[{"id":3770048,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nBy submitting a report, you agree that materials will be shared with TikTok USDS Joint Venture LLC for independent triage, audit, verification, and patching based on impact to systems in the United States. \n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. \n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n* If you encounter user information / internal resources during research, stop there and report the issue immediately via HackerOne. We will evaluate the impact and reward accordingly.\n* Do not attack or enumerate any internal resources for testing SSRF vulnerability. Please only use the program provided SSRF sheriff for testing (Refer to the \"SSRF Testing Rules\" section below for more details).\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n\n#SSRF Testing Rules\n\nPlease see below for the usage of SSRF Sheriff:\n1. Test SSRF only with the following payload\n    * Full-read SSRF (A Flag will be returned to you):  https://ssrf-bait.byted.org/full-read-ssrf\n    * Blind SSRF (Provide your own Flag as payload): https://ssrf-bait.byted.org/blind-ssrf/YOUR_OWN_FLAG\n\n2. 
Check if your SSRF was successful with the SSRF Flag with the following URL\n    * https://sf-ssrf-sherif.byted.app/obj/ssrf-detector-us/YOUR_OWN_FLAG\n    * If the response shows \"True\", the SSRF was successful\n\n`PS: The \"Flag\" used here is a 32 character-long hex string in lowercase, which works as a unique identifier for our sheriff to validate SSRF request`\n\n** Please note that this SSRF Sheriff should only be used for SSRF vulnerability testing and PoC development purposes. Any kind of attack / exploitation on this SSRF Sheriff service is strictly prohibited.**\n\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. \n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nTikTok supports public recognition and disclosure of contributions and findings for in-scope reports closed as resolved. 
We will seek to allow participants to be publicly recognized whenever possible.\n* Public disclosure of a vulnerability (either full or partial) is only permitted after the TikTok Team receives a Disclosure Request within the HackerOne platform and the TikTok Team agrees to disclose the report.\n* Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n* TikTok may redact any sensitive information prior to disclosure.\n\nIf requesting beyond a HackerOne disclosure (e.g. in a blog or at a conference):\n* Request approval before commencing a write up.\n* Share your final blog edits and where the content is to be hosted with TikTok for approval.\n* Do not publicly disclose information until you have explicit written consent to do so from TikTok.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection, unsafe deserialization, exploitable memory corruption  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n| All blind SSRF vulnerabilities that include a valid sheriff flag and a stable, reproducible proof of concept (PoC) | Low|\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Program Exclusions\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions or requiring multiple user interactions.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner 
identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* Self-XSS, which includes any payload entered by the victim\n* HTML Injection with no actual harm or that require unlikely user interaction\n\n# Known Issues\nPlease note that these known issues will not be accepted:\n* Cross-Site Request Forgery (CSRF)  findings reported after 5th July, 2023 on all TikTok products.\n* Insecure Direct Object Reference (IDOR)/Privilege Escalation/Improper Access Control  findings reported after 13th March, 2024 on all TikTok Partner Shop API \n* All access control / privilege escalation / IDOR issues related to \"Tiktok One / Tiktok Business Center\" feature  reported after 16 December 2024\n\n\nWe are working on a fix for the above issues and seek your kind patience.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. 
This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":\"Tiktok does not currently pay out on every IDOR finding with unpredictable IDs. Our acceptance and associated bounty will be determined by the Bug Bounty Program team based on the complexity of the ID. 
\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Insecure file uploads leading to XSS on the CDN domain\",\"details\":\"Tiktok does not currently pay out on every XSS on CDN Domain. The finding will only be considered acceptable if it clearly demonstrates a direct impact on in-scope domains.\"}","{\"category\":\"Temporary Exclusion on TikTok Devportal Minis\",\"details\":\"All reports submitted on https://developers.tiktok.com/minis/ from 23 Feb 2026 are excluded from the scope until further notice\"}"],"timestamp":"2026-02-23T06:50:59.520Z"},{"id":3768619,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nBy submitting a report, you agree that materials will be shared with TikTok USDS Joint Venture LLC for independent triage, audit, verification, and patching based on impact to systems in the United States. 
\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. \n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n* If you encounter user information / internal resources during research, stop there and report the issue immediately via HackerOne. We will evaluate the impact and reward accordingly.\n* Do not attack or enumerate any internal resources for testing SSRF vulnerability. 
Please only use the program provided SSRF sheriff for testing (Refer to the \"SSRF Testing Rules\" section below for more details).\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n\n#SSRF Testing Rules\n\nPlease see below for the usage of SSRF Sheriff:\n1. Test SSRF only with the following payload\n    * Full-read SSRF (A Flag will be returned to you):  https://ssrf-bait.byted.org/full-read-ssrf\n    * Blind SSRF (Provide your own Flag as payload): https://ssrf-bait.byted.org/blind-ssrf/YOUR_OWN_FLAG\n\n2. Check if your SSRF was successful with the SSRF Flag with the following URL\n    * https://sf-ssrf-sherif.byted.app/obj/ssrf-detector-us/YOUR_OWN_FLAG\n    * If the response shows \"True\", the SSRF was successful\n\n`PS: The \"Flag\" used here is a 32 character-long hex string in lowercase, which works as a unique identifier for our sheriff to validate SSRF request`\n\n** Please note that this SSRF Sheriff should only be used for SSRF vulnerability testing and PoC development purposes. Any kind of attack / exploitation on this SSRF Sheriff service is strictly prohibited.**\n\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. 
\n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nTikTok supports public recognition and disclosure of contributions and findings for in-scope reports closed as resolved. We will seek to allow participants to be publicly recognized whenever possible.\n* Public disclosure of a vulnerability (either full or partial) is only permitted after the TikTok Team receives a Disclosure Request within the HackerOne platform and the TikTok Team agrees to disclose the report.\n* Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n* TikTok may redact any sensitive information prior to disclosure.\n\nIf requesting beyond a HackerOne disclosure (e.g. 
in a blog or at a conference):\n* Request approval before commencing a write up.\n* Share your final blog edits and where the content is to be hosted with TikTok for approval.\n* Do not publicly disclose information until you have explicit written consent to do so from TikTok.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection, unsafe deserialization, exploitable memory corruption  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n| All blind SSRF vulnerabilities that include a valid sheriff flag and a stable, reproducible proof of concept (PoC) | Low|\n\nHigh-quality reports may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. 
\n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Program Exclusions\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions or requiring multiple user interactions.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* Self-XSS, which includes any payload entered by the victim\n* HTML Injection with no actual harm or that require unlikely user interaction\n\n# Known Issues\nPlease note that these known issues will not be accepted:\n* Cross-Site Request Forgery (CSRF)  findings reported after 5th July, 2023 on all TikTok products.\n* Insecure Direct Object Reference (IDOR)/Privilege Escalation/Improper Access Control  findings reported after 13th March, 2024 on all TikTok Partner Shop API \n* All access control / privilege escalation / IDOR issues related to \"Tiktok One / Tiktok Business Center\" feature  reported after 16 December 2024\n\n\nWe are working on a fix for the above issues and seek your kind patience.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. 
This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":\"Tiktok does not currently pay out on every IDOR finding with unpredictable IDs. Our acceptance and associated bounty will be determined by the Bug Bounty Program team based on the complexity of the ID. 
\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Insecure file uploads leading to XSS on the CDN domain\",\"details\":\"Tiktok does not currently pay out on every XSS on CDN Domain. The finding will only be considered acceptable if it clearly demonstrates a direct impact on in-scope domains.\"}"],"timestamp":"2026-01-22T02:48:19.823Z"},{"id":3766694,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. \n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n* If you encounter user information / internal resources during research, stop there and report the issue immediately via HackerOne. We will evaluate the impact and reward accordingly.\n* Do not attack or enumerate any internal resources for testing SSRF vulnerability. Please only use the program provided SSRF sheriff for testing (Refer to the \"SSRF Testing Rules\" section below for more details).\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n\n#SSRF Testing Rules\n\nPlease see below for the usage of SSRF Sheriff:\n1. Test SSRF only with the following payload\n    * Full-read SSRF (A Flag will be returned to you):  https://ssrf-bait.byted.org/full-read-ssrf\n    * Blind SSRF (Provide your own Flag as payload): https://ssrf-bait.byted.org/blind-ssrf/YOUR_OWN_FLAG\n\n2. 
Check if your SSRF was successful with the SSRF Flag with the following URL\n    * https://sf-ssrf-sherif.byted.app/obj/ssrf-detector-us/YOUR_OWN_FLAG\n    * If the response shows \"True\", the SSRF was successful\n\n`PS: The \"Flag\" used here is a 32 character-long hex string in lowercase, which works as a unique identifier for our sheriff to validate SSRF request`\n\n** Please note that this SSRF Sheriff should only be used for SSRF vulnerability testing and PoC development purposes. Any kind of attack / exploitation on this SSRF Sheriff service is strictly prohibited.**\n\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. \n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nTikTok supports public recognition and disclosure of contributions and findings for in-scope reports closed as resolved. 
We will seek to allow participants to be publicly recognized whenever possible.\n* Public disclosure of a vulnerability (either full or partial) is only permitted after the TikTok Team receives a Disclosure Request within the HackerOne platform and the TikTok Team agrees to disclose the report.\n* Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n* TikTok may redact any sensitive information prior to disclosure.\n\nIf requesting beyond a HackerOne disclosure (e.g. in a blog or at a conference):\n* Request approval before commencing a write up.\n* Share your final blog edits and where the content is to be hosted with TikTok for approval.\n* Do not publicly disclose information until you have explicit written consent to do so from TikTok.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection, unsafe deserialization, exploitable memory corruption  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n| All blind SSRF vulnerabilities that include a valid sheriff flag and a stable, reproducible proof of concept (PoC) | Low|\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Program Exclusions\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions or requiring multiple user interactions.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner 
identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public zero-day vulnerabilities whose official disclosure was less than 1 month ago are handled on a case-by-case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* Self-XSS, which includes any payload entered by the victim\n* HTML Injection that causes no actual harm or that requires unlikely user interaction\n\n# Known Issues\nPlease note that these known issues will not be accepted:\n* Cross-Site Request Forgery (CSRF) findings reported after 5th July, 2023 on all TikTok products.\n* Insecure Direct Object Reference (IDOR)/Privilege Escalation/Improper Access Control findings reported after 13th March, 2024 on all TikTok Partner Shop API\n* All access control / privilege escalation / IDOR issues related to the \"Tiktok One / Tiktok Business Center\" feature reported after 16 December 2024\n\n\nWe are working on a fix for the above issues and seek your kind patience.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be an accidental or good faith violation of this policy. 
