform.\n\n## Critical\nCritical vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses or the ability to bypass authentication and gain access to targeted accounts. Examples of critical vulnerabilities include:\n* Remote command execution\n* SQL Injection\n* Authentication bypass resulting in access to a user's account and private data.\n* Access to production secrets such as access tokens that can be used to copy sensitive data.\n* Elevating Reddit application privileges to admin.\n\n## High\nHigh-rated vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits. Examples include:\n* Cross-site scripting (XSS)\n* Bypassing authorization to read or post to private subreddits.\n* CSRF or similar attacks provided they result in access to another user's account or data.\n* Bypassing two-factor authentication (2FA) in the Reddit application.\n* The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n* Performing limited admin actions without authorization.\n* Ability to identify real users who are using Anonymous Browsing Mode (ABM) in native apps\n\n## Medium\nMedium-risk vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access less-sensitive information. 
Examples include:\n* CSRF or similar attacks to make a user take an action they didn't intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n* Disclosing the titles of posts in private subreddits.\n* Removing a moderator from a subreddit where you are not a moderator with “access” permissions.\n* Unbanning a user that has been banned from a subreddit without appropriate permissions.\n* Open redirects\n\n## Low\nLow-risk vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn't, but with no serious security implications. Examples include:\n* Bypassing domain restrictions on posted content.\n* Forcing users to use or not use the redesign or other early-access features.\n* Disclosure of voting records for accounts without the public voting option enabled.\n* Password brute-forcing that circumvents rate limiting\n\n# Bounty Amounts\nThe upper limits on bounty for each bug class:\n\n| Critical | High | Medium | Low |\n|:--------:|:----:|:------:|:---:|\n|  $10,000  | $5,000  |  $500  | $100  |\n\nThese are guidelines and may be adjusted by Reddit at our own discretion. Note that mitigating factors such as rate limiting (if applicable), the limitations on what may be accessed and the sensitivity of the exposed data will be taken into account when determining bounties. 
Bounty payments will be made through the HackerOne platform.\n\n# Out-of-Scope\n\n## Reddit agnostic:\n* Attacks requiring physical access to, root privileges on, or MITM of a user's device.\n* Account Oracles - the ability to determine if an email address or username is in use.\n* Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n* Insecure cookie settings / flags on non-login cookies.\n* Missing HTTP security headers (CSP, HSTS, etc.).\n* Weak SSL/TLS/SSH algorithms or protocols.\n* Lack of certificate pinning (improper certificate validation still eligible)\n* CSRF with no security impact (unauthenticated/logout/login CSRF).\n* Best practices violations (password complexity, expiration, re-use, etc.).\n* Clickjacking on pages with no sensitive actions.\n* Component version disclosure without accompanying proof of vulnerability.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* 0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.\n* Disclosure of internal tracebacks (unless sensitive environment data is also leaked).\n* Comma Separated Values (CSV) injection.\n* Reflected file download.\n* Content spoofing and text injection issues without being able to modify HTML/CSS.\n* Re-usage of passwords from public dumps.\n* Homograph links.\n* Mobile app crashes.\n* Tabnabbing / window.origin not being cleared on new tabs or windows\n* Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future)\n* XSS from copying/pasting in code into DevConsole or the like\n\n## Reddit specific:\n* Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch. On Dubsmash, the Kinesis AWS key is out of scope as it's non-vulnerable. 
\n* Commenting on removed / deleted posts (explicitly allowed unless a post is locked)\n* https://*.reddit.com/etc/passwd\n* Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n* Redress of subreddits with subreddit styles.\n* Bypassing rate-limits or the non-existence of rate-limits that have no platform impact.\n* Exposure of internal domains on public domains\n* Reddit.com password length issue (Reddit uses bcrypt which is capped at 72 characters) https://hackerone.com/reports/1168804\n\n## Denial of service attacks:\n* Just don’t, we’re busy enough keeping the site up\n\n## In-scope domains (inclusive of all subdomains):\n* reddit.com\n* snooguts.net\n* redd.it\n* redditblog.com\n* redditmedia.com\n* redditstatic.com\n* reddituploads.com\n* redditinc.com\n* reddithelp.com (limited)\n* 1st party Android and iOS apps for Reddit\n\n## Out-of-scope domains\nAny SaaS or other service provider not explicitly called out. If you think it’s something owned by Reddit, you can send it along - we’ll decide if it’s out-of-scope.\n\n# Confidentiality\n\nAny information you receive or collect about Reddit, Reddit’s systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. 
Please note, not all requests for public disclosure can be approved.\n\n# Rights and Licenses\nWe may modify the Program Terms or cancel the Bug Bounty Program at any time.\n\nBy making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.\n\nBy making a Submission, you give us the right to use your Submission for any purpose.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-03-17T21:42:54.887Z"},{"id":3667863,"new_policy":"#We are running a Promotion!\n \nPromotion Start Date: 03/09/2022 - 12:00 AM PST\nPromotion End Date: 03/24/2022 - 11:59 PM PST\n\nWe are excited to announce that the New Mod Notes feature is now available for testing.\n\nWe are offering bonuses in addition to the standard payouts for all valid reports on the New Mod Notes feature.\nMod Notes Feature announcement -- https://new.reddit.com/r/modnews/comments/t8vafc/announcing_mod_notes/\nAPI's  --  https://www.reddit.com/dev/api#DELETE_api_mod_notes\n \nCritical = $1000 Bonus\nHigh = $1000 Bonus\nMedium = $500 Bonus\nLow = $500 Bonus\n\nHappy hacking!\nReddit Inc.\n\n\n# Program Terms\n\nReddit’s responsible disclosure and bug bounty program is focused on protecting our users’ private data, accounts, and identities. 
The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.\n\nIn addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit’s communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\nThe scope for Reddit’s program includes most of our assets—if it’s not explicitly out-of-scope, and has meaningful security impact, it’s fair game. This includes all subdomains of reddit.com and snooguts.net. \n\n# Good Faith\nTo be eligible to participate in Reddit’s bug bounty program we ask that all researchers act in good faith, which means: \n\n* Don’t try to access other users’ accounts or data — respect their privacy.\n* Don’t publicly disclose a vulnerability without Reddit’s explicit consent. \n* Don’t discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n* Don’t leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don’t identify the possibility yourself.\n* Don’t upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.\n* Don’t leave systems in a more vulnerable state.\n* Don’t take any action that could impact the performance or availability of Reddit.\n* Don’t make copies of Reddit's private production data as “proof”. 
The report should suffice as proof of impact.\n* Be respectful of our team.\n\nFailure to follow these rules will result in your reports being ineligible for bounty awards.\n\n# Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Eligibility to Participate\n\n* Must abide by Reddit’s User Agreement if testing with a Reddit account.\n* Must utilize HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne’s terms of service and privacy policy.\n* Reddit employees, contractors who are currently working with Reddit, or have worked with Reddit in the previous 6 months, or immediate family members of either are not eligible for bug bounties.\n\n# Report Quality\n\nReports are expected to be thorough and contain enough information that Reddit’s security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\n# Severity Determination\nReddit uses a simple scale to determine severity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. 
Vulnerabilities are primarily rated by their impact to the confidentiality of private user data and safety using the Reddit platform.\n\n## Critical\nCritical vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses or the ability to bypass authentication and gain access to targeted accounts. Examples of critical vulnerabilities include:\n* Remote command execution\n* SQL Injection\n* Authentication bypass resulting in access to a user's account and private data.\n* Access to production secrets such as access tokens that can be used to copy sensitive data.\n* Elevating Reddit application privileges to admin.\n\n## High\nHigh-rated vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits. Examples include:\n* Cross-site scripting (XSS)\n* Bypassing authorization to read or post to private subreddits.\n* CSRF or similar attacks provided they result in access to another user's account or data.\n* Bypassing two-factor authentication (2FA) in the Reddit application.\n* The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n* Performing limited admin actions without authorization.\n* Ability to identify real users when switching into and using Anonymous Browsing Mode (ABM) in native apps\n\n## Medium\nMedium-risk vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access less-sensitive information. 
