TryHackMe

TryHackMe values the responsible discovery and disclosure of security vulnerabilities. We review all reports on a case-by-case basis and encourage researchers to follow the guidelines outlined below to ensure their submission qualifies.

Bug reports should focus on vulnerabilities within:

Out-of-Scope Vulnerabilities

The following vulnerabilities are not eligible for rewards:

Attacks against TryHackMe’s infrastructure

Content spoofing and text injection (unless it allows modification of HTML/CSS)

Clickjacking or Cross-Site Request Forgery (CSRF)

Lack of security headers (e.g., HTTPOnly flags, CSP, etc.)

Open redirects (unless they present a significant security risk)

Denial of Service (DoS) or any activity disrupting TryHackMe’s services

Rate limiting or brute force issues on non-authentication endpoints

Bugs that do not impact TryHackMe’s functionality for users or public-facing services

- Social engineering attacks
- Attacks against TryHackMe’s infrastructure
- Content spoofing and text injection (unless it allows modification of HTML/CSS)
- Clickjacking or Cross-Site Request Forgery (CSRF)
- Lack of security headers (e.g., HTTPOnly flags, CSP, etc.)
- Open redirects (unless they present a significant security risk)
- Denial of Service (DoS) or any activity disrupting TryHackMe’s services
- Rate limiting or brute force issues on non-authentication endpoints
- Bugs that do not impact TryHackMe’s functionality for users or public-facing services
   

These guidelines serve as best practices for responsible disclosure. Following them does not guarantee acceptance of a report, and policies may change over time.

Adhere to TryHackMe’s <a href="https://tryhackme.com/legal/terms-of-use" rel="nofollow noopener noreferrer" target="_blank">Terms and Conditions</a> at all times

Do not use mass or automated scanning tools. Such tools will be blocked by Cloudflare and may lead to disqualification

Do not disrupt or attack other users. If required, create a separate test profile for proof of concept, but do not interfere with other users’ experiences or instances they have deployed

Do not exploit discovered vulnerabilities. For example, using a bug to unfairly gain leaderboard points is strictly prohibited

Do not publicly discuss or disclose the vulnerability outside of TryHackMe’s official reporting process

- Adhere to TryHackMe’s <a href="https://tryhackme.com/legal/terms-of-use" rel="nofollow noopener noreferrer" target="_blank">Terms and Conditions</a> at all times
- Do not use mass or automated scanning tools. Such tools will be blocked by Cloudflare and may lead to disqualification
- Do not disrupt or attack other users. If required, create a separate test profile for proof of concept, but do not interfere with other users’ experiences or instances they have deployed
- Do not exploit discovered vulnerabilities. For example, using a bug to unfairly gain leaderboard points is strictly prohibited
- Do not publicly discuss or disclose the vulnerability outside of TryHackMe’s official reporting process

If you believe you have discovered a security vulnerability, please submit a report by emailing <a href="mailto:support@tryhackme.com" rel="nofollow noopener noreferrer" target="_blank">support@tryhackme.com </a>with the following details:

Detailed steps to reproduce the issue (video, screenshots)

1. Type of vulnerability
2. Detailed steps to reproduce the issue (video, screenshots)
3. Scope of the affected system(s)
4. Your TryHackMe username

Every report is reviewed individually, and eligibility is determined based on severity and impact.&nbsp;Once a report is marked as valid, it is moved to an internal review process. The time required for a response may vary, and it can take a while before you receive an update, as the team carefully evaluates each case.

TryHackMe appreciates responsible disclosures and may offer rewards for valid reports. These are determined on a case-by-case basis and may include:

Bug Hunter Title (awarded after three valid reports)

- Monetary rewards
- Bug Hunter Title (awarded after three valid reports)
- Vouchers

We appreciate your efforts in helping keep TryHackMe secure. 

Responsibly discovering & disclosing security flaws.

The Bug Bounty Program

Find answers and get help from Intercom Support and Community Experts

This site uses cookies and similar technologies ("cookies") as strictly necessary for site operation. We and our partners also would like to set additional cookies to enable site performance analytics, functionality, advertising and social media features. See our {cookiePolicyLink} for details. You can change your cookie preferences in our Cookie Settings.

Link, Press control-option-right-arrow to exit

Empty Help Center

Uh oh. That page doesn’t exist.

Disappointed

Neutral

Smiley

Thinking...

Searching through sources...

Analyzing...

Tickets submitted through the messenger or by a support agent in your conversation will appear here.

The Bug Bounty Program

Responsible Disclosure

Scope

Out-of-Scope Vulnerabilities

Bug Reporting Rules

How to Report a Bug

Potential Rewards