This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":\"Tiktok does not currently pay out on every IDOR finding with unpredictable IDs. Our acceptance and associated bounty will be determined by the Bug Bounty Program team based on the complexity of the ID. 
\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Insecure file uploads leading to XSS on the CDN domain\",\"details\":\"Tiktok does not currently pay out on every XSS on CDN Domain. The finding will only be considered acceptable if it clearly demonstrates a direct impact on in-scope domains.\"}"],"timestamp":"2025-11-28T09:08:01.508Z"},{"id":3765802,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case-by-case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service.\n* Create test accounts or test content to avoid affecting real users.\n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n    * `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n* If you encounter user information / internal resources during research, stop there and report the issue immediately via HackerOne. We will evaluate the impact and reward accordingly.\n* Do not attack or enumerate any internal resources for testing SSRF vulnerabilities. Please only use the program-provided SSRF sheriff for testing (refer to the \"SSRF Testing Rules\" section below for more details).\n* Always read and adhere to the [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, and privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n\n# SSRF Testing Rules\n\nPlease see below for the usage of the SSRF Sheriff:\n1. Test SSRF only with the following payloads\n    * Full-read SSRF (A Flag will be returned to you): https://ssrf-bait.byted.org/full-read-ssrf\n    * Blind SSRF (Provide your own Flag as payload): https://ssrf-bait.byted.org/blind-ssrf/YOUR_OWN_FLAG\n\n2. 
Check whether your SSRF was successful by looking up your Flag at the following URL\n    * https://sf-ssrf-sherif.byted.app/obj/ssrf-detector-us/YOUR_OWN_FLAG\n    * If the response shows \"True\", the SSRF was successful\n\n`PS: The \"Flag\" used here is a 32-character lowercase hex string, which serves as the unique identifier our sheriff uses to validate the SSRF request`\n\n**Please note that this SSRF Sheriff should only be used for SSRF vulnerability testing and PoC development purposes. Any kind of attack / exploitation on this SSRF Sheriff service is strictly prohibited.**\n\n\n# Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses.\n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For a valid Proof of Concept, please include your HackerOne username in the file name and in the file content as a comment in the markup.\n\n\n# Asset Priorities\nVulnerabilities will be evaluated based on their impact on TikTok systems, and certain assets may carry higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nTikTok supports public recognition and disclosure of contributions and findings for in-scope reports closed as resolved. 
We will seek to allow participants to be publicly recognized whenever possible.\n* Public disclosure of a vulnerability (either full or partial) is only permitted after the TikTok Team receives a Disclosure Request within the HackerOne platform and the TikTok Team agrees to disclose the report.\n* Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n* TikTok may redact any sensitive information prior to disclosure.\n\nIf requesting beyond a HackerOne disclosure (e.g. in a blog or at a conference):\n* Request approval before commencing a write up.\n* Share your final blog edits and where the content is to be hosted with TikTok for approval.\n* Do not publicly disclose information until you have explicit written consent to do so from TikTok.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection, unsafe deserialization, exploitable memory corruption  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n| All blind SSRF vulnerabilities that include a valid sheriff flag and a stable, reproducible proof of concept (PoC) | Low|\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Program Exclusions\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions or requiring multiple user interactions.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner 
identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public zero-day vulnerabilities whose official disclosure was less than 1 month ago are handled on a case-by-case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* Self-XSS, which includes any payload entered by the victim\n* HTML Injection that causes no actual harm or that requires unlikely user interaction\n\n# Known Issues\nPlease note that these known issues will not be accepted:\n* Cross-Site Request Forgery (CSRF) findings reported after 5th July, 2023 on all TikTok products.\n* Insecure Direct Object Reference (IDOR)/Privilege Escalation/Improper Access Control findings reported after 13th March, 2024 on all TikTok Partner Shop API\n* All access control / privilege escalation / IDOR issues related to the \"Tiktok Subscription\" feature in all Tiktok assets reported after 7th July, 2024\n* All access control / privilege escalation / IDOR issues related to the \"Tiktok One / Tiktok Business Center\" feature reported after 16 December 2024\n\n\nWe are working on a fix for the above issues and seek your kind patience.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be an accidental or good faith violation of this policy. 
This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":\"Tiktok does not currently pay out on every IDOR finding with unpredictable IDs. Our acceptance and associated bounty will be determined by the Bug Bounty Program team based on the complexity of the ID. 
\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Insecure file uploads leading to XSS on the CDN domain\",\"details\":\"Tiktok does not currently pay out on every XSS on CDN Domain. The finding will only be considered acceptable if it clearly demonstrates a direct impact on in-scope domains.\"}"],"timestamp":"2025-11-10T09:15:06.790Z"},{"id":3756306,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case-by-case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service.\n* Create test accounts or test content to avoid affecting real users.\n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n    * `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n* If you encounter user information / internal resources during research, stop there and report the issue immediately via HackerOne. We will evaluate the impact and reward accordingly.\n* Do not attack or enumerate any internal resources for testing SSRF vulnerabilities. Please only use the program-provided SSRF sheriff for testing (refer to the \"SSRF Testing Rules\" section below for more details).\n* Always read and adhere to the [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, and privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n\n# SSRF Testing Rules\n\nPlease see below for the usage of the SSRF Sheriff:\n1. Test SSRF only with the following payloads\n    * Full-read SSRF (A Flag will be returned to you): https://ssrf-bait.byted.org/full-read-ssrf\n    * Blind SSRF (Provide your own Flag as payload): https://ssrf-bait.byted.org/blind-ssrf/YOUR_OWN_FLAG\n\n2. 
Check whether your SSRF was successful by looking up your Flag at the following URL\n    * https://sf-ssrf-sherif.byted.app/obj/ssrf-detector-us/YOUR_OWN_FLAG\n    * If the response shows \"True\", the SSRF was successful\n\n`PS: The \"Flag\" used here is a 32-character lowercase hex string, which serves as the unique identifier our sheriff uses to validate the SSRF request`\n\n**Please note that this SSRF Sheriff should only be used for SSRF vulnerability testing and PoC development purposes. Any kind of attack / exploitation on this SSRF Sheriff service is strictly prohibited.**\n\n\n# Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses.\n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For a valid Proof of Concept, please include your HackerOne username in the file name and in the file content as a comment in the markup.\n\n\n# Asset Priorities\nVulnerabilities will be evaluated based on their impact on TikTok systems, and certain assets may carry higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nTikTok supports public recognition and disclosure of contributions and findings for in-scope reports closed as resolved. 
We will seek to allow participants to be publicly recognized whenever possible.\n* Public disclosure of a vulnerability (either full or partial) is only permitted after the TikTok Team receives a Disclosure Request within the HackerOne platform and the TikTok Team agrees to disclose the report.\n* Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n* TikTok may redact any sensitive information prior to disclosure.\n\nIf requesting beyond a HackerOne disclosure (e.g. in a blog or at a conference):\n* Request approval before commencing a write up.\n* Share your final blog edits and where the content is to be hosted with TikTok for approval.\n* Do not publicly disclose information until you have explicit written consent to do so from TikTok.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection, unsafe deserialization, exploitable memory corruption  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Program Exclusions\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions or requiring multiple user interactions.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner 
identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public zero-day vulnerabilities whose official disclosure was less than 1 month ago are handled on a case-by-case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* Self-XSS, which includes any payload entered by the victim\n* HTML Injection that causes no actual harm or that requires unlikely user interaction\n\n# Known Issues\nPlease note that these known issues will not be accepted:\n* Cross-Site Request Forgery (CSRF) findings reported after 5th July, 2023 on all TikTok products.\n* Insecure Direct Object Reference (IDOR)/Privilege Escalation/Improper Access Control findings reported after 13th March, 2024 on all TikTok Partner Shop API\n* All access control / privilege escalation / IDOR issues related to the \"Tiktok Subscription\" feature in all Tiktok assets reported after 7th July, 2024\n* All access control / privilege escalation / IDOR issues related to the \"Tiktok One / Tiktok Business Center\" feature reported after 16 December 2024\n\n\nWe are working on a fix for the above issues and seek your kind patience.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be an accidental or good faith violation of this policy. 
This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":\"Tiktok does not currently pay out on every IDOR finding with unpredictable IDs. Our acceptance and associated bounty will be determined by the Bug Bounty Program team based on the complexity of the ID. 
\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Insecure file uploads leading to XSS on the CDN domain\",\"details\":\"Tiktok does not currently pay out on every XSS on CDN Domain. The finding will only be considered acceptable if it clearly demonstrates a direct impact on in-scope domains.\"}"],"timestamp":"2025-05-26T04:55:30.145Z"},{"id":3750381,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. \n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n* If you encounter user information / internal resources during research, stop there and report the issue immediately via HackerOne. We will evaluate the impact and reward accordingly.\n* Do not attack or enumerate any internal resources for testing SSRF vulnerability. Please only use the program provided SSRF sheriff for testing (Refer to the \"SSRF Testing Rules\" section below for more details).\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n\n#SSRF Testing Rules\n\nPlease see below for the usage of SSRF Sheriff:\n1. Test SSRF only with the following payload\n    * Full-read SSRF (A Flag will be returned to you):  https://ssrf-bait.byted.org/full-read-ssrf\n    * Blind SSRF (Provide your own Flag as payload): https://ssrf-bait.byted.org/blind-ssrf/YOUR_OWN_FLAG\n\n2. 
