TryHackMe both encourages and rewards the responsible discovery and disclosure of security bugs. Whilst we review every report on a case-by-case basis, we ask you to follow a few rules to ensure your bug qualifies.
Scope:
Out-of-Scope Vulnerabilities:
- Social engineering attacks
- Attacks against our infrastructure
- Content spoofing and text injection issues without being able to modify HTML/CSS
- Clickjacking or Cross-Site Request Forgery (CSRF)
- Lack of security headers, httponly flags, etc.
- Open redirect - unless an additional security impact can be demonstrated
- Any activity that could lead to the disruption of our service (DoS)
- Rate limiting or brute-force issues on non-authentication endpoints
- Anything that affects TryHackMe's functionality for other users or that is public-facing
Rules:
Please note that these are subject to change at any time and should act as guidance. Disclosed issues may still be rejected even if they adhere to the rules below.
- Adhere to the TryHackMe Terms and Conditions at all times.
- No mass or automated scanning tools. These will quickly be blocked by Cloudflare at the very least.
- Do not affect or attack other users. You can create another profile as a proof of concept, but do not affect other users' experience of TryHackMe, including any instances deployed by them.
- Do not abuse the bug you have discovered. For example, do not abuse a way to gain more points that places you first on the Monthly leaderboard.
- Do not discuss the bug outside of the disclosure process to TryHackMe.
I think I've found a Bug!
We'd love to hear about it. Again, every report is reviewed on a case-by-case basis. Please email [email protected] including the following details:
- Type of vulnerability
- Detailed steps to reproduce
- Scope of what is affected by the vulnerability
- Your TryHackMe username
Potential Rewards:
TryHackMe rewards valid and responsibly disclosed bugs through a variety of means, again on a case-by-case basis, including:
- Monetary
- Bug Hunter Title (awarded after 3 valid bugs have been found)
- VIP Vouchers