Examples include:\n* CSRF or similar attacks to make a user take an action they didn't intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n* Disclosing the titles of posts in private subreddits.\n* Removing a moderator from a subreddit where you are not a moderator with “access” permissions.\n* Unbanning a user that has been banned from a subreddit without appropriate permissions.\n* Open redirects\n\n## Low\nLow-risk vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn't, but with no serious security implications. Examples include:\n* Bypassing domain restrictions on posted content.\n* Forcing users to use or not use the redesign or other early-access features.\n* Disclosure of voting records for accounts without the public voting option enabled.\n* Password brute-forcing that circumvents rate limiting\n\n# Bounty Amounts\nThe upper limits on bounty for each bug class:\n\n| Critical | High | Medium | Low |\n|:--------:|:----:|:------:|:---:|\n|  $10,000  | $5,000  |  $500  | $100  |\n\nThese are guidelines and may be adjusted by Reddit at our own discretion. Note that mitigating factors such as rate limiting (if applicable), the limitations on what may be accessed and the sensitivity of the exposed data will be taken into account when determining bounties. 
Bounty payments will be made through the HackerOne platform.\n\n# Out-of-Scope\n\n## Reddit agnostic:\n* Attacks requiring physical access to, root privileges on, or MITM of a user's device.\n* Account Oracles - the ability to determine if an email address or username is in use.\n* Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n* Insecure cookie settings / flags on non-login cookies.\n* Missing HTTP security headers (CSP, HSTS, etc.).\n* Weak SSL/TLS/SSH algorithms or protocols.\n* Lack of certificate pinning (improper certificate validation still eligible)\n* CSRF with no security impact (unauthenticated/logout/login CSRF).\n* Best practices violations (password complexity, expiration, re-use, etc.).\n* Clickjacking on pages with no sensitive actions.\n* Component version disclosure without accompanying proof of vulnerability.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* 0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.\n* Disclosure of internal tracebacks (unless sensitive environment data is also leaked).\n* Comma Separated Values (CSV) injection.\n* Reflected file download.\n* Content spoofing and text injection issues without being able to modify HTML/CSS.\n* Re-usage of passwords from public dumps.\n* Homograph links.\n* Mobile app crashes.\n* Tabnabbing / window.origin not being cleared on new tabs or windows\n* Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future)\n* XSS from copying/pasting in code into DevConsole or the like\n\n## Reddit specific:\n* Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch. On Dubsmash, the Kinesis AWS key is out of scope as it's non-vulnerable. 
\n* Commenting on removed / deleted posts (explicitly allowed unless a post is locked)\n* https://*.reddit.com/etc/passwd\n* Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n* Redress of subreddits with subreddit styles.\n* Bypassing rate-limits or the non-existence of rate-limits that have no platform impact.\n* Exposure of internal domains on public domains\n* Reddit.com password length issue (Reddit uses bcrypt which is capped at 72 characters) https://hackerone.com/reports/1168804\n\n## Denial of service attacks:\n* Just don’t, we’re busy enough keeping the site up\n\n## In-scope domains (inclusive of all subdomains):\n* reddit.com\n* snooguts.net\n* redd.it\n* redditblog.com\n* redditmedia.com\n* redditstatic.com\n* reddituploads.com\n* redditinc.com\n* reddithelp.com (limited)\n* 1st party Android and iOS apps for Reddit\n\n## Out-of-scope domains\nAny SaaS or other service provider not explicitly called out. If you think it’s something owned by Reddit, you can send it along - we’ll decide if it’s out-of-scope.\n\n# Confidentiality\n\nAny information you receive or collect about Reddit, Reddit’s systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. 
Please note, not all requests for public disclosure can be approved.\n\n# Rights and Licenses\nWe may modify the Program Terms or cancel the Bug Bounty Program at any time.\n\nBy making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.\n\nBy making a Submission, you give us the right to use your Submission for any purpose.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-03-09T19:50:23.086Z"},{"id":3666380,"new_policy":"# Program Terms\n\nReddit’s responsible disclosure and bug bounty program is focused on protecting our users’ private data, accounts, and identities. The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.\n\nIn addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit’s communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\nThe scope for Reddit’s program includes most of our assets—if it’s not explicitly out-of-scope, and has meaningful security impact, it’s fair game. This includes all subdomains of reddit.com and snooguts.net. 
\n\n# Good Faith\nTo be eligible to participate in Reddit’s bug bounty program we ask that all researchers act in good faith, which means: \n\n* Don’t try to access other users’ accounts or data — respect their privacy.\n* Don’t publicly disclose a vulnerability without Reddit’s explicit consent. \n* Don’t discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n* Don’t leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don’t identify the possibility yourself.\n* Don’t upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.\n* Don’t leave systems in a more vulnerable state.\n* Don’t take any action that could impact the performance or availability of Reddit.\n* Don’t make copies of Reddit's private production data as “proof”. The report should suffice as proof of impact.\n* Be respectful of our team.\n\nFailure to follow these rules will result in your reports being ineligible for bounty awards.\n\n# Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Eligibility to Participate\n\n* Must abide by Reddit’s User Agreement if testing with a Reddit account.\n* Must utilize HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne’s terms of service and privacy policy.\n* Reddit employees, contractors who are currently working with Reddit, or have worked with Reddit in the previous 6 months, or immediate family members of either are not eligible for bug bounties.\n\n# Report Quality\n\nReports are expected to be thorough and contain enough information that Reddit’s security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\n# Severity Determination\nReddit uses a simple scale to determine severity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. Vulnerabilities are primarily rated by their impact to the confidentiality of private user data and safety using the Reddit platform.\n\n## Critical\nCritical vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses or the ability to bypass authentication and gain access to targeted accounts. 
Examples of critical vulnerabilities include:\n* Remote command execution\n* SQL Injection\n* Authentication bypass resulting in access to a user's account and private data.\n* Access to production secrets such as access tokens that can be used to copy sensitive data.\n* Elevating Reddit application privileges to admin.\n\n## High\nHigh-rated vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits. Examples include:\n* Cross-site scripting (XSS)\n* Bypassing authorization to read or post to private subreddits.\n* CSRF or similar attacks provided they result in access to another user's account or data.\n* Bypassing two-factor authentication (2FA) in the Reddit application.\n* The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n* Performing limited admin actions without authorization.\n* Ability to identify real users when switching into and using Anonymous Browsing Mode (ABM) in native apps\n\n## Medium\nMedium-risk vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access less-sensitive information. Examples include:\n* CSRF or similar attacks to make a user take an action they didn't intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n* Disclosing the titles of posts in private subreddits.\n* Removing a moderator from a subreddit where you are not a moderator with “access” permissions.\n* Unbanning a user that has been banned from a subreddit without appropriate permissions.\n* Open redirects\n\n## Low\nLow-risk vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn't, but with no serious security implications. 