Check if your SSRF was successful with the SSRF Flag with the following URL\n    * https://sf-ssrf-sherif.byted.app/obj/ssrf-detector-us/YOUR_OWN_FLAG\n    * If the response shows \"True\", the SSRF was successful\n\n`PS: The \"Flag\" used here is a 32 character-long hex string in lowercase, which works as a unique identifier for our sheriff to validate SSRF request`\n\n** Please note that this SSRF Sheriff should only be used for SSRF vulnerability testing and PoC development purposes. Any kind of attack / exploitation on this SSRF Sheriff service is strictly prohibited.**\n\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. \n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nTikTok supports public recognition and disclosure of contributions and findings for in-scope reports closed as resolved. 
We will seek to allow participants to be publicly recognized whenever possible.\n* Public disclosure of a vulnerability (either full or partial) is only permitted after the TikTok Team receives a Disclosure Request within the HackerOne platform and the TikTok Team agrees to disclose the report.\n* Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n* TikTok may redact any sensitive information prior to disclosure.\n\nIf requesting beyond a HackerOne disclosure (e.g. in a blog or at a conference):\n* Request approval before commencing a write up.\n* Share your final blog edits and where the content is to be hosted with TikTok for approval.\n* Do not publicly disclose information until you have explicit written consent to do so from TikTok.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection, unsafe deserialization, exploitable memory corruption  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Program Exclusions\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions or requiring multiple user interactions.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner 
identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* Self-XSS, which includes any payload entered by the victim\n* HTML Injection with no actual harm or that require unlikely user interaction\n\n# Known Issues\nPlease note that these known issues will not be accepted:\n* Cross-Site Request Forgery (CSRF)  findings reported after 5th July, 2023 on all TikTok products.\n* Insecure Direct Object Reference (IDOR)/Privilege Escalation/Improper Access Control  findings reported after 13th March, 2024 on all TikTok Partner Shop API \n* All access control / privilege escalation / IDOR issues related to \"Tiktok Subscription\" feature in all Tiktok assets  reported after 7th July, 2024\n* All access control / privilege escalation / IDOR issues related to \"Tiktok One / Tiktok Business Center\" feature  reported after 16 December 2024\n\n\nWe are working on a fix for the above issues and seek your kind patience.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. 
This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":\"Tiktok does not currently pay out on every IDOR finding with unpredictable ID's. Our acceptance and associated bounty will be determined by the Bug Bounty Program team based on the complexity of the ID. 
\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-02-18T08:38:54.250Z"},{"id":3749911,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. 
Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. \n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n* If you encounter user information / internal resources during research, stop there and report the issue immediately via HackerOne. We will evaluate the impact and reward accordingly.\n* Do not attack or enumerate any internal resources for testing SSRF vulnerability. Please only use the program provided SSRF sheriff for testing (Refer to the \"SSRF Testing Rules\" section below for more details).\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n\n#SSRF Testing Rules\n\nPlease see below for the usage of SSRF Sheriff:\n1. Test SSRF only with the following payload\n    * Full-read SSRF (A Flag will be returned to you):  https://ssrf-bait.byted.org/full-read-ssrf\n    * Blind SSRF (Provide your own Flag as payload): https://ssrf-bait.byted.org/blind-ssrf/YOUR_OWN_FLAG\n\n2. 
Check if your SSRF was successful with the SSRF Flag with the following URL\n    * https://sf-ssrf-sherif.byted.app/obj/ssrf-detector-us/YOUR_OWN_FLAG\n    * If the response shows \"True\", the SSRF was successful\n\n`PS: The \"Flag\" used here is a 32 character-long hex string in lowercase, which works as a unique identifier for our sheriff to validate SSRF request`\n\n** Please note that this SSRF Sheriff should only be used for SSRF vulnerability testing and PoC development purposes. Any kind of attack / exploitation on this SSRF Sheriff service is strictly prohibited.**\n\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. \n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nTikTok supports public recognition and disclosure of contributions and findings for in-scope reports closed as resolved. 
We will seek to allow participants to be publicly recognized whenever possible.\n* Public disclosure of a vulnerability (either full or partial) is only permitted after the TikTok Team receives a Disclosure Request within the HackerOne platform and the TikTok Team agrees to disclose the report.\n* Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n* TikTok may redact any sensitive information prior to disclosure.\n\nIf requesting beyond a HackerOne disclosure (e.g. in a blog or at a conference):\n* Request approval before commencing a write up.\n* Share your final blog edits and where the content is to be hosted with TikTok for approval.\n* Do not publicly disclose information until you have explicit written consent to do so from TikTok.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection, unsafe deserialization, exploitable memory corruption  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Program Exclusions\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions or requiring multiple user interactions.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner 
identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* Self-XSS, which includes any payload entered by the victim\n* HTML Injection with no actual harm or that require unlikely user interaction\n\n# Known Issues\nPlease note that these known issues will not be accepted:\n* Cross-Site Request Forgery (CSRF)  findings reported after 5th July, 2023 on all TikTok products.\n* Insecure Direct Object Reference (IDOR)/Privilege Escalation/Improper Access Control  findings reported after 13th March, 2024 on all TikTok Partner Shop API \n* All access control / privilege escalation / IDOR issues related to \"Tiktok Subscription\" feature in all Tiktok assets  reported after 7th July, 2024\n* All access control / privilege escalation / IDOR issues related to \"Ads Creative One / Ads Business Center\" feature  reported after 16 December 2024\n\n\nWe are working on a fix for the above issues and seek your kind patience.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. 
This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":\"Tiktok does not currently pay out on every IDOR finding with unpredictable ID's. Our acceptance and associated bounty will be determined by the Bug Bounty Program team based on the complexity of the ID. 
\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-02-11T05:25:33.943Z"},{"id":3747678,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. 
Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. \n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. \n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nTikTok supports public recognition and disclosure of contributions and findings for in-scope reports closed as resolved. 
We will seek to allow participants to be publicly recognized whenever possible.\n* Public disclosure of a vulnerability (either full or partial) is only permitted after the TikTok Team receives a Disclosure Request within the HackerOne platform and the TikTok Team agrees to disclose the report.\n* Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n* TikTok may redact any sensitive information prior to disclosure.\n\nIf requesting beyond a HackerOne disclosure (e.g. in a blog or at a conference):\n* Request approval before commencing a write up.\n* Share your final blog edits and where the content is to be hosted with TikTok for approval.\n* Do not publicly disclose information until you have explicit written consent to do so from TikTok.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection, unsafe deserialization, exploitable memory corruption  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Program Exclusions\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions or requiring multiple user interactions.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner 
identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* Self-XSS, which includes any payload entered by the victim\n* HTML Injection with no actual harm or that require unlikely user interaction\n\n# Known Issues\nPlease note that these known issues will not be accepted:\n* Cross-Site Request Forgery (CSRF)  findings reported after 5th July, 2023 on all TikTok products.\n* Insecure Direct Object Reference (IDOR)/Privilege Escalation/Improper Access Control  findings reported after 13th March, 2024 on all TikTok Partner Shop API \n* All access control / privilege escalation / IDOR issues related to \"Tiktok Subscription\" feature in all Tiktok assets  reported after 7th July, 2024\n* All access control / privilege escalation / IDOR issues related to \"Ads Creative One / Ads Business Center\" feature  reported after 16 December 2024\n\n\nWe are working on a fix for the above issues and seek your kind patience.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. 
This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":\"Tiktok does not currently pay out on every IDOR finding with unpredictable ID's. Our acceptance and associated bounty will be determined by the Bug Bounty Program team based on the complexity of the ID. 
\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-08T22:51:21.946Z"},{"id":3746705,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. 
Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. \n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. \n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nTikTok supports public recognition and disclosure of contributions and findings for in-scope reports closed as resolved. 
We will seek to allow participants to be publicly recognized whenever possible.\n* Public disclosure of a vulnerability (either full or partial) is only permitted after the TikTok Team receives a Disclosure Request within the HackerOne platform and the TikTok Team agrees to disclose the report.\n* Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n* TikTok may redact any sensitive information prior to disclosure.\n\nIf requesting beyond a HackerOne disclosure (e.g. in a blog or at a conference):\n* Request approval before commencing a write up.\n* Share your final blog edits and where the content is to be hosted with TikTok for approval.\n* Do not publicly disclose information until you have explicit written consent to do so from TikTok.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection, unsafe deserialization, exploitable memory corruption  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Program Exclusions\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions or requiring multiple user interactions.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner 
identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* Self-XSS, which includes any payload entered by the victim\n* HTML Injection with no actual harm or that require unlikely user interaction\n\n# Known Issues\nPlease note that these known issues will not be accepted:\n* Cross-Site Request Forgery (CSRF)  findings reported after 5th July, 2023 on all TikTok products.\n* Insecure Direct Object Reference (IDOR)/Privilege Escalation/Improper Access Control  findings reported after 26th January, 2024 on all TikTok Seller Products.\n* Insecure Direct Object Reference (IDOR)/Privilege Escalation/Improper Access Control  findings reported after 13th March, 2024 on all TikTok Partner Shop API \n* All access control / privilege escalation / IDOR issues related to \"Tiktok Subscription\" feature in all Tiktok assets  reported after 7th July, 2024\n* All access control / privilege escalation / IDOR issues related to \"Ads Creative One / Ads Business Center\" feature  reported after 16 December 2024\n\n\nWe are working on a fix for the above issues and seek your kind patience.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. 
