The Bug Bounty Program

Responsibly discovering & disclosing security flaws.

Written by Bubbles
Updated over 3 weeks ago

Responsible Disclosure

TryHackMe values the responsible discovery and disclosure of security vulnerabilities. We review all reports on a case-by-case basis and encourage researchers to follow the guidelines outlined below to ensure their submission qualifies.

Scope

Bug reports should focus on vulnerabilities within:

  • *.tryhackme.com

Out-of-Scope Vulnerabilities

The following vulnerabilities are not eligible for rewards:

  • Social engineering attacks

  • Attacks against TryHackMe’s infrastructure

  • Content spoofing and text injection (unless it allows modification of HTML/CSS)

  • Clickjacking or Cross-Site Request Forgery (CSRF)

  • Missing security headers or cookie flags (e.g., HttpOnly, CSP)

  • Open redirects (unless they present a significant security risk)

  • Denial of Service (DoS) or any activity disrupting TryHackMe’s services

  • Rate limiting or brute force issues on non-authentication endpoints

  • Bugs that do not impact TryHackMe’s functionality for users or public-facing services

Bug Reporting Rules

These guidelines serve as best practices for responsible disclosure. Following them does not guarantee acceptance of a report, and policies may change over time.

  • Adhere to TryHackMe’s Terms and Conditions at all times

  • Do not use mass or automated scanning tools. Such tools will be blocked by Cloudflare and may lead to disqualification

  • Do not disrupt or attack other users. If required, create a separate test profile for proof of concept, but do not interfere with other users’ experiences or instances they have deployed

  • Do not exploit discovered vulnerabilities. For example, using a bug to unfairly gain leaderboard points is strictly prohibited

  • Do not publicly discuss or disclose the vulnerability outside of TryHackMe’s official reporting process

How to Report a Bug

If you believe you have discovered a security vulnerability, please submit a report by emailing [email protected] with the following details:

  1. Type of vulnerability

  2. Detailed steps to reproduce the issue (include a video or screenshots where possible)

  3. Scope of the affected system(s)

  4. Your TryHackMe username

Every report is reviewed individually, and eligibility is determined based on severity and impact. Once a report is marked as valid, it is moved to an internal review process. The time required for a response may vary, and it can take a while before you receive an update, as the team carefully evaluates each case.

Potential Rewards

TryHackMe appreciates responsible disclosures and may offer rewards for valid reports. These are determined on a case-by-case basis and may include:

  • Monetary rewards

  • Bug Hunter Title (awarded after three valid reports)

  • Vouchers

We appreciate your efforts in helping keep TryHackMe secure.

Thank you for your contributions!

TryHackMe