Examples include:\n* Bypassing domain restrictions on posted content.\n* Forcing users to use or not use the redesign or other early-access features.\n* Disclosure of voting records for accounts without the public voting option enabled.\n* Password brute-forcing that circumvents rate limiting\n\n# Bounty Amounts\nThe upper limits on bounty for each bug class:\n\n| Critical | High | Medium | Low |\n|:--------:|:----:|:------:|:---:|\n|  $10,000  | $5,000  |  $500  | $100  |\n\nThese are guidelines and may be adjusted by Reddit at our own discretion. Note that mitigating factors such as rate limiting (if applicable), the limitations on what may be accessed and the sensitivity of the exposed data will be taken into account when determining bounties. Bounty payments will be made through the HackerOne platform.\n\n# Out-of-Scope\n\n## Reddit agnostic:\n* Attacks requiring physical access to, root privileges on, or MITM of a user's device.\n* Account Oracles - the ability to determine if an email address or username is in use.\n* Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n* Insecure cookie settings / flags on non-login cookies.\n* Missing HTTP security headers (CSP, HSTS, etc.).\n* Weak SSL/TLS/SSH algorithms or protocols.\n* Lack of certificate pinning (improper certificate validation still eligible)\n* CSRF with no security impact (unauthenticated/logout/login CSRF).\n* Best practices violations (password complexity, expiration, re-use, etc.).\n* Clickjacking on pages with no sensitive actions.\n* Component version disclosure without accompanying proof of vulnerability.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* 0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.\n* Disclosure of internal tracebacks (unless sensitive environment data is also leaked).\n* Comma Separated Values (CSV) injection.\n* Reflected file download.\n* 
Content spoofing and text injection issues without being able to modify HTML/CSS.\n* Re-usage of passwords from public dumps.\n* Homograph links.\n* Mobile app crashes.\n* Tabnabbing / window.origin not being cleared on new tabs or windows\n* Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future)\n* XSS from copying/pasting in code into DevConsole or the like\n\n## Reddit specific:\n* Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch. On Dubsmash, the Kinesis AWS key is out of scope as it's non-vulnerable. \n* Commenting on removed / deleted posts (explicitly allowed unless a post is locked)\n* https://*.reddit.com/etc/passwd\n* Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n* Redress of subreddits with subreddit styles.\n* Bypassing rate-limits or the non-existence of rate-limits that have no platform impact.\n* Exposure of internal domains on public domains\n* Reddit.com password length issue (Reddit uses bcrypt which is capped at 72 characters) https://hackerone.com/reports/1168804\n\n## Denial of service attacks:\n* Just don’t, we’re busy enough keeping the site up\n\n## In-scope domains (inclusive of all subdomains):\n* reddit.com\n* snooguts.net\n* redd.it\n* redditblog.com\n* redditmedia.com\n* redditstatic.com\n* reddituploads.com\n* redditinc.com\n* reddithelp.com (limited)\n* 1st party Android and iOS apps for Reddit\n\n## Out-of-scope domains\nAny SaaS or other service provider not explicitly called out. If you think it’s something owned by Reddit, you can send it along - we’ll decide if it’s out-of-scope.\n\n# Confidentiality\n\nAny information you receive or collect about Reddit, Reddit’s systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. 
You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. Please note, not all requests for public disclosure can be approved.\n\n# Rights and Licenses\nWe may modify the Program Terms or cancel the Bug Bounty Program at any time.\n\nBy making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.\n\nBy making a Submission, you give us the right to use your Submission for any purpose.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-11T15:08:12.342Z"},{"id":3666199,"new_policy":"# Program Terms\n\nReddit’s responsible disclosure and bug bounty program is focused on protecting our users’ private data, accounts, and identities. The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.\n\nIn addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit’s communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\nThe scope for Reddit’s program includes most of our assets—if it’s not explicitly out-of-scope, and has meaningful security impact, it’s fair game. This includes all subdomains of reddit.com and snooguts.net. 
\n\n# Good Faith\nTo be eligible to participate in Reddit’s bug bounty program we ask that all researchers act in good faith, which means: \n\n* Don’t try to access other users’ accounts or data — respect their privacy.\n* Don’t publicly disclose a vulnerability without Reddit’s explicit consent. \n* Don’t discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n* Don’t leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don’t identify the possibility yourself.\n* Don’t upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.\n* Don’t leave systems in a more vulnerable state.\n* Don’t take any action that could impact the performance or availability of Reddit.\n* Don’t make copies of Reddit's private production data as “proof”. The report should suffice as proof of impact.\n* Be respectful of our team.\n\nFailure to follow these rules will result in your reports being ineligible for bounty awards.\n\n# Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Eligibility to Participate\n\n* Must abide by Reddit’s User Agreement if testing with a Reddit account.\n* Must utilize HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne’s terms of service and privacy policy.\n* Reddit employees, contractors who are currently working with Reddit, or have worked with Reddit in the previous 6 months, or immediate family members of either are not eligible for bug bounties.\n\n# Report Quality\n\nReports are expected to be thorough and contain enough information that Reddit’s security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\n# Severity Determination\nReddit uses a simple scale to determine severity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. Vulnerabilities are primarily rated by their impact to the confidentiality of private user data and safety using the Reddit platform.\n\n## Critical\nCritical vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses or the ability to bypass authentication and gain access to targeted accounts. 
Examples of critical vulnerabilities include:\n* Remote command execution\n* SQL Injection\n* Authentication bypass resulting in access to a user's account and private data.\n* Access to production secrets such as access tokens that can be used to copy sensitive data.\n* Elevating Reddit application privileges to admin.\n\n## High\nHigh-rated vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits. Examples include:\n* Cross-site scripting (XSS)\n* Bypassing authorization to read or post to private subreddits.\n* CSRF or similar attacks provided they result in access to another user's account or data.\n* Bypassing two-factor authentication (2FA) in the Reddit application.\n* The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n* Performing limited admin actions without authorization.\n* Ability to identify real users when switching into and using Anonymous Browsing Mode (ABM) in native apps\n\n## Medium\nMedium-risk vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access less-sensitive information. Examples include:\n* CSRF or similar attacks to make a user take an action they didn't intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n* Disclosing the titles of posts in private subreddits.\n* Removing a moderator from a subreddit where you are not a moderator with “access” permissions.\n* Unbanning a user that has been banned from a subreddit without appropriate permissions.\n* Open redirects\n\n## Low\nLow-risk vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn't, but with no serious security implications. 
Examples include:\n* Bypassing domain restrictions on posted content.\n* Forcing users to use or not use the redesign or other early-access features.\n* Disclosure of voting records for accounts without the public voting option enabled.\n* Password brute-forcing that circumvents rate limiting\n\n# Bounty Amounts\nThe upper limits on bounty for each bug class:\n\n| Critical | High | Medium | Low |\n|:--------:|:----:|:------:|:---:|\n|  $10,000  | $5,000  |  $500  | $100  |\n\nThese are guidelines and may be adjusted by Reddit at our own discretion. Note that mitigating factors such as rate limiting (if applicable), the limitations on what may be accessed and the sensitivity of the exposed data will be taken into account when determining bounties. Bounty payments will be made through the HackerOne platform.\n\n# Out-of-Scope\n\n## Reddit agnostic:\n* Attacks requiring physical access to, root privileges on, or MITM of a user's device.\n* Account Oracles - the ability to determine if an email address or username is in use.\n* Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n* Insecure cookie settings / flags on non-login cookies.\n* Missing HTTP security headers (CSP, HSTS, etc.).\n* Weak SSL/TLS/SSH algorithms or protocols.\n* Lack of certificate pinning (improper certificate validation still eligible)\n* CSRF with no security impact (unauthenticated/logout/login CSRF).\n* Best practices violations (password complexity, expiration, re-use, etc.).\n* Clickjacking on pages with no sensitive actions.\n* Component version disclosure without accompanying proof of vulnerability.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* 0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.\n* Disclosure of internal tracebacks (unless sensitive environment data is also leaked).\n* Comma Separated Values (CSV) injection.\n* Reflected file download.\n* 
Content spoofing and text injection issues without being able to modify HTML/CSS.\n* Re-usage of passwords from public dumps.\n* Homograph links.\n* Mobile app crashes.\n* Tabnabbing / window.origin not being cleared on new tabs or windows\n* Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future)\n* XSS from copying/pasting in code into DevConsole or the like\n\n## Reddit specific:\n* Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch. On Dubsmash, the Kinesis AWS key is out of scope as it's non-vulnerable. \n* Commenting on removed / deleted posts (explicitly allowed unless a post is locked)\n* https://*.reddit.com/etc/passwd\n* Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n* Redress of subreddits with subreddit styles.\n* Bypassing rate-limits or the non-existence of rate-limits that have no platform impact.\n* Exposure of internal domains on public domains\n* Reddit.com password length issue (Reddit uses bcrypt which is capped at 72 characters) https://hackerone.com/reports/1168804\n\n## Denial of service attacks:\n* Just don’t, we’re busy enough keeping the site up\n\n## In-scope domains (inclusive of all subdomains):\n* reddit.com\n* snooguts.net\n* redd.it\n* redditblog.com\n* redditmedia.com\n* redditstatic.com\n* redditgifts.com\n* reddituploads.com\n* redditinc.com\n* reddithelp.com (limited)\n* 1st party Android and iOS apps for Reddit\n\n## Out-of-scope domains\nAny SaaS or other service provider not explicitly called out. 