This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":\"Tiktok does not currently pay out on every IDOR finding with unpredictable ID's. Our acceptance and associated bounty will be determined by the Bug Bounty Program team based on the complexity of the ID. 
\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-12-17T03:07:14.440Z"},{"id":3745039,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. 
Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. \n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. \n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nTikTok supports public recognition and disclosure of contributions and findings for in-scope reports closed as resolved. 
We will seek to allow participants to be publicly recognized whenever possible.\n* Public disclosure of a vulnerability (either full or partial) is only permitted after the TikTok Team receives a Disclosure Request within the HackerOne platform and the TikTok Team agrees to disclose the report.\n* Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n* TikTok may redact any sensitive information prior to disclosure.\n\nIf requesting beyond a HackerOne disclosure (e.g. in a blog or at a conference):\n* Request approval before commencing a write up.\n* Share your final blog edits and where the content is to be hosted with TikTok for approval.\n* Do not publicly disclose information until you have explicit written consent to do so from TikTok.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection, unsafe deserialization, exploitable memory corruption  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Program Exclusions\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions or requiring multiple user interactions.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner 
identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* Self-XSS, which includes any payload entered by the victim\n* HTML Injection with no actual harm or that require unlikely user interaction\n\n# Known Issues\nPlease note that these known issues will not be accepted:\n* Cross-Site Request Forgery (CSRF)  findings reported after 5th July, 2023 on all TikTok products.\n* Insecure Direct Object Reference (IDOR)/Privilege Escalation/Improper Access Control  findings reported after 26th January, 2024 on all TikTok Seller Products.\n* Insecure Direct Object Reference (IDOR)/Privilege Escalation/Improper Access Control  findings reported after 13th March, 2024 on all TikTok Partner Shop API \n* All access control / privilege escalation / IDOR issues related to \"Tiktok Subscription\" feature in all Tiktok assets  reported after 7th July, 2024\n\n\nWe are working on a fix for the above issues and seek your kind patience.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. 
This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":\"Tiktok does not currently pay out on every IDOR finding with unpredictable ID's. Our acceptance and associated bounty will be determined by the Bug Bounty Program team based on the complexity of the ID. 
\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-21T20:33:59.598Z"},{"id":3739759,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. 
Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. \n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. \n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nTikTok supports public recognition and disclosure of contributions and findings for in-scope reports closed as resolved. 
We will seek to allow participants to be publicly recognized whenever possible.\n* Public disclosure of a vulnerability (either full or partial) is only permitted after the TikTok Team receives a Disclosure Request within the HackerOne platform and the TikTok Team agrees to disclose the report.\n* Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n* TikTok may redact any sensitive information prior to disclosure.\n\nIf requesting beyond a HackerOne disclosure (e.g. in a blog or at a conference):\n* Request approval before commencing a write up.\n* Share your final blog edits and where the content is to be hosted with TikTok for approval.\n* Do not publicly disclose information until you have explicit written consent to do so from TikTok.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection, unsafe deserialization, exploitable memory corruption  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| HTML injections (w/o XSS), XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Program Exclusions\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions or requiring multiple user interactions.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner 
identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* Self-XSS, which includes any payload entered by the victim\n\n# Known Issues\nPlease note that these known issues will not be accepted:\n* Cross-Site Request Forgery (CSRF)  findings reported after 5th July, 2023 on all TikTok products.\n* Insecure Direct Object Reference (IDOR)/Privilege Escalation/Improper Access Control  findings reported after 26th January, 2024 on all TikTok Seller Products.\n* Insecure Direct Object Reference (IDOR)/Privilege Escalation/Improper Access Control  findings reported after 13th March, 2024 on all TikTok Partner Shop API \n* All access control / privilege escalation / IDOR issues related to \"Tiktok Subscription\" feature in all Tiktok assets  reported after 7th July, 2024\n\n\nWe are working on a fix for the above issues and seek your kind patience.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. 
This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":\"Tiktok does not currently pay out on every IDOR finding with unpredictable ID's. Our acceptance and associated bounty will be determined by the Bug Bounty Program team based on the complexity of the ID. 
\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-19T05:47:52.838Z"},{"id":3731678,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. 
Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. \n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. \n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nTikTok supports public recognition and disclosure of contributions and findings for in-scope reports closed as resolved. 
We will seek to allow participants to be publicly recognized whenever possible.\n* Public disclosure of a vulnerability (either full or partial) is only permitted after the TikTok Team receives a Disclosure Request within the HackerOne platform and the TikTok Team agrees to disclose the report.\n* Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n* TikTok may redact any sensitive information prior to disclosure.\n\nIf requesting beyond a HackerOne disclosure (e.g. in a blog or at a conference):\n* Request approval before commencing a write up.\n* Share your final blog edits and where the content is to be hosted with TikTok for approval.\n* Do not publicly disclose information until you have explicit written consent to do so from TikTok.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection, unsafe deserialization, exploitable memory corruption  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| HTML injections (w/o XSS), XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Program Exclusions\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions or requiring multiple user interactions.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner 
identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* Self-XSS, which includes any payload entered by the victim\n\n# Known Issues\nPlease note that these known issues will not be accepted:\n* Cross-Site Request Forgery (CSRF)  findings reported after 5th July, 2023 on all TikTok products.\n* Insecure Direct Object Reference (IDOR)/Privilege Escalation/Improper Access Control  findings reported after 26th January, 2024 on all TikTok Seller Products.\n* Insecure Direct Object Reference (IDOR)/Privilege Escalation/Improper Access Control  findings reported after 13th March, 2024 on all TikTok Partner Shop API \n* All access control / privilege escalation / IDOR issues related to \"Tiktok Subscription\" feature in all Tiktok assets  reported after 7th July, 2024\n\n\nWe are working on a fix for the above issues and seek your kind patience.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. 
This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-08T04:27:33.518Z"},{"id":3731677,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. 
Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. 
\n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. \n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nTikTok supports public recognition and disclosure of contributions and findings for in-scope reports closed as resolved. 
We will seek to allow participants to be publicly recognized whenever possible.\n* Public disclosure of a vulnerability (either full or partial) is only permitted after the TikTok Team receives a Disclosure Request within the HackerOne platform and the TikTok Team agrees to disclose the report.\n* Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n* TikTok may redact any sensitive information prior to disclosure.\n\nIf requesting beyond a HackerOne disclosure (e.g. in a blog or at a conference):\n* Request approval before commencing a write up.\n* Share your final blog edits and where the content is to be hosted with TikTok for approval.\n* Do not publicly disclose information until you have explicit written consent to do so from TikTok.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection, unsafe deserialization, exploitable memory corruption  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| HTML injections (w/o XSS), XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Program Exclusions\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions or requiring multiple user interactions.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner 
identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* Self-XSS, which includes any payload entered by the victim\n\n# Known Issues\nPlease note that these known issues will not be accepted:\n* Cross-Site Request Forgery (CSRF)  findings reported after 5th July, 2023 on all TikTok products.\n* Insecure Direct Object Reference (IDOR)/Privilege Escalation/Improper Access Control  findings reported after 26th January, 2024 on all TikTok Seller Products.\n* Insecure Direct Object Reference (IDOR)/Privilege Escalation/Improper Access Control  findings reported after 13th March, 2024 on all TikTok Partner Shop API \n* All access control / privilege escalation / IDOR issues related to \"Tiktok Subscription\" feature in all Tiktok assets  reported after 7th July 2024\n\n\nWe are working on a fix for the above issues and seek your kind patience.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. 
This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-08T04:27:23.984Z"},{"id":3714558,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. 
Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. 
\n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. \n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nTikTok supports public recognition and disclosure of contributions and findings for in-scope reports closed as resolved. 
We will seek to allow participants to be publicly recognized whenever possible.\n* Public disclosure of a vulnerability (either full or partial) is only permitted after the TikTok Team receives a Disclosure Request within the HackerOne platform and the TikTok Team agrees to disclose the report.\n* Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n* TikTok may redact any sensitive information prior to disclosure.\n\nIf requesting beyond a HackerOne disclosure (e.g. in a blog or at a conference):\n* Request approval before commencing a write up.\n* Share your final blog edits and where the content is to be hosted with TikTok for approval.\n* Do not publicly disclose information until you have explicit written consent to do so from TikTok.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection, unsafe deserialization, exploitable memory corruption  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| HTML injections (w/o XSS), XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Program Exclusions\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions or requiring multiple user interactions.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner 
identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* Self-XSS, which includes any payload entered by the victim\n\n# Known Issues\nPlease note that these known issues will not be accepted:\n* Cross-Site Request Forgery (CSRF)  findings reported after 5th July, 2023 on all TikTok products.\n* Insecure Direct Object Reference (IDOR)/Privilege Escalation/Improper Access Control  findings reported after 26th January, 2024 on all TikTok Seller Products.\n* Insecure Direct Object Reference (IDOR)/Privilege Escalation/Improper Access Control  findings reported after 13th March, 2024 on all TikTok Partner Shop API \n\n\nWe are working on a fix for the above issues and seek your kind patience.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. 
This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-14T03:40:01.525Z"},{"id":3711615,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. 
Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. 
\n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. \n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nTikTok supports public recognition and disclosure of contributions and findings for in-scope reports closed as resolved. 
