
The Bug Bounty Program

Responsibly discovering & disclosing security flaws.

Written by Blackout
Updated this week

Responsible Disclosure

TryHackMe values the responsible discovery and disclosure of security vulnerabilities. We encourage ethical security research and review all reports on a case-by-case basis. Researchers should follow the guidelines below to ensure their submission qualifies.

Scope

We divide our scope into Eligible Assets and Ineligible Assets to help researchers focus on areas that are meaningful and safe to test.

Eligible Assets (asset and description):

  • *.tryhackme.com: Core platform including the main web application, user dashboards, rooms, and labs.

  • *.tryhackme.tech: Third-party services and integrations supporting the platform.

Ineligible Assets (asset and reason):

  • *.thmdev.com: Internal development and staging environments not publicly accessible.

  • resources.tryhackme.com: Hosts static content such as PDFs, images, and documentation.

  • store.tryhackme.com: E-commerce site powered by Shopify, hosted separately.

  • help.tryhackme.com: Public knowledge base hosted on Intercom.

  • careers.tryhackme.com: Recruiting page hosted on TeamTailor.

Out-of-Scope Vulnerabilities

The following types of findings are considered out-of-scope and are not eligible for rewards:

  • Social engineering attacks

  • Attacks targeting TryHackMe’s infrastructure

  • Content spoofing or text injection (unless it allows modification of HTML/CSS)

  • Clickjacking or Cross-Site Request Forgery (CSRF)

  • Lack of security headers (e.g., CSP, HTTPOnly, HSTS, DMARC, etc.)

  • Open redirects (unless they present a significant security risk)

  • Denial of Service (DDoS) or service disruption attempts

  • Rate limiting or brute-force issues on non-authentication endpoints

  • Bugs that do not impact the functionality of core platform features

Bug Reporting Rules

Researchers should follow these best practices when reporting vulnerabilities:

  • Adhere to TryHackMe’s Terms and Conditions

  • Do not use automated or mass scanning tools - these will be blocked and disqualified

  • Do not disrupt or affect other users

  • Do not exploit vulnerabilities beyond minimal proof of concept

  • Create a separate test account if needed

  • Do not publicly disclose vulnerability details outside of TryHackMe’s official reporting process

  • Reports must be submitted to [email protected]

Duplicate Reports

We receive a high number of submissions, and many are duplicates of known or already-reported issues. We understand this can be frustrating - especially when time has been invested - but only the first valid report of an issue will qualify for a reward.

If your report is a duplicate, we’ll still review it and aim to acknowledge your effort with transparency and appreciation.
How to Report a Bug

To report a security vulnerability, email [email protected] with the following information:

  • Type of vulnerability

  • Detailed steps to reproduce the issue (include screenshots or video)

  • Scope of the affected system or domain

  • Impact

Each report is reviewed individually. Reports that are valid and impactful will move into internal review and remediation.

Potential Rewards

TryHackMe may offer rewards for valid reports based on severity, exploitability, and report quality.

Reward determination factors include:

  • Technical severity (e.g., CVSS 3.1)

  • Exploit complexity and required user interaction

  • Impact on users, data, or infrastructure

  • Clarity, reproducibility, and report quality

Reward Tiers (USD)

Severity level and reward range (USD):

  • Critical: $500 – $1000+

  • High: $250 – $500

  • Medium: $100 – $250

  • Low: $50 – $100

  • We aim to triage critical reports rapidly and address valid vulnerabilities as a priority. Timelines are based on severity and impact.

  • Rewards are issued only after a report has been triaged, validated, and confirmed as in scope. Please remember that sharing vulnerability details outside of the official reporting process is strictly prohibited.

Recognition and Community Appreciation

TryHackMe values the contributions of security researchers who help improve our platform. Researchers who submit three or more valid reports (excluding Low severity) will earn the Bug Hunter title - a mark of appreciation and recognition within our community.

Thank You

We appreciate your time, skill, and dedication to responsible security research. Your contributions directly help keep the TryHackMe platform and its users safe.