If you think it’s something owned by Reddit, you can send it along - we’ll decide if it’s out-of-scope.\n\n# Confidentiality\n\nAny information you receive or collect about Reddit, Reddit’s systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. Please note, not all requests for public disclosure can be approved.\n\n# Rights and Licenses\nWe may modify the Program Terms or cancel the Bug Bounty Program at any time.\n\nBy making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.\n\nBy making a Submission, you give us the right to use your Submission for any purpose.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-07T16:37:47.156Z"},{"id":3665178,"new_policy":"# Program Terms\n\nReddit’s responsible disclosure and bug bounty program is focused on protecting our users’ private data, accounts, and identities. 
The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.\n\nIn addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit’s communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\nThe scope for Reddit’s program includes most of our assets—if it’s not explicitly out-of-scope, and has meaningful security impact, it’s fair game. This includes all subdomains of reddit.com and snooguts.net. \n\n# Good Faith\nTo be eligible to participate in Reddit’s bug bounty program we ask that all researchers act in good faith, which means: \n\n* Don’t try to access other users’ accounts or data — respect their privacy.\n* Don’t publicly disclose a vulnerability without Reddit’s explicit consent. \n* Don’t discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n* Don’t leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don’t identify the possibility yourself.\n* Don’t upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.\n* Don’t leave systems in a more vulnerable state.\n* Don’t take any action that could impact the performance or availability of Reddit.\n* Don’t make copies of Reddit's private production data as “proof”. 
The report should suffice as proof of impact.\n* Be respectful of our team.\n\nFailure to follow these rules will result in your reports being ineligible for bounty awards.\n\n# Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Eligibility to Participate\n\n* Must abide by Reddit’s User Agreement if testing with a Reddit account.\n* Must utilize HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne’s terms of service and privacy policy.\n* Reddit employees, contractors who are currently working with Reddit, or have worked with Reddit in the previous 6 months, or immediate family members of either are not eligible for bug bounties.\n\n# Report Quality\n\nReports are expected to be thorough and contain enough information that Reddit’s security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\n# Severity Determination\nReddit uses a simple scale to determine severity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. 
Vulnerabilities are primarily rated by their impact to the confidentiality of private user data and safety using the Reddit platform.\n\n## Critical\nCritical vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses or the ability to bypass authentication and gain access to targeted accounts. Examples of critical vulnerabilities include:\n* Remote command execution\n* SQL Injection\n* Authentication bypass resulting in access to a user's account and private data.\n* Access to production secrets such as access tokens that can be used to copy sensitive data.\n* Elevating Reddit application privileges to admin.\n\n## High\nHigh-rated vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits. Examples include:\n* Cross-site scripting (XSS)\n* Bypassing authorization to read or post to private subreddits.\n* CSRF or similar attacks provided they result in access to another user's account or data.\n* Bypassing two-factor authentication (2FA) in the Reddit application.\n* The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n* Performing limited admin actions without authorization.\n* Ability to identify real users when switching into and using Anonymous Browsing Mode (ABM) in native apps\n\n## Medium\nMedium-risk vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access less-sensitive information. 
Examples include:\n* CSRF or similar attacks to make a user take an action they didn't intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n* Disclosing the titles of posts in private subreddits.\n* Removing a moderator from a subreddit where you are not a moderator with “access” permissions.\n* Unbanning a user that has been banned from a subreddit without appropriate permissions.\n* Open redirects\n\n## Low\nLow-risk vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn't, but with no serious security implications. Examples include:\n* Bypassing domain restrictions on posted content.\n* Forcing users to use or not use the redesign or other early-access features.\n* Disclosure of voting records for accounts without the public voting option enabled.\n* Password brute-forcing that circumvents rate limiting\n\n# Bounty Amounts\nThe upper limits on bounty for each bug class:\n\n| Critical | High | Medium | Low |\n|:--------:|:----:|:------:|:---:|\n|  $10,000  | $5,000  |  $500  | $100  |\n\nThese are guidelines and may be adjusted by Reddit at our own discretion. Note that mitigating factors such as rate limiting (if applicable), the limitations on what may be accessed and the sensitivity of the exposed data will be taken into account when determining bounties. 
Bounty payments will be made through the HackerOne platform.\n\n# Out-of-Scope\n\n## Reddit agnostic:\n* Attacks requiring physical access to, root privileges on, or MITM of a user's device.\n* Account Oracles - the ability to determine if an email address or username is in use.\n* Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n* Insecure cookie settings / flags on non-login cookies.\n* Missing HTTP security headers (CSP, HSTS, etc.).\n* Weak SSL/TLS/SSH algorithms or protocols.\n* Lack of certificate pinning (improper certificate validation still eligible)\n* CSRF with no security impact (unauthenticated/logout/login CSRF).\n* Best practices violations (password complexity, expiration, re-use, etc.).\n* Clickjacking on pages with no sensitive actions.\n* Component version disclosure without accompanying proof of vulnerability.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* 0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.\n* Disclosure of internal tracebacks (unless sensitive environment data is also leaked).\n* Comma Separated Values (CSV) injection.\n* Reflected file download.\n* Content spoofing and text injection issues without being able to modify HTML/CSS.\n* Re-usage of passwords from public dumps.\n* Homograph links.\n* Mobile app crashes.\n* Tabnabbing / window.origin not being cleared on new tabs or windows\n* Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future)\n* XSS from copying/pasting in code into DevConsole or the like\n\n## Reddit specific:\n* Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch. On Dubsmash, the Kinesis AWS key is out of scope as it's non-vulnerable. 
\n* Commenting on removed / deleted posts (explicitly allowed unless a post is locked)\n* https://*.reddit.com/etc/passwd\n* Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n* Redress of subreddits with subreddit styles.\n* Bypassing rate-limits or the non-existence of rate-limits that have no platform impact.\n* Exposure of internal domains on public domains\n* Reddit.com password length issue (Reddit uses bcrypt which is capped at 72 characters) https://hackerone.com/reports/1172933\n\n## Denial of service attacks:\n* Just don’t, we’re busy enough keeping the site up\n\n## In-scope domains (inclusive of all subdomains):\n* reddit.com\n* snooguts.net\n* redd.it\n* redditblog.com\n* redditmedia.com\n* redditstatic.com\n* redditgifts.com\n* reddituploads.com\n* redditinc.com\n* reddithelp.com (limited)\n* 1st party Android and iOS apps for Reddit\n\n## Out-of-scope domains\nAny SaaS or other service provider not explicitly called out. If you think it’s something owned by Reddit, you can send it along - we’ll decide if it’s out-of-scope.\n\n# Confidentiality\n\nAny information you receive or collect about Reddit, Reddit’s systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. 
Please note, not all requests for public disclosure can be approved.\n\n# Rights and Licenses\nWe may modify the Program Terms or cancel the Bug Bounty Program at any time.\n\nBy making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.\n\nBy making a Submission, you give us the right to use your Submission for any purpose.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-01-26T18:11:45.950Z"},{"id":3663532,"new_policy":"# Program Terms\n\nReddit’s responsible disclosure and bug bounty program is focused on protecting our users’ private data, accounts, and identities. The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.\n\nIn addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit’s communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\nThe scope for Reddit’s program includes most of our assets—if it’s not explicitly out-of-scope, and has meaningful security impact, it’s fair game. This includes all subdomains of reddit.com and snooguts.net. 