We will seek to allow participants to be publicly recognized whenever possible.\n* Public disclosure of a vulnerability (either full or partial) is only permitted after the TikTok Team receives a Disclosure Request within the HackerOne platform and the TikTok Team agrees to disclose the report.\n* Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n* TikTok may redact any sensitive information prior to disclosure.\n\nIf requesting beyond a HackerOne disclosure (e.g. in a blog or at a conference):\n* Request approval before commencing a write up.\n* Share your final blog edits and where the content is to be hosted with TikTok for approval.\n* Do not publicly disclose information until you have explicit written consent to do so from TikTok.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection, unsafe deserialization, exploitable memory corruption  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| HTML injections (w/o XSS), XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Program Exclusions\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions or requiring multiple user interactions.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner 
identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* Self-XSS, which includes any payload entered by the victim\n\n# Known Issues\nPlease note that these known issues will not be accepted:\n* Cross-Site Request Forgery (CSRF)  findings reported after 5th July, 2023 on all TikTok products.\n* Insecure Direct Object Reference (IDOR)/Privilege Escalation/Improper Access Control  findings reported after 26th January, 2024 on all TikTok Seller Products.\n\nWe are working on a fix for the above issues and seek your kind patience.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. 
We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-27T02:42:29.872Z"},{"id":3706828,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. 
We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. 
\n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. \n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nTikTok supports public recognition and disclosure of contributions and findings for in-scope reports closed as resolved. 
We will seek to allow participants to be publicly recognized whenever possible.\n* Public disclosure of a vulnerability (either full or partial) is only permitted after the TikTok Team receives a Disclosure Request within the HackerOne platform and the TikTok Team agrees to disclose the report.\n* Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n* TikTok may redact any sensitive information prior to disclosure.\n\nIf requesting beyond a HackerOne disclosure (e.g. in a blog or at a conference):\n* Request approval before commencing a write up.\n* Share your final blog edits and where the content is to be hosted with TikTok for approval.\n* Do not publicly disclose information until you have explicit written consent to do so from TikTok.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection, unsafe deserialization, exploitable memory corruption  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| HTML injections (w/o XSS), XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Program Exclusions\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions or requiring multiple user interactions.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner 
identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* Self-XSS, which includes any payload entered by the victim\n\n# Known Issues\nPlease note that these known issues will not be accepted:\n* Cross-Site Request Forgery (CSRF)  findings reported after 5th July, 2023 on all TikTok products.\n\nWe are working on a fix for the above issues and seek your kind patience.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. 
We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-08T18:24:39.781Z"},{"id":3690398,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. 
We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. 
\n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. \n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nTikTok supports public recognition and disclosure of contributions and findings for in-scope reports closed as resolved. 
We will seek to allow participants to be publicly recognized whenever possible.\n* Public disclosure of a vulnerability (either full or partial) is only permitted after the TikTok Team receives a Disclosure Request within the HackerOne platform and the TikTok Team agrees to disclose the report.\n* Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n* TikTok may redact any sensitive information prior to disclosure.\n\nIf requesting beyond a HackerOne disclosure (e.g. in a blog or at a conference):\n* Request approval before commencing a write up.\n* Share your final blog edits and where the content is to be hosted with TikTok for approval.\n* Do not publicly disclose information until you have explicit written consent to do so from TikTok.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload, unsafe deserialization, exploitable memory corruption | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| HTML injections (w/o XSS), XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Program Exclusions\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions or requiring multiple user interactions.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner 
identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* Self-XSS, which includes any payload entered by the victim\n\n# Known Issues\nPlease note that these known issues will not be accepted:\n* Cross-Site Request Forgery (CSRF)  findings reported after 5th July, 2023 on all TikTok products.\n\nWe are working on a fix for the above issues and seek your kind patience.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. 
We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-07-05T15:22:02.631Z"},{"id":3689823,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. 
We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. 
\n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. \n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nTikTok supports public recognition and disclosure of contributions and findings for in-scope reports closed as resolved. 
We will seek to allow participants to be publicly recognized whenever possible.\n* Public disclosure of a vulnerability (either full or partial) is only permitted after the TikTok Team receives a Disclosure Request within the HackerOne platform and the TikTok Team agrees to disclose the report.\n* Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n* TikTok may redact any sensitive information prior to disclosure.\n\nIf requesting beyond a HackerOne disclosure (e.g. in a blog or at a conference):\n* Request approval before commencing a write up.\n* Share your final blog edits and where the content is to be hosted with TikTok for approval.\n* Do not publicly disclose information until you have explicit written consent to do so from TikTok.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload, unsafe deserialization, exploitable memory corruption | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| HTML injections (w/o XSS), XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Program Exclusions\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions or requiring multiple user interactions.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner 
identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* Self-XSS, which includes any payload entered by the victim\n\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. 
We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-23T11:42:38.251Z"},{"id":3685214,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. 
We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. 
\n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. \n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nTikTok supports public recognition and disclosure of contributions and findings for in-scope reports closed as resolved. 
We will seek to allow participants to be publicly recognized whenever possible.\n* Public disclosure of a vulnerability (either full or partial) is only permitted after the TikTok Team receives a Disclosure Request within the HackerOne platform and the TikTok Team agrees to disclose the report.\n* Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n* TikTok may redact any sensitive information prior to disclosure.\n\nIf requesting beyond a HackerOne disclosure (e.g. in a blog or at a conference):\n* Request approval before commencing a write up.\n* Share your final blog edits and where the content is to be hosted with TikTok for approval.\n* Do not publicly disclose information until you have explicit written consent to do so from TikTok.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload, unsafe deserialization, exploitable memory corruption | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| HTML injections (w/o XSS), XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Program Exclusions\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages 
or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* CSRF issues on seller-id.tiktok.com domain will be temporarily out of scope (Starting Nov 23, 2021) as the team is working on the fix.\n* Self-XSS, which includes any payload entered by the victim\n\n\n# Known Issues\nPlease note that these known issues will not be eligible for bounties:\n* Cross-Site Request Forgery (CSRF) issues on TikTok Web App/TikTok Mobile App.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. 
We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-22T14:45:22.565Z"},{"id":3676654,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. 
We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. 
\n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. \n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nTikTok supports public recognition and disclosure of contributions and findings for in-scope reports closed as resolved. 
We will seek to allow participants to be publicly recognized whenever possible.\n* Public disclosure of a vulnerability (either full or partial) is only permitted after the TikTok Team receives a Disclosure Request within the HackerOne platform and the TikTok Team agrees to disclose the report.\n* Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n* TikTok may redact any sensitive information prior to disclosure.\n\nIf requesting beyond a HackerOne disclosure (e.g. in a blog or at a conference):\n* Request approval before commencing a write up.\n* Share your final blog edits and where the content is to be hosted with TikTok for approval.\n* Do not publicly disclose information until you have explicit written consent to do so from TikTok.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload, unsafe deserialization, exploitable memory corruption | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| HTML injections (w/o XSS), XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Not Eligible for Reward\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error 
messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* CSRF issues on seller-id.tiktok.com domain will be temporarily out of scope (Starting Nov 23, 2021) as the team is working on the fix.\n* Self-XSS, which includes any payload entered by the victim\n\n\n# Known Issues\nPlease note that these known issues will not be eligible for bounties:\n* Cross-Site Request Forgery (CSRF) issues on TikTok Web App/TikTok Mobile App.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. 
We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-08-26T15:24:53.377Z"},{"id":3674747,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. 
We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. 
\n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. \n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nWe support public recognition and disclosure of contributions and findings for those participants who desire. We will seek to allow participants to be publicly recognized whenever possible. Public disclosure of a vulnerability (either full or partial) is allowed after being coordinated with TikTok and disclosed on HackerOne. If 180 days have elapsed with the TikTok Team not providing a vulnerability disclosure timeline, the contents of the report may be publicly disclosed by the reporter. 
Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\nIf requesting beyond limited HackerOne disclosure (e.g. in a blog or at a conference), please share your blog post or presentation with us prior to the publication.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload, unsafe deserialization, exploitable memory corruption | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| HTML injections (w/o XSS), XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Not Eligible for Reward\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. 
discovered and reported by other researchers or by an internal team)\n* CSRF issues on seller-id.tiktok.com domain will be temporarily out of scope (Starting Nov 23, 2021) as the team is working on the fix.\n* Self-XSS, which includes any payload entered by the victim\n\n\n# Known Issues\nPlease note that these known issues will not be eligible for bounties:\n* Cross-Site Request Forgery (CSRF) issues on TikTok Web App/TikTok Mobile App.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. 
We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-07-20T15:06:03.675Z"},{"id":3671974,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. \n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. 
\n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nWe support public recognition and disclosure of contributions and findings for those participants who desire. We will seek to allow participants to be publicly recognized whenever possible. Public disclosure of a vulnerability (either full or partial) is allowed after being coordinated with TikTok and disclosed on HackerOne. If 180 days have elapsed with the TikTok Team not providing a vulnerability disclosure timeline, the contents of the report may be publicly disclosed by the reporter. Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\nIf you wish to disclose your findings outside of the HackerOne platform (e.g. 
in a blog or at a conference), we encourage you to share your blog post or presentation with us prior to the publication.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload, unsafe deserialization, exploitable memory corruption | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| HTML injections (w/o XSS), XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Not Eligible for Reward\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. 
discovered and reported by other researchers or by an internal team)\n* CSRF issues on seller-id.tiktok.com domain will be temporarily out of scope (Starting Nov 23, 2021) as the team is working on the fix.\n* Self-XSS, which includes any payload entered by the victim\n\n\n# Known Issues\nPlease note that these known issues will not be eligible for bounties:\n* Cross-Site Request Forgery (CSRF) issues on TikTok Web App/TikTok Mobile App.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. 
We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-05-25T09:38:31.393Z"},{"id":3671113,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. \n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. 
\n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nWe support public recognition and disclosure of contributions and findings for those participants who desire. We will seek to allow participants to be publicly recognized whenever possible. Public disclosure of a vulnerability (either full or partial) is allowed after being coordinated with TikTok and disclosed on HackerOne. If 180 days have elapsed with the TikTok Team not providing a vulnerability disclosure timeline, the contents of the report may be publicly disclosed by the reporter. Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\nIf you wish to disclose your findings outside of the HackerOne platform (e.g. 
in a blog or at a conference), we encourage you to share your blog post or presentation with us prior to the publication.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload, unsafe deserialization, exploitable memory corruption | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| HTML injections (w/o XSS), XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Not Eligible for Reward\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. 
discovered and reported by other researchers or by an internal team)\n* CSRF issues on seller-id.tiktok.com domain will be temporarily out of scope (Starting Nov 23, 2021) as the team is working on the fix\n\n# Known Issues\nPlease note that these known issues will not be eligible for bounties:\n* Cross-Site Request Forgery (CSRF) issues on TikTok Web App/TikTok Mobile App.\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. 
