Responsible Disclosure
TryHackMe values the responsible discovery and disclosure of security vulnerabilities. We encourage ethical security research and review all reports on a case-by-case basis. Researchers should follow the guidelines below to ensure their submission qualifies.
Scope
We divided our scope into Eligible Assets and Ineligible Assets to help researchers focus on areas that are meaningful and safe to test.
Eligible Assets:
| Asset | Description |
| --- | --- |
| | Core platform including the main web application, user dashboards, rooms, and labs. |
| | Third-party services and integrations supporting the platform. |
Ineligible Assets:
| Asset | Reason |
| --- | --- |
| | Internal development and staging environments not publicly accessible. |
| | Hosts static content such as PDFs, images, and documentation. |
| | E-commerce site powered by Shopify, hosted separately. |
| | Public knowledge base hosted on Intercom. |
| | Recruiting page hosted on TeamTailor. |
Out-of-Scope Vulnerabilities
The following types of findings are considered out-of-scope and are not eligible for rewards:
Social engineering attacks
Attacks targeting TryHackMe’s infrastructure
Content spoofing or text injection (unless it allows modification of HTML/CSS)
Clickjacking or Cross-Site Request Forgery (CSRF)
Missing security headers or related hardening settings (e.g., CSP, HSTS, the HttpOnly cookie attribute, DMARC records, etc.) reported without a demonstrated exploit
Open redirects (unless they present a significant security risk)
Denial of Service (DoS/DDoS) or other service disruption attempts
Rate limiting or brute-force issues on non-authentication endpoints
Bugs that do not impact the functionality of core platform features
Bug Reporting Rules
Researchers should follow these best practices when reporting vulnerabilities:
Adhere to TryHackMe’s Terms and Conditions
Do not use automated or mass scanning tools - these will be blocked and disqualified
Do not disrupt or affect other users
Do not exploit vulnerabilities beyond minimal proof of concept
Create a separate test account if needed
Do not publicly disclose vulnerability details outside of TryHackMe’s official reporting process
Reports must be submitted to [email protected]
Duplicate Reports
We receive a high number of submissions, and many are duplicates of known or already-reported issues. We understand this can be frustrating - especially when time has been invested - but only the first valid report of an issue will qualify for a reward.
If your report is a duplicate, we’ll still review it and aim to acknowledge your effort with transparency and appreciation.
How to Report a Bug
To report a security vulnerability, email [email protected] with the following information:
Type of vulnerability
Detailed steps to reproduce the issue (include screenshots or video)
Scope of the affected system or domain
Impact
Each report is reviewed individually. Reports that are valid and impactful will move into internal review and remediation.
Potential Rewards
TryHackMe may offer rewards for valid reports based on severity, exploitability, and report quality.
Reward determination factors include:
Technical severity (e.g., CVSS 3.1)
Exploit complexity and required user interaction
Impact on users, data, or infrastructure
Clarity, reproducibility, and report quality
Reward Tiers (USD)
| Severity Level | Reward Range (USD) |
| --- | --- |
| Critical | $500 – $1000+ |
| High | $250 – $500 |
| Medium | $100 – $250 |
| Low | $50 – $100 |
We aim to triage critical reports rapidly and address valid vulnerabilities as a priority. Remediation timelines depend on severity and impact.
Rewards are issued only after a report has been triaged, validated, and confirmed as in scope. Please remember that sharing vulnerability details outside of the official reporting process is strictly prohibited.
Recognition and Community Appreciation
TryHackMe values the contributions of security researchers who help improve our platform. Researchers who submit three or more valid reports (excluding Low severity) will earn the Bug Hunter title - a mark of appreciation and recognition within our community.
Thank You
We appreciate your time, skill, and dedication to responsible security research. Your contributions directly help keep the TryHackMe platform and its users safe.
TryHackMe