\n\n# Good Faith\nTo be eligible to participate in Reddit’s bug bounty program we ask that all researchers act in good faith, which means: \n\n* Don’t try to access other users’ accounts or data — respect their privacy.\n* Don’t publicly disclose a vulnerability without Reddit’s explicit consent. \n* Don’t discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n* Don’t leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don’t identify the possibility yourself.\n* Don’t upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.\n* Don’t leave systems in a more vulnerable state.\n* Don’t take any action that could impact the performance or availability of Reddit.\n* Don’t make copies of Reddit's private production data as “proof”. The report should suffice as proof of impact.\n* Be respectful of our team.\n\nFailure to follow these rules will result in your reports being ineligible for bounty awards.\n\n# Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Eligibility to Participate\n\n* Must abide by Reddit’s User Agreement if testing with a Reddit account.\n* Must utilize HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne’s terms of service and privacy policy.\n* Reddit employees, contractors who are currently working with Reddit, or have worked with Reddit in the previous 6 months, or immediate family members of either are not eligible for bug bounties.\n\n# Report Quality\n\nReports are expected to be thorough and contain enough information that Reddit’s security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\n# Severity Determination\nReddit uses a simple scale to determine severity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. Vulnerabilities are primarily rated by their impact to the confidentiality of private user data and safety using the Reddit platform.\n\n## Critical\nCritical vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses or the ability to bypass authentication and gain access to targeted accounts. 
Examples of critical vulnerabilities include:\n* Remote command execution\n* SQL Injection\n* Authentication bypass resulting in access to a user's account and private data.\n* Access to production secrets such as access tokens that can be used to copy sensitive data.\n* Elevating Reddit application privileges to admin.\n\n## High\nHigh-rated vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits. Examples include:\n* Cross-site scripting (XSS)\n* Bypassing authorization to read or post to private subreddits.\n* CSRF or similar attacks provided they result in access to another user's account or data.\n* Bypassing two-factor authentication (2FA) in the Reddit application.\n* The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n* Performing limited admin actions without authorization.\n* Ability to identify real users when switching into and using Anonymous Browsing Mode (ABM) in native apps\n\n## Medium\nMedium-risk vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access less-sensitive information. Examples include:\n* CSRF or similar attacks to make a user take an action they didn't intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n* Disclosing the titles of posts in private subreddits.\n* Removing a moderator from a subreddit where you are not a moderator with “access” permissions.\n* Unbanning a user that has been banned from a subreddit without appropriate permissions.\n* Open redirects\n\n## Low\nLow-risk vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn't, but with no serious security implications. 
Examples include:\n* Bypassing domain restrictions on posted content.\n* Forcing users to use or not use the redesign or other early-access features.\n* Disclosure of voting records for accounts without the public voting option enabled.\n* Password brute-forcing that circumvents rate limiting\n\n# Bounty Amounts\nThe upper limits on bounty for each bug class:\n\n| Critical | High | Medium | Low |\n|:--------:|:----:|:------:|:---:|\n|  $10,000  | $5,000  |  $500  | $100  |\n\nThese are guidelines and may be adjusted by Reddit at our own discretion. Note that mitigating factors such as rate limiting (if applicable), the limitations on what may be accessed and the sensitivity of the exposed data will be taken into account when determining bounties. Bounty payments will be made through the HackerOne platform.\n\n# Out-of-Scope\n\n## Reddit agnostic:\n* Attacks requiring physical access to, root privileges on, or MITM of a user's device.\n* Account Oracles - the ability to determine if an email address or username is in use.\n* Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n* Insecure cookie settings / flags on non-login cookies.\n* Missing HTTP security headers (CSP, HSTS, etc.).\n* Weak SSL/TLS/SSH algorithms or protocols.\n* Lack of certificate pinning (improper certificate validation still eligible)\n* CSRF with no security impact (unauthenticated/logout/login CSRF).\n* Best practices violations (password complexity, expiration, re-use, etc.).\n* Clickjacking on pages with no sensitive actions.\n* Component version disclosure without accompanying proof of vulnerability.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* 0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.\n* Disclosure of internal tracebacks (unless sensitive environment data is also leaked).\n* Comma Separated Values (CSV) injection.\n* Reflected file download.\n* 
Content spoofing and text injection issues without being able to modify HTML/CSS.\n* Re-usage of passwords from public dumps.\n* Homograph links.\n* Mobile app crashes.\n* Tabnabbing / window.origin not being cleared on new tabs or windows\n* Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future)\n* XSS from copying/pasting in code into DevConsole or the like\n\n## Reddit specific:\n* Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch. On Dubsmash, the Kinesis AWS key is out of scope as it's non-vulnerable. \n* Commenting on removed / deleted posts (explicitly allowed unless a post is locked)\n* https://*.reddit.com/etc/passwd\n* Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n* Redress of subreddits with subreddit styles.\n* Bypassing rate-limits or the non-existence of rate-limits that have no platform impact.\n* Exposure of internal domains on public domains\n\n## Denial of service attacks:\n* Just don’t, we’re busy enough keeping the site up\n\n## In-scope domains (inclusive of all subdomains):\n* reddit.com\n* snooguts.net\n* redd.it\n* redditblog.com\n* redditmedia.com\n* redditstatic.com\n* redditgifts.com\n* reddituploads.com\n* redditinc.com\n* reddithelp.com (limited)\n* 1st party Android and iOS apps for Reddit\n\n## Out-of-scope domains\nAny SaaS or other service provider not explicitly called out. If you think it’s something owned by Reddit, you can send it along - we’ll decide if it’s out-of-scope.\n\n# Confidentiality\n\nAny information you receive or collect about Reddit, Reddit’s systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. 
You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. Please note, not all requests for public disclosure can be approved.\n\n# Rights and Licenses\nWe may modify the Program Terms or cancel the Bug Bounty Program at any time.\n\nBy making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.\n\nBy making a Submission, you give us the right to use your Submission for any purpose.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-30T14:54:06.049Z"},{"id":3663051,"new_policy":"# Program Terms\n\nReddit’s responsible disclosure and bug bounty program is focused on protecting our users’ private data, accounts, and identities. The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.\n\nIn addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit’s communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\nThe scope for Reddit’s program includes most of our assets—if it’s not explicitly out-of-scope, and has meaningful security impact, it’s fair game. This includes all subdomains of reddit.com and snooguts.net. 
\n\n# Good Faith\nTo be eligible to participate in Reddit’s bug bounty program we ask that all researchers act in good faith, which means: \n\n* Don’t try to access other users’ accounts or data — respect their privacy.\n* Don’t publicly disclose a vulnerability without Reddit’s explicit consent. \n* Don’t discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n* Don’t leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don’t identify the possibility yourself.\n* Don’t upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.\n* Don’t leave systems in a more vulnerable state.\n* Don’t take any action that could impact the performance or availability of Reddit.\n* Don’t make copies of Reddit's private production data as “proof”. The report should suffice as proof of impact.\n* Be respectful of our team.\n\nFailure to follow these rules will result in your reports being ineligible for bounty awards.\n\n# Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Eligibility to Participate\n\n* Must abide by Reddit’s User Agreement if testing with a Reddit account.\n* Must utilize HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne’s terms of service and privacy policy.\n* Reddit employees, contractors who are currently working with Reddit, or have worked with Reddit in the previous 6 months, or immediate family members of either are not eligible for bug bounties.\n\n# Report Quality\n\nReports are expected to be thorough and contain enough information that Reddit’s security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\n# Severity Determination\nReddit uses a simple scale to determine severity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. Vulnerabilities are primarily rated by their impact to the confidentiality of private user data and safety using the Reddit platform.\n\n## Critical\nCritical vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses or the ability to bypass authentication and gain access to targeted accounts. 
Examples of critical vulnerabilities include:\n* Remote command execution\n* SQL Injection\n* Authentication bypass resulting in access to a user's account and private data.\n* Access to production secrets such as access tokens that can be used to copy sensitive data.\n* Elevating Reddit application privileges to admin.\n\n## High\nHigh-rated vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits. Examples include:\n* Cross-site scripting (XSS)\n* Bypassing authorization to read or post to private subreddits.\n* CSRF or similar attacks provided they result in access to another user's account or data.\n* Bypassing two-factor authentication (2FA) in the Reddit application.\n* The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n* Performing limited admin actions without authorization.\n* Ability to identify real users when switching into and using Anonymous Browsing Mode (ABM) in native apps\n\n## Medium\nMedium-risk vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access less-sensitive information. Examples include:\n* CSRF or similar attacks to make a user take an action they didn't intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n* Disclosing the titles of posts in private subreddits.\n* Removing a moderator from a subreddit where you are not a moderator with “access” permissions.\n* Unbanning a user that has been banned from a subreddit without appropriate permissions.\n* Open redirects\n\n## Low\nLow-risk vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn't, but with no serious security implications. 