We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-05-11T08:52:23.092Z"},{"id":3666624,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. \n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. 
\n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nWe support public recognition and disclosure of contributions and findings for those participants who desire. We will seek to allow participants to be publicly recognized whenever possible. Public disclosure of a vulnerability (either full or partial) is allowed after being coordinated with TikTok and disclosed on HackerOne. If 180 days have elapsed with the TikTok Team not providing a vulnerability disclosure timeline, the contents of the report may be publicly disclosed by the reporter. Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\nIf you wish to disclose your findings outside of the HackerOne platform (e.g. 
in a blog or at a conference), we encourage you to share your blog post or presentation with us prior to the publication.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload, unsafe deserialization, exploitable memory corruption | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| HTML injections (w/o XSS), XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Not Eligible for Reward\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. 
discovered and reported by other researchers or by an internal team)\n* CSRF issues on seller-id.tiktok.com domain will be temporarily out of scope (Starting Nov 23, 2021) as the team is working on the fix\n\n# Known Issues\nPlease note that these known issues will not be eligible for bounties:\n* Cross-Site Request Forgery (CSRF) issues on *.tiktokv.com domain (Starting Feb 15, 2022)\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. 
We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-16T10:11:15.310Z"},{"id":3663293,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. \n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Testing Notes\n* Where possible, register accounts using your \u003cusername\u003e+x@wearehackerone.com addresses. \n* Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n* For valid Proof of Concept please include your HackerOne username in the file name and file content as a comment in the markup. 
\n\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nWe support public recognition and disclosure of contributions and findings for those participants who desire. We will seek to allow participants to be publicly recognized whenever possible. Public disclosure of a vulnerability (either full or partial) is allowed after being coordinated with TikTok and disclosed on HackerOne. If 180 days have elapsed with the TikTok Team not providing a vulnerability disclosure timeline, the contents of the report may be publicly disclosed by the reporter. Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\nIf you wish to disclose your findings outside of the HackerOne platform (e.g. 
in a blog or at a conference), we encourage you to share your blog post or presentation with us prior to the publication.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload, unsafe deserialization, exploitable memory corruption | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| HTML injections (w/o XSS), XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Not Eligible for Reward\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. 
discovered and reported by other researchers or by an internal team)\n* CSRF issues on seller-id.tiktok.com domain will be temporarily out of scope (Starting Nov 23, 2021) as the team is working on the fix\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. 
We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-21T22:13:16.779Z"},{"id":3663191,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. \n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nWe support public recognition and disclosure of contributions and findings for those participants who desire. We will seek to allow participants to be publicly recognized whenever possible. 
Public disclosure of a vulnerability (either full or partial) is allowed after being coordinated with TikTok and disclosed on HackerOne. If 180 days have elapsed with the TikTok Team not providing a vulnerability disclosure timeline, the contents of the report may be publicly disclosed by the reporter. Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\nIf you wish to disclose your findings outside of the HackerOne platform (e.g. in a blog or at a conference), we encourage you to share your blog post or presentation with us prior to the publication.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload, unsafe deserialization, exploitable memory corruption | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| HTML injections (w/o XSS), XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. 
We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Not Eligible for Reward\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* CSRF issues on seller-id.tiktok.com domain will be temporarily out of scope (Starting Nov 23, 2021) as the team is working on the fix\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. 
We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-20T12:24:20.216Z"},{"id":3662181,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. 
We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. 
\n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nWe support public recognition and disclosure of contributions and findings for those participants who desire. We will seek to allow participants to be publicly recognized whenever possible. Public disclosure of a vulnerability (either full or partial) is allowed after being coordinated with TikTok and disclosed on HackerOne. If 180 days have elapsed with the TikTok Team not providing a vulnerability disclosure timeline, the contents of the report may be publicly disclosed by the reporter. Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\nIf you wish to disclose your findings outside of the HackerOne platform (e.g. 
in a blog or at a conference), we encourage you to share your blog post or presentation with us prior to the publication.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload, unsafe deserialization, exploitable memory corruption | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| HTML injections (w/o XSS), XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Not Eligible for Reward\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. 
discovered and reported by other researchers or by an internal team)\n* CSRF issues on *.tiktokv.com domain will be temporarily out of scope (Starting Aug 19, 2021)\n* CSRF issues on seller-id.tiktok.com domain will be temporarily out of scope (Starting Nov 23, 2021) as the team is working on the fix\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. 
We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-24T22:29:14.205Z"},{"id":3660331,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. \n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nWe support public recognition and disclosure of contributions and findings for those participants who desire. We will seek to allow participants to be publicly recognized whenever possible. 
Public disclosure of a vulnerability (either full or partial) is allowed after being coordinated with TikTok and disclosed on HackerOne. If 180 days have elapsed with the TikTok Team not providing a vulnerability disclosure timeline, the contents of the report may be publicly disclosed by the reporter. Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\nIf you wish to disclose your findings outside of the HackerOne platform (e.g. in a blog or at a conference), we encourage you to share your blog post or presentation with us prior to the publication.\n\n# Rewards \n| Vulnerability   | Severity \n|---------------------------\t|-----------------------  |\n| Remote Code Execution, Command injection, shell upload, unsafe deserialization, exploitable memory corruption | Critical |\n| SQL Injection, XML External Entity Injection (XXE), Command injection  | High - Critical |\n| Leaked Credential, Cryptographic flaw | Medium - High |\n| Cross-Site Scripting (XSS) | Medium - High |\n| Server-Side Request Forgery | Medium - High |\n| Directory Traversal | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| File Inclusion | Medium - Critical |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration/ Open Redirect | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - High |\n| Information Disclosure | Low - Medium |\n| Subdomain takeover | Medium - High |\n| HTML injections (w/o XSS), XSS on harmless subdomains, attacks requiring unlikely user interaction | Low - Medium |\n\nHigh-quality reports may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. 
We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Not Eligible for Reward\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* CSRF issues on *.tiktokv.com domain will be temporarily out of scope (Starting Aug 19, 2021)\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. 
We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-21T01:33:19.057Z"},{"id":3657141,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. \n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nWe support public recognition and disclosure of contributions and findings for those participants who desire. We will seek to allow participants to be publicly recognized whenever possible. 
Public disclosure of a vulnerability (either full or partial) is allowed after being coordinated with TikTok and disclosed on HackerOne. If 180 days have elapsed with the TikTok Team not providing a vulnerability disclosure timeline, the contents of the report may be publicly disclosed by the reporter. Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\nIf you wish to disclose your findings outside of the HackerOne platform (e.g. in a blog or at a conference), we encourage you to share your blog post or presentation with us prior to the publication.\n\n# Rewards \n##**Vulnerabilities allowing attacks against server**\n| Category    | Examples           | Baseline Amount \n|---------------------------\t|----------   |----------  |----------\n| Remote Code Execution | Command injection, shell upload, unsafe deserialization, exploitable memory corruption, privilege escalation     | $15,000    \n| Data Access / Injections  | SQL-injection, XXE attack, local/remote file inclusion, auth bypass    | $10,000   \n| Security Control Bypass, Logical Flow, Other | IDOR, memory leak, storage access, SSRF       | $250-$7,500  \n\n##**Vulnerabilities allowing attacks against client**\n| Category    | Examples           | Baseline Amount \n|---------------------------\t|----------   |----------  |----------\n| Arbitrary Remote Code Execution | Command injection, library overwrite, exploitable memory corruption, privilege escalation   | $15,000    \n| Script Code Execution | XSS on the Web, script injection for the mobile apps   | $1,337-$7,500\n| Sensitive Information Disclosure or Other | CSRF, HTML injections (w/o XSS), client information disclosure, attacks requiring unlikely user interaction  | $250-$5,000\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Not Eligible for Reward\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error 
messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n* CSRF issues on *.tiktokv.com domain will be temporarily out of scope (Starting Aug 19, 2021)\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. 
We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-19T20:57:22.020Z"},{"id":3657140,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. 
We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. 
\n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nWe support public recognition and disclosure of contributions and findings for those participants who desire. We will seek to allow participants to be publicly recognized whenever possible. Public disclosure of a vulnerability (either full or partial) is allowed after being coordinated with TikTok and disclosed on HackerOne. If 180 days have elapsed with the TikTok Team not providing a vulnerability disclosure timeline, the contents of the report may be publicly disclosed by the reporter. Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\nIf you wish to disclose your findings outside of the HackerOne platform (e.g. 
in a blog or at a conference), we encourage you to share your blog post or presentation with us prior to the publication.\n\n# Rewards \n##**Vulnerabilities allowing attacks against server**\n| Category    | Examples           | Baseline Amount \n|---------------------------\t|----------   |----------  |----------\n| Remote Code Execution | Command injection, shell upload, unsafe deserialization, exploitable memory corruption, privilege escalation     | $15,000    \n| Data Access / Injections  | SQL-injection, XXE attack, local/remote file inclusion, auth bypass    | $10,000   \n| Security Control Bypass, Logical Flow, Other | IDOR, memory leak, storage access, SSRF       | $250-$7,500  \n\n##**Vulnerabilities allowing attacks against client**\n| Category    | Examples           | Baseline Amount \n|---------------------------\t|----------   |----------  |----------\n| Arbitrary Remote Code Execution | Command injection, library overwrite, exploitable memory corruption, privilege escalation   | $15,000    \n| Script Code Execution | XSS on the Web, script injection for the mobile apps   | $1,337-$7,500\n| Sensitive Information Disclosure or Other | CSRF, HTML injections (w/o XSS), client information disclosure, attacks requiring unlikely user interaction  | $250-$5,000\n\nHigh-quality reports may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Not Eligible for Reward\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. 
discovered and reported by other researchers or by an internal team)\n* Starting Aug 19, 2021 CSRF issues on *.tiktokv.com domain will be temporarily out of scope\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. 
