TryHackMe both encourages and rewards the responsible discovery and disclosure of security bugs. While we review every report on a case-by-case basis, we ask you to follow a few rules to ensure your bug qualifies.
Scope:
*.tryhackme.com
Out-of-scope vulnerabilities:
Social engineering attacks
Attacks against our infrastructure
Content spoofing and text injection issues without the ability to modify HTML/CSS
Clickjacking or Cross-Site Request Forgery (CSRF)
Missing security headers, HttpOnly cookie flags, etc.
Open redirect - unless you can demonstrate an additional security impact
Any activity that could lead to the disruption of our service (DoS)
Rate limiting or brute force issues on non-authentication endpoints
Anything that affects TryHackMe's functionality for other users or is public-facing.
Rules:
Please note that these rules are subject to change at any time and should be treated as guidance. Disclosed issues may still be rejected even if they adhere to the rules below.
Adhere to the TryHackMe Terms and Conditions at all times.
No mass or automated scanning tools. These will quickly be blocked by Cloudflare, at the very least.
Do not affect or attack other users. You can create another profile as a proof of concept, but do not affect other users' experience of TryHackMe, including any instances deployed by them.
Do not abuse the bug you have discovered. For example, do not use a way of gaining extra points to place yourself first on the monthly leaderboard.
Do not discuss the bug outside of the disclosure process with TryHackMe.
I think I've found a bug!
We'd love to hear about it. Again, every report is reviewed on a case-by-case basis. Please email [email protected] and include the following details:
Type of vulnerability
Detailed steps to reproduce
Scope of what is affected by the vulnerability
Your TryHackMe username
Potential rewards:
TryHackMe rewards valid, responsibly disclosed bugs through a variety of means, again on a case-by-case basis, including:
Monetary
Bug Hunter Title (awarded after 3 valid bugs have been found)
VIP Vouchers