Examples include:\n* Bypassing domain restrictions on posted content.\n* Forcing users to use or not use the redesign or other early-access features.\n* Disclosure of voting records for accounts without the public voting option enabled.\n* Self-XSS without evidence it can be chained to be non-self XSS\n* Password brute-forcing that circumvents rate limiting\n\n# Bounty Amounts\nThe upper limits on bounty for each bug class:\n\n| Critical | High | Medium | Low |\n|:--------:|:----:|:------:|:---:|\n|  $10,000  | $5,000  |  $500  | $100  |\n\nThese are guidelines and may be adjusted by Reddit at our own discretion. Note that mitigating factors such as rate limiting (if applicable), the limitations on what may be accessed and the sensitivity of the exposed data will be taken into account when determining bounties. Bounty payments will be made through the HackerOne platform.\n\n# Out-of-Scope\n\n## Reddit agnostic:\n* Attacks requiring physical access to, root privileges on, or MITM of a user's device.\n* Account Oracles - the ability to determine if an email address or username is in use.\n* Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n* Insecure cookie settings / flags on non-login cookies.\n* Missing HTTP security headers (CSP, HSTS, etc.).\n* Weak SSL/TLS/SSH algorithms or protocols.\n* Lack of certificate pinning (improper certificate validation still eligible)\n* CSRF with no security impact (unauthenticated/logout/login CSRF).\n* Best practices violations (password complexity, expiration, re-use, etc.).\n* Clickjacking on pages with no sensitive actions.\n* Component version disclosure without accompanying proof of vulnerability.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* 0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.\n* Disclosure of internal tracebacks (unless sensitive environment data is also leaked).\n* Comma 
Separated Values (CSV) injection.\n* Reflected file download.\n* Content spoofing and text injection issues without being able to modify HTML/CSS.\n* Re-usage of passwords from public dumps.\n* Homograph links.\n* Mobile app crashes.\n* Tabnabbing / window.origin not being cleared on new tabs or windows\n* Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future)\n\n## Reddit specific:\n* Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch. On Dubsmash, the Kinesis AWS key is out of scope as it's non-vulnerable. \n* Commenting on removed / deleted posts (explicitly allowed unless a post is locked)\n* https://*.reddit.com/etc/passwd\n* Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n* Redress of subreddits with subreddit styles.\n* Bypassing rate-limits or the non-existence of rate-limits that have no platform impact.\n* Exposure of internal domains on public domains\n\n## Denial of service attacks:\n* Just don’t, we’re busy enough keeping the site up\n\n## In-scope domains (inclusive of all subdomains):\n* reddit.com\n* snooguts.net\n* redd.it\n* redditblog.com\n* redditmedia.com\n* redditstatic.com\n* redditgifts.com\n* reddituploads.com\n* redditinc.com\n* reddithelp.com (limited)\n* 1st party Android and iOS apps for Reddit\n\n## Out-of-scope domains\nAny SaaS or other service provider not explicitly called out. If you think it’s something owned by Reddit, you can send it along - we’ll decide if it’s out-of-scope.\n\n# Confidentiality\n\nAny information you receive or collect about Reddit, Reddit’s systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. 
You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. Please note, not all requests for public disclosure can be approved.\n\n# Rights and Licenses\nWe may modify the Program Terms or cancel the Bug Bounty Program at any time.\n\nBy making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.\n\nBy making a Submission, you give us the right to use your Submission for any purpose.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-15T17:29:22.667Z"},{"id":3658576,"new_policy":"# Program Terms\n\nReddit’s responsible disclosure and bug bounty program is focused on protecting our users’ private data, accounts, and identities. The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.\n\nIn addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit’s communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\nThe scope for Reddit’s program includes most of our assets—if it’s not explicitly out-of-scope, and has meaningful security impact, it’s fair game. This includes all subdomains of reddit.com and snooguts.net. 
\n\n# Good Faith\nTo be eligible to participate in Reddit’s bug bounty program we ask that all researchers act in good faith, which means: \n\n* Don’t try to access other users’ accounts or data — respect their privacy.\n* Don’t publicly disclose a vulnerability without Reddit’s explicit consent. \n* Don’t discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n* Don’t leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don’t identify the possibility yourself.\n* Don’t upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.\n* Don’t leave systems in a more vulnerable state.\n* Don’t take any action that could impact the performance or availability of Reddit.\n* Don’t make copies of Reddit's private production data as “proof”. The report should suffice as proof of impact.\n* Be respectful of our team.\n\nFailure to follow these rules will result in your reports being ineligible for bounty awards.\n\n# Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Eligibility to Participate\n\n* Must abide by Reddit’s User Agreement if testing with a Reddit account.\n* Must utilize HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne’s terms of service and privacy policy.\n* Reddit employees, contractors who are currently working with Reddit, or have worked with Reddit in the previous 6 months, or immediate family members of either are not eligible for bug bounties.\n\n# Report Quality\n\nReports are expected to be thorough and contain enough information that Reddit’s security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\n# Severity Determination\nReddit uses a simple scale to determine severity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. Vulnerabilities are primarily rated by their impact to the confidentiality of private user data and safety using the Reddit platform.\n\n## Critical\nCritical vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses or the ability to bypass authentication and gain access to targeted accounts. 
Examples of critical vulnerabilities include:\n* Remote command execution\n* SQL Injection\n* Authentication bypass resulting in access to a user's account and private data.\n* Access to production secrets such as access tokens that can be used to copy sensitive data.\n* Elevating Reddit application privileges to admin.\n\n## High\nHigh-rated vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits. Examples include:\n* Cross-site scripting (XSS)\n* Bypassing authorization to read or post to private subreddits.\n* CSRF or similar attacks provided they result in access to another user's account or data.\n* Bypassing two-factor authentication (2FA) in the Reddit application.\n* The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n* Performing limited admin actions without authorization.\n* Ability to identify real users when switching into and using Anonymous Browsing Mode (ABM) in native apps\n\n## Medium\nMedium-risk vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access less-sensitive information. Examples include:\n* CSRF or similar attacks to make a user take an action they didn't intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n* Disclosing the titles of posts in private subreddits.\n* Removing a moderator from a subreddit where you are not a moderator with “access” permissions.\n* Unbanning a user that has been banned from a subreddit without appropriate permissions.\n* Open redirects\n\n## Low\nLow-risk vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn't, but with no serious security implications. 