We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-19T20:55:49.354Z"},{"id":3656782,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. \n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nWe support public recognition and disclosure of contributions and findings for those participants who desire. We will seek to allow participants to be publicly recognized whenever possible. 
Public disclosure of a vulnerability (either full or partial) is allowed after being coordinated with TikTok and disclosed on HackerOne. If 180 days have elapsed with the TikTok Team not providing a vulnerability disclosure timeline, the contents of the report may be publicly disclosed by the reporter. Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\nIf you wish to disclose your findings outside of the HackerOne platform (e.g. in a blog or at a conference), we encourage you to share your blog post or presentation with us prior to the publication.\n\n# Rewards \n##**Vulnerabilities allowing attacks against server**\n| Category    | Examples           | Baseline Amount \n|---------------------------\t|----------   |----------  |----------\n| Remote Code Execution | Command injection, shell upload, unsafe deserialization, exploitable memory corruption, privilege escalation     | $15,000    \n| Data Access / Injections  | SQL-injection, XXE attack, local/remote file inclusion, auth bypass    | $10,000   \n| Security Control Bypass, Logical Flow, Other | IDOR, memory leak, storage access, SSRF       | $250-$7,500  \n\n##**Vulnerabilities allowing attacks against client**\n| Category    | Examples           | Baseline Amount \n|---------------------------\t|----------   |----------  |----------\n| Arbitrary Remote Code Execution | Command injection, library overwrite, exploitable memory corruption, privilege escalation   | $15,000    \n| Script Code Execution | XSS on the Web, script injection for the mobile apps   | $1,337-$7,500\n| Sensitive Information Disclosure or Other | CSRF, HTML injections (w/o XSS), client information disclosure, attacks requiring unlikely user interaction  | $250-$5,000\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Not Eligible for Reward\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error 
messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. 
We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-12T22:13:02.532Z"},{"id":3656349,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. \n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nWe support public recognition and disclosure of contributions and findings for those participants who desire. We will seek to allow participants to be publicly recognized whenever possible. 
Public disclosure of a vulnerability (either full or partial) is allowed after being coordinated with TikTok and disclosed on HackerOne. If 180 days have elapsed with the TikTok Team not providing a vulnerability disclosure timeline, the contents of the report may be publicly disclosed by the reporter. Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\nIf you wish to disclose your findings outside of the HackerOne platform (e.g. in a blog or at a conference), we encourage you to share your blog post or presentation with us prior to the publication.\n\n# Rewards \n##**Vulnerabilities allowing attacks against server**\n| Category    | Examples           | Baseline Amount \n|---------------------------\t|----------   |----------  |----------\n| Remote Code Execution | Command injection, shell upload, unsafe deserialization, exploitable memory corruption, privilege escalation     | $15,000    \n| Data Access / Injections  | SQL-injection, XXE attack, local/remote file inclusion, auth bypass    | $10,000   \n| Security Control Bypass, Logical Flow, Other | IDOR, memory leak, storage access, SSRF       | $250-$7,500  \n\n##**Vulnerabilities allowing attacks against client**\n| Category    | Examples           | Baseline Amount \n|---------------------------\t|----------   |----------  |----------\n| Arbitrary Remote Code Execution | Command injection, library overwrite, exploitable memory corruption, privilege escalation   | $15,000    \n| Script Code Execution (allowing access to the user account) | XSS on the Web, script injection for the mobile apps   | $7,500 \n| Sensitive Information Disclosure or Other | CSRF, HTML injections (w/o XSS), client information disclosure, attacks requiring unlikely user interaction  | $250-$5,000\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Not Eligible for Reward\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error 
messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. 
We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-06T20:41:49.866Z"},{"id":3656204,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. \n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nWe support public recognition and disclosure of contributions and findings for those participants who desire. We will seek to allow participants to be publicly recognized whenever possible. 
Public disclosure of a vulnerability (either full or partial) is allowed after being coordinated with TikTok and disclosed on HackerOne. If 180 days have elapsed with the TikTok Team not providing a vulnerability disclosure timeline, the contents of the report may be publicly disclosed by the reporter. Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\nIf you wish to disclose your findings outside of the HackerOne platform (e.g. in a blog or at a conference), we encourage you to share your blog post or presentation with us prior to the publication.\n\n# Rewards \n##**Vulnerabilities allowing attacks against server**\n| Category    | Examples           | Baseline Amount \n|---------------------------\t|----------   |----------  |----------\n| Remote Code Execution | Command injection, shell upload, unsafe deserialization, exploitable memory corruption, privilege escalation     | $15,000    \n| Data Access / Injections  | SQL-injection, XXE attack, local/remote file inclusion, auth bypass    | $10,000   \n| Security Control Bypass, Logical Flow, Other | IDOR, memory leak, storage access, SSRF       | $250-$5,000  \n\n##**Vulnerabilities allowing attacks against client**\n| Category    | Examples           | Baseline Amount \n|---------------------------\t|----------   |----------  |----------\n| Arbitrary Remote Code Execution | Command injection, library overwrite, exploitable memory corruption, privilege escalation   | $15,000    \n| Script Code Execution (allowing access to the user account) | XSS on the Web, script injection for the mobile apps   | $7,500 \n| Sensitive Information Disclosure or Other | CSRF, HTML injections (w/o XSS), client information disclosure, attacks requiring unlikely user interaction  | $250-$5,000\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Not Eligible for Reward\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error 
messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. 
We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-04T22:35:03.161Z"},{"id":3656006,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy to our vibrant community. We recognize and value external feedback from the global security research community on potential vulnerabilities which helps strengthen our overall platform security posture. Before submitting a vulnerability report, please review our program policy and terms. We appreciate your contribution and thank you for helping make TikTok a safer place for our community!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. \n* Create test accounts or test content to avoid affecting real users. \n* Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.\n- `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n- `If you encounter TikTok user information during research, stop there and report the issue immediately via HackerOne.`\n* Always read and adhere to [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n* If you have any questions about a particular report, please reach out via the corresponding HackerOne ticket for tracking purposes.\n\n#Asset Priorities\nVulnerabilities will be evaluated based on impact to TikTok systems and certain assets may be of higher impact.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nWe support public recognition and disclosure of contributions and findings for those participants who desire. We will seek to allow participants to be publicly recognized whenever possible. 
Public disclosure of a vulnerability (either full or partial) is allowed after being coordinated with TikTok and disclosed on HackerOne. If 180 days have elapsed with the TikTok Team not providing a vulnerability disclosure timeline, the contents of the report may be publicly disclosed by the reporter. Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\nIf you wish to disclose your findings outside of the HackerOne platform (e.g. in a blog or at a conference), we encourage you to share your blog post or presentation with us prior to the publication.\n\n# Rewards \n##**Vulnerabilities allowing attacks against server**\n| Category    | Examples           | Baseline Amount \n|----------|----------|----------\n| Remote Code Execution | Command injection, shell upload, unsafe deserialization, exploitable memory corruption, privilege escalation     | $15,000    \n| Data Access / Injections  | SQL-injection, XXE attack, local/remote file inclusion, auth bypass    | $10,000   \n| Security Control Bypass, Logical Flow, Other | IDOR, memory leak, storage access, SSRF       | $250-$5,000  \n\n##**Vulnerabilities allowing attacks against client**\n| Category    | Examples           | Baseline Amount \n|----------|----------|----------\n| Arbitrary Remote Code Execution | Command injection, library overwrite, exploitable memory corruption, privilege escalation   | $15,000    \n| Script Code Execution (allowing access to the user account) | XSS on the Web, script injection for the mobile apps   | $7,500 \n| Sensitive Information Disclosure or Other | CSRF, HTML injections (w/o XSS), client information, exploitable server misconfiguration, attacks requiring unlikely user interaction  | $250-$5,000\n\nHigh-quality reports may be awarded an extra bonus. 
A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner. \n\nThe criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.\n\n#Not Eligible for Reward\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Subresource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error 
messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official disclosure less than 1 month before are on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nBe proactive in contacting us before engaging in any action that may violate or is unaddressed by this policy or good faith. 
We reserve the sole right to determine whether a violation of this policy is accidental or in good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-02T23:09:04.002Z"},{"id":3651828,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy. The security and health of our platform closely ties to this mission. Our dedicated security team is ready to respond and resolve issues on our platform.\nWe rely on and value external input that flags technical security issues on our platform. This policy outlines how we work with outside parties to submit these issues. Thank you for helping make TikTok a safer place for all!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. 
We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Response Targets\nTikTok strives to meet the following response targets for participants in the program (in US business days):\n\n* Time to first response (from successful report submission): 1 business day\n* Time to triage (from successful report submission): 1 business day\n* Time to bounty (from triage): 10 business days\n\nDepending on the complexity of the report and our current report flow, we may take longer to respond. We’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made case by case.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. 
Create test accounts or test content to avoid affecting real users; do not test vulnerabilities on user accounts that you do not own or have rights to access or control.\n* Do not exploit vulnerabilities beyond a good faith effort to test the issue.\n - `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n - `If you encounter TikTok user information during research, stop there and report immediately to our Bug Bounty team`\n* Do not do anything that breaches our [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n\n#Asset Priorities\nCertain TikTok assets may be of higher impact and vulnerabilities will be evaluated based on impact to TikTok systems.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nWe want participants to be recognized publicly for their contributions, if that is the participant’s desire. We will seek to allow participants to be publicly recognized whenever possible. However, public disclosure of vulnerabilities will only be authorized at the express written consent of TikTok. If 180 days have elapsed with the TikTok Team not providing a vulnerability disclosure timeline, the contents of the Report may be publicly disclosed by the reporter. Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n\n\n# Rewards \nOur rewards are generally based on the following formula: `12.93 * e ^ (0.695 * CVSS_Score)`\n\nCVSS score will be based upon impact to TikTok applications and CVSS Calculator 3.0. 