Examples include:\n* Bypassing domain restrictions on posted content.\n* Forcing users to use or not use the redesign or other early-access features.\n* Disclosure of voting records for accounts without the public voting option enabled.\n* Self-XSS without evidence it can be chained to be non-self XSS\n* Password brute-forcing that circumvents rate limiting\n\n# Bounty Amounts\nThe upper limits on bounty for each bug class:\n\n| Critical | High | Medium | Low |\n|:--------:|:----:|:------:|:---:|\n|  $10,000  | $5,000  |  $500  | $100  |\n\nThese are guidelines and may be adjusted by Reddit at our own discretion. Note that mitigating factors such as rate limiting (if applicable), the limitations on what may be accessed and the sensitivity of the exposed data will be taken into account when determining bounties. Bounty payments will be made through the HackerOne platform.\n\n# Out-of-Scope\n\n## Reddit agnostic:\n* Attacks requiring physical access to, root privileges on, or MITM of a user's device.\n* Account Oracles - the ability to determine if an email address or username is in use.\n* Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n* Insecure cookie settings / flags on non-login cookies.\n* Missing HTTP security headers (CSP, HSTS, etc.).\n* Weak SSL/TLS/SSH algorithms or protocols.\n* Lack of certificate pinning (improper certificate validation still eligible)\n* CSRF with no security impact (unauthenticated/logout/login CSRF).\n* Best practices violations (password complexity, expiration, re-use, etc.).\n* Clickjacking on pages with no sensitive actions.\n* Component version disclosure without accompanying proof of vulnerability.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* 0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.\n* Disclosure of internal tracebacks (unless sensitive environment data is also leaked).\n* Comma 
Separated Values (CSV) injection.\n* Reflected file download.\n* Content spoofing and text injection issues without being able to modify HTML/CSS.\n* Re-usage of passwords from public dumps.\n* Homograph links.\n* Mobile app crashes.\n* Tabnabbing / window.origin not being cleared on new tabs or windows\n* Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future)\n\n## Reddit specific:\n* Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch. On Dubsmash, the Kinesis AWS key is out of scope as it's non-vulnerable. \n* Commenting on removed / deleted posts (explicitly allowed unless a post is locked)\n* https://*.reddit.com/etc/passwd\n* Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n* Redress of subreddits with subreddit styles.\n* Bypassing rate-limits or the non-existence of rate-limits that have no platform impact.\n* Exposure of internal domains on public domains\n\n## Denial of service attacks:\n* Just don’t, we’re busy enough keeping the site up\n\n## In-scope domains (inclusive of all subdomains):\n* reddit.com\n* snooguts.net\n* redd.it\n* redditblog.com\n* redditmedia.com\n* redditstatic.com\n* redditgifts.com\n* reddituploads.com\n* redditinc.com\n* reddithelp.com (limited)\n* dubsmash.com\n* 1st party Android and iOS apps for Reddit and Dubsmash\n\n## Out-of-scope domains\nAny SaaS or other service provider not explicitly called out. If you think it’s something owned by Reddit, you can send it along - we’ll decide if it’s out-of-scope.\n\n# Confidentiality\n\nAny information you receive or collect about Reddit, Reddit’s systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. 
You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. Please note, not all requests for public disclosure can be approved.\n\n# Rights and Licenses\nWe may modify the Program Terms or cancel the Bug Bounty Program at any time.\n\nBy making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.\n\nBy making a Submission, you give us the right to use your Submission for any purpose.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-20T13:57:15.198Z"},{"id":3651117,"new_policy":"# Program Terms\n\nReddit’s responsible disclosure and bug bounty program is focused on protecting our users’ private data, accounts, and identities. The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a user), and (optional) email addresses.\n\nIn addition to user posted content, it is important that Reddit maintain the confidentiality of user identities and the integrity of discussions in Reddit’s communities and private spaces. It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\nThe scope for Reddit’s program includes most of our assets—if it’s not explicitly out-of-scope, and has meaningful security impact, it’s fair game. This includes all subdomains of reddit.com and snooguts.net. 
\n\n# Good Faith\nTo be eligible to participate in Reddit’s bug bounty program we ask that all researchers act in good faith, which means: \n\n* Don’t try to access other users’ accounts or data — respect their privacy.\n* Don’t publicly disclose a vulnerability without Reddit’s explicit consent. \n* Don’t discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n* Don’t leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don’t identify the possibility yourself.\n* Don’t upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.\n* Don’t leave systems in a more vulnerable state.\n* Don’t take any action that could impact the performance or availability of Reddit.\n* Don’t make copies of Reddit's private production data as “proof”. The report should suffice as proof of impact.\n* Be respectful of our team.\n\nFailure to follow these rules will result in your reports being ineligible for bounty awards.\n\n# Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Eligibility to Participate\n\n* Must abide by Reddit’s User Agreement if testing with a Reddit account.\n* Must utilize HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne’s terms of service and privacy policy.\n* Reddit employees, contractors who are currently working with Reddit, or have worked with Reddit in the previous 6 months, or immediate family members of either are not eligible for bug bounties.\n\n# Report Quality\n\nReports are expected to be thorough and contain enough information that Reddit’s security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\n# Severity Determination\nReddit uses a simple scale to determine severity. Reddit will categorize valid submissions in one of the following categories at its sole discretion. Vulnerabilities are primarily rated by their impact to the confidentiality of private user data and safety using the Reddit platform.\n\n## Critical\nCritical vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses or the ability to bypass authentication and gain access to targeted accounts. 
Examples of critical vulnerabilities include:\n* Remote command execution\n* SQL Injection\n* Authentication bypass resulting in access to a user's account and private data.\n* Access to production secrets such as access tokens that can be used to copy sensitive data.\n* Elevating Reddit application privileges to admin.\n\n## High\nHigh-rated vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits. Examples include:\n* Cross-site scripting (XSS)\n* Bypassing authorization to read or post to private subreddits.\n* CSRF or similar attacks provided they result in access to another user's account or data.\n* Bypassing two-factor authentication (2FA) in the Reddit application.\n* The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n* Performing limited admin actions without authorization.\n* Ability to identify real users when switching into and using Anonymous Browsing Mode (ABM) in native apps\n\n## Medium\nMedium-risk vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access less-sensitive information. Examples include:\n* CSRF or similar attacks to make a user take an action they didn't intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n* Disclosing the titles of posts in private subreddits.\n* Removing a moderator from a subreddit where you are not a moderator with “access” permissions.\n* Unbanning a user that has been banned from a subreddit without appropriate permissions.\n* Open redirects\n\n## Low\nLow-risk vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn't, but with no serious security implications. 
Examples include:\n* Bypassing domain restrictions on posted content.\n* Forcing users to use or not use the redesign or other early-access features.\n* Disclosure of voting records for accounts without the public voting option enabled.\n* Self-XSS without evidence it can be chained to be non-self XSS\n* Password brute-forcing that circumvents rate limiting\n\n# Bounty Amounts\nThe upper limits on bounty for each bug class:\n\n| Critical | High | Medium | Low |\n|:--------:|:----:|:------:|:---:|\n|  $10,000  | $5,000  |  $500  | $100  |\n\nThese are guidelines and may be adjusted by Reddit at our own discretion. Note that mitigating factors such as rate limiting (if applicable), the limitations on what may be accessed and the sensitivity of the exposed data will be taken into account when determining bounties. Bounty payments will be made through the HackerOne platform.\n\n# Out-of-Scope\n\n## Reddit agnostic:\n* Attacks requiring physical access to, root privileges on, or MITM of a user's device.\n* Account Oracles - the ability to determine if an email address or username is in use.\n* Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n* Insecure cookie settings / flags on non-login cookies.\n* Missing HTTP security headers (CSP, HSTS, etc.).\n* Weak SSL/TLS/SSH algorithms or protocols.\n* Lack of certificate pinning (improper certificate validation still eligible)\n* CSRF with no security impact (unauthenticated/logout/login CSRF).\n* Best practices violations (password complexity, expiration, re-use, etc.).\n* Clickjacking on pages with no sensitive actions.\n* Component version disclosure without accompanying proof of vulnerability.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* 0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game.\n* Disclosure of internal tracebacks (unless sensitive environment data is also leaked).\n* Comma 
Separated Values (CSV) injection.\n* Reflected file download.\n* Content spoofing and text injection issues without being able to modify HTML/CSS.\n* Re-usage of passwords from public dumps.\n* Homograph links.\n* Mobile app crashes.\n* Tabnabbing / window.origin not being cleared on new tabs or windows\n* Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future)\n\n## Reddit specific:\n* Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch.\n* Commenting on removed / deleted posts (explicitly allowed unless a post is locked)\n* https://*.reddit.com/etc/passwd\n* Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n* Redress of subreddits with subreddit styles.\n* Bypassing rate-limits or the non-existence of rate-limits that have no platform impact.\n* Exposure of internal domains on public domains\n\n## Denial of service attacks:\n* Just don’t, we’re busy enough keeping the site up\n\n## In-scope domains (inclusive of all subdomains):\n* reddit.com\n* snooguts.net\n* redd.it\n* redditblog.com\n* redditmedia.com\n* redditstatic.com\n* redditgifts.com\n* reddituploads.com\n* redditinc.com\n* reddithelp.com (limited)\n* dubsmash.com\n* 1st party Android and iOS apps for Reddit and Dubsmash\n\n## Out-of-scope domains\nAny SaaS or other service provider not explicitly called out. If you think it’s something owned by Reddit, you can send it along - we’ll decide if it’s out-of-scope.\n\n# Confidentiality\n\nAny information you receive or collect about Reddit, Reddit’s systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. 