Below are some examples of qualifying vulnerabilities.\n\n|     Severity    | CVSS Range         | Example         |  \n|----------                |------------                |--------                |\n| Critical | 9.0 - 10.0  | RCE in the TikTok app context as well as on the internal server. Scalable (no user-interaction) sensitive information disclosure.   |               \n| High | 7.0 - 8.9  | CSRF, SSRF, XSS, access control flaw, leaked credential, cryptographic flaw, etc. with significant consequences (e.g. account takeover). The exploit may require user interaction (e.g., malicious link affects any user that clicks it).   | \n| Medium | 4.0 - 6.9  | CSRF, SSRF, XSS, access control flaw, leaked credential, cryptographic flaw, etc. with non-trivial consequences (e.g. deleting a comment). The exploit may require non-trivial user interaction (e.g., user needs to be on the same network as attacker).   | \n| Low |  0.1 - 3.9  | Lower severity bugs are usually bugs that would require unlikely circumstances to be able to be exploited, or where a successful exploit would give minimal consequences.   |\n\nThe criteria used to determine reward payout and eligibility are solely in our discretion.\n\n#Not Eligible for Reward\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n**Out of scope vulnerabilities**\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Sub-Resource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. 
discovered by an internal team)\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nContact us before engaging in conduct that may be inconsistent with, or unaddressed by, this policy. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith. 
Be proactive in contacting us before engaging in any action that may violate this policy or good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-05-03T18:07:17.272Z"},{"id":3645047,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy. The security and health of our platform closely ties to this mission. Our dedicated security team is ready to respond and resolve issues on our platform.\nWe rely on and value external input that flags technical security issues on our platform. This policy outlines how we work with outside parties to submit these issues. Thank you for helping make TikTok a safer place for all!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. 
We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Response Targets\nTikTok strives to meet the following response targets for participants in the program (in US business days):\n\n* Time to first response (from successful report submission): 1 business day\n* Time to triage (from successful report submission): 1 business day\n* Time to bounty (from triage): 10 business days\n\nDepending on the complexity of the report and our current report flow, we may take longer to respond. We’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made case by case.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. 
Create test accounts or test content to avoid affecting real users; do not test vulnerabilities on user accounts that you do not own or have rights to access or control.\n* Do not exploit vulnerabilities beyond a good faith effort to test the issue.\n - `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n - `If you encounter TikTok user information during research, stop there and report immediately to our Bug Bounty team`\n* Do not do anything that breaches our [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n\n#Asset Priorities\nCertain TikTok assets may be of higher impact and vulnerabilities will be evaluated based on impact to TikTok systems.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nWe want participants to be recognized publicly for their contributions, if that is the participant’s desire. We will seek to allow participants to be publicly recognized whenever possible. However, public disclosure of vulnerabilities will only be authorized at the express written consent of TikTok. If 180 days have elapsed with the TikTok Team not providing a vulnerability disclosure timeline, the contents of the Report may be publicly disclosed by the reporter. Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n\n\n# Rewards \nOur rewards are generally based on the following formula: `12.93 * e ^ (0.695 * CVSS_Score)`\n\nCVSS score will be based upon impact to TikTok applications and CVSS Calculator 3.0. 
Below are some examples of qualifying vulnerabilities.\n\n|     Severity    | CVSS Range         | Example         |  \n|----------                |------------                |--------                |\n| Critical | 9.0 - 10.0  | RCE in the TikTok app context as well as on the internal server. Scalable (no user-interaction) sensitive information disclosure.   |               \n| High | 7.0 - 8.9  | CSRF, SSRF, XSS, access control flaw, leaked credential, cryptographic flaw, etc. with significant consequences (e.g. account takeover). The exploit may require user interaction (e.g., malicious link affects any user that clicks it).   | \n| Medium | 4.0 - 6.9  | CSRF, SSRF, XSS, access control flaw, leaked credential, cryptographic flaw, etc. with non-trivial consequences (e.g. deleting a comment). The exploit may require non-trivial user interaction (e.g., user needs to be on the same network as attacker).   | \n| Low |  0.1 - 3.9  | Lower severity bugs are usually bugs that would require unlikely circumstances to be able to be exploited, or where a successful exploit would give minimal consequences.   |\n\nThe criteria used to determine reward payout and eligibility are solely in our discretion.\n\n#Not Eligible for Reward\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n**Out of scope vulnerabilities**\n* **IDORs related to Ad Account Analyst permissions are temporarily out of scope**\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Sub-Resource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. 
discovered by an internal team)\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nContact us before engaging in conduct that may be inconsistent with, or unaddressed by, this policy. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith. 
Be proactive in contacting us before engaging in any action that may violate this policy or good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-13T20:17:37.728Z"},{"id":3643668,"new_policy":"#TikTok Bug Bounty Program Policy\nTikTok's mission is to inspire creativity and bring joy. The security and health of our platform closely ties to this mission. Our dedicated security team is ready to respond and resolve issues on our platform.\nWe rely on and value external input that flags technical security issues on our platform. This policy outlines how we work with outside parties to submit these issues. Thank you for helping make TikTok a safer place for all!\n\n#General Program Terms\nBy participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third party rights are involved in your report and you have all rights to submit such a report. 
We may modify the terms of this policy or terminate the policy at any time.\n\nIf you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.\n\n# Response Targets\nTikTok strives to meet the following response targets for participants in the program (in US business days):\n\n* Time to first response (from successful report submission): 1 business day\n* Time to triage (from successful report submission): 1 business day\n* Time to bounty (from triage): 10 business days\n\nDepending on the complexity of the report and our current report flow, we may take longer to respond. We’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules and Guidelines\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made case by case.\n* Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.\n* Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.\n* Do not commit privacy violations, destruction of data, or interruption or degradation of our service. 
Create test accounts or test content to avoid affecting real users; do not test vulnerabilities on user accounts that you do not own or have rights to access or control.\n* Do not exploit vulnerabilities beyond a good faith effort to test the issue.\n - `Example: Do not generate millions of fraudulent \"likes\" for your own videos`\n - `If you encounter TikTok user information during research, stop there and report immediately to our Bug Bounty team`\n* Do not do anything that breaches our [community guidelines](https://www.tiktok.com/community-guidelines), terms of service, or privacy policies.\n\n#Asset Priorities\nCertain TikTok assets may be of higher impact and vulnerabilities will be evaluated based on impact to TikTok systems.\n\nWe currently consider the following assets to be of greater interest:\n\n* Android app: Com.zhiliaoapp.musically\n* Android app: Com.ss.android.ugc.trill\n* iOS app: 835599320\n* iOS app: 1235601864\n* Tiktok.com\n* *.tiktokv.com\n\n# Disclosure and Confidentiality Policy\nWe want participants to be recognized publicly for their contributions, if that is the participant’s desire. We will seek to allow participants to be publicly recognized whenever possible. However, public disclosure of vulnerabilities will only be authorized at the express written consent of TikTok. If 180 days have elapsed with the TikTok Team not providing a vulnerability disclosure timeline, the contents of the Report may be publicly disclosed by the reporter. Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.\n\n\n# Rewards \nOur rewards are generally based on the following formula: `12.93 * e ^ (0.695 * CVSS_Score)`\n\nCVSS score will be based upon impact to TikTok applications and CVSS Calculator 3.0. 
Below are some examples of qualifying vulnerabilities.\n\n|     Severity    | CVSS Range         | Example         |  \n|----------                |------------                |--------                |\n| Critical | 9.0 - 10.0  | RCE in the TikTok app context as well as on the internal server. Scalable (no user-interaction) sensitive information disclosure.   |               \n| High | 7.0 - 8.9  | CSRF, SSRF, XSS, access control flaw, leaked credential, cryptographic flaw, etc. with significant consequences (e.g. account takeover). The exploit may require user interaction (e.g., malicious link affects any user that clicks it).   | \n| Medium | 4.0 - 6.9  | CSRF, SSRF, XSS, access control flaw, leaked credential, cryptographic flaw, etc. with non-trivial consequences (e.g. deleting a comment). The exploit may require non-trivial user interaction (e.g., user needs to be on the same network as attacker).   | \n| Low |  0.1 - 3.9  | Lower severity bugs are usually bugs that would require unlikely circumstances to be able to be exploited, or where a successful exploit would give minimal consequences.   |\n\nThe criteria used to determine reward payout and eligibility are solely in our discretion.\n\n#Not Eligible for Reward\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n**Out of scope vulnerabilities**\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS) or a violation of the privacy of any user, employee or contractor of TikTok or any of its affiliates or business partners\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or brute-force issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing Referrer Policy\n* Missing Sub-Resource Integrity directives\n* Missing anti-clickjacking mechanisms\n* Missing HttpOnly, Secure, SameSite cookie attributes\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers (browsers supported for this program are those less than 2 stable versions behind the latest released stable version)\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Vulnerabilities that are already known (e.g. discovered by an internal team)\n\n# Good Faith Guidelines\nTo encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be an accidental or good-faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.\n\nTo the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.\n\nIf your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or notify law enforcement. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.\n\nYou must, as always, comply with all laws applicable to you, and not disrupt or compromise any data beyond what our bug bounty program permits.\n\nContact us before engaging in conduct that may be inconsistent with, or unaddressed by, this policy. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith. Be proactive in contacting us before engaging in any action that may violate this policy or good faith.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-12T16:05:27.243Z"}]