You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. Please note, not all requests for public disclosure can be approved.\n\n# Rights and Licenses\nWe may modify the Program Terms or cancel the Bug Bounty Program at any time.\n\nBy making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.\n\nBy making a Submission, you give us the right to use your Submission for any purpose.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-14T14:32:32.656Z"},{"id":3651116,"new_policy":"# Terms and Conditions\n\nReddit's bug bounty program is focused on protecting our user's private data, accounts, and identities. The vast majority of data posted to Reddit every day is intended to be public, however Reddit does host private data including: messages, chats, voting records for accounts without the public voting option enabled, subreddit subscriptions (when tied to a real person), and (optional) email addresses.\n\nIn addition to user posted content it is important that Reddit maintain the confidentiality of user identities. 
It is with these things in mind that Reddit evaluates the impact and severity of each reported vulnerability.\n\n## Good Faith\n\nTo be eligible to participate in Reddit's bug bounty program we ask that all researchers act in good faith.\n\nActing in good faith means honoring the following rules:\n\n  * Don't try to access other users' accounts or data - respect their privacy.\n  * Don't publicly disclose a vulnerability. Reddit’s bug bounty program is private -- public disclosure isn’t available.\n  * Don't discuss vulnerability details with anyone other than Reddit staff before we can patch the vulnerability.\n  * Collaboration is only available with others that are part of the Reddit program. It's private for a reason, don't broaden the existing invited hackers. Note on your report if you want to add other previously invited researchers as collaborators.\n  * Don't leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don’t identify the possibility yourself.\n  * Don't upload rootkits or malware or otherwise go beyond what is necessary to prove a vulnerability exists.\n  * Don't leave systems in a more vulnerable state.\n  * Don't take any action that could impact the performance or availability of Reddit.\n  * Don't make copies of Reddit's private production data as \"proof\". 
The report should suffice as proof of impact.\n  * Be respectful of our team.\n\nFailure to follow these rules will result in any reports being ineligible for bounty awards.\n\n## Other Rules\n\n  * Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n  * When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n  * Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n  * Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n  * Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n  * Only test for vulnerabilities on sites known to be owned by Reddit and within our Scope, listed below. Do not test third party sites or assume a site is owned by Reddit simply because it has a Reddit subdomain.\n  * Do not use automated scanners or scrapers and do not submit reports from these tools.\n  * Do not target our employees, our offices, or our physical infrastructure.\n  * If possible, use your own private subreddit to test in rather than an existing public one.\n  * Do not target our smart contracts on Ethereum Mainnet.  
Use Testnet instead.\n\n  * To be eligible for bounty you must not be a Reddit employee, contractor working on Reddit, or immediate family member of either.\n\n## Vulnerabilities That Do Not Qualify\n\n  * Attacks requiring physical access to or root privileges on a user's unlocked device\n  * Account Oracles - The ability to determine if an email address or username is in use.\n  * Those targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.\n  * Insecure cookie settings/flags on non-login cookies.\n  * Brute-forcing.\n  * Bypassing rate-limits or the non-existence of rate-limits.\n  * Missing HTTP security headers (CSP, HSTS, etc.)\n  * Weak SSL/TLS/SSH algorithms or protocols.\n  * CSRF with no security impact (Unauthenticated/logout/login CSRF).\n  * Best practices violations (password complexity, expiration, re-use, etc.).\n  * Clickjacking on pages with no sensitive actions.\n  * Redress of subreddits with subreddit styles.\n  * Attacks requiring MITM or physical access to a user's device.\n  * Version disclosure without accompanying proof of vulnerability\n  * Previously known vulnerable libraries without a working Proof of Concept.\n  * Disclosure of internal tracebacks (unless sensitive environment data is also leaked)\n  * Comma Separated Values (CSV) injection.\n  * Reflected file download\n  * Any activity that could lead to the disruption of our service (DoS).\n  * Content spoofing and text injection issues without being able to modify HTML/CSS.\n  * Re-usage of passwords from public dumps.\n  * https://*.reddit.com/etc/passwd\n  * Sessions not being invalidated on logout (they are invalidated on password change, 2FA being enabled, etc.).\n  * Homograph links.\n  * Mobile app crashes\n  * Lack of certificate pinning (improper certificate validation still eligible)\n  * Commenting on removed / deleted posts (explicitly allowed unless a post is locked)\n  * Tabnabbing / window.origin not being cleared on new tabs or windows\n  * 
Mobile app hardcoded secrets that are Sentry, Twitter, Crashlytics, Firebase, or Branch. \n  * 0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it's fair game. \n  * Deep links for Android missing `autoVerify=true` due to current Google limitation with AMP (may change in future)\n\n## Reports\n\n### Quality\n\n  Reports are expected to be thorough and contain enough information that Reddit's security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video.\n\n  Reports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.\n\n### Confidentiality\n\n  Information gathered about Reddit production systems and data must remain confidential. Because this is a private bug bounty program the details of vulnerabilities must also remain confidential even after an issue has been closed and a bounty paid.\n\n## Severity Determination\n\nReddit uses a simple scale to determine severity. Vulnerabilities are primarily rated by their impact to the confidentiality of private user data.\n\n### Critical\n\nCritical vulnerabilities are those that result in the bulk compromise of user data such as password hashes, private messages, private chats, and email addresses or the ability to bypass authentication and gain access to targeted accounts. 
Examples of critical vulnerabilities include:\n\n  * Remote command execution\n  * SQL Injection\n  * Authentication bypass resulting in access to a user's account and private data.\n  * Access to production secrets such as access tokens that can be used to copy sensitive data.\n  * Elevating Reddit application privileges to admin.\n\n### High\n\nHigh-rated vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private groups or subreddits. Examples include:\n\n  * Cross-site scripting (XSS)\n  * Bypassing authorization to read or post to private subreddits.\n  * CSRF or similar attacks provided they result in access to another user's account or data.\n  * Bypassing two-factor authentication (2FA) in the Reddit application.\n  * The ability to assign arbitrary users as moderators to existing subreddits or taking moderator actions without appropriate permissions.\n  * Performing limited admin actions without authorization.\n  * Ability to identify real users when switching into and using [Anonymous Browsing Mode (ABM)](https://www.reddit.com/r/changelog/comments/hbm5eh/introducing_anonymous_browsing_on_android/) in native apps\n\n### Medium\n\nMedium-risk vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access less-sensitive information. Examples include:\n\n  * CSRF or similar attacks to make a user take an action they didn't intend, such as subscribing or unsubscribing to subreddits or voting on posts/comments.\n  * Disclosing the titles of posts in private subreddits.\n  * Removing a moderator from a subreddit where you are not a moderator with “access” permissions.\n  * Unbanning a user that has been banned from a subreddit without appropriate permissions.\n  * Open redirects\n\n### Low\n\nLow-risk vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn't, but with no serious security implications. 
Examples include:\n\n  * Bypassing domain restrictions on posted content.\n  * Forcing users to use or not use the redesign or other early-access features.\n  * Disclosure of voting records for accounts without the public voting option enabled.\n  * Self-XSS without evidence it can be chained to be non-self XSS\n  * Tabnabbing\n  * Password brute-forcing that circumvents rate limiting\n\n## Response Times\n\nReddit will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 3 business days\n* Time to triage (from report submit) - 10 business days\n* Time to bounty (from triage) - 10 business days\n\nWe’ll do our best to keep you informed about our progress throughout the process.\n\n## Bounty Amounts\n\nThe upper limits on bounty for each bug class:\n\n| Critical | High | Medium | Low |\n|:--------:|:----:|:------:|:---:|\n|  $10,000  | $5,000  |  $500  | $100  |\n\nThese are guidelines and may be adjusted by Reddit at our own discretion. Note that mitigating factors such as rate limiting (if applicable), the limitations on what may be accessed and the sensitivity of the exposed data will be taken into account when determining bounties.\n\n## Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Reddit and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-14T14:30:19.511Z"}]