TryHackMe Knowledge

Go to TryHackMe

The Bug Bounty Programme

Responsibly discovering & disclosing security flaws!

Written By TryHackMe Staff ()

Updated at September 9th, 2020

TryHackMe both encourages and rewards responsible security bug discovering and disclosing. Whilst we review every report on a case-by-case basis, we ask for you to follow a few rules to ensure your bug qualifies.


Scope:

*.tryhackme.com


Out-of-Scope Vulnerabilities:

  • Social engineering attacks
  • Attacks against our infrastructure
  • Content spoofing and text injection issues without being able to modify HTML/CSS
  • Clickjacking or Cross-Site Request Forgery (CSRF) 
  • Lack of security headers, httponly flags, etc
  • Open redirect - unless an additional security impact can be demonstrated
  • Any activity that could lead to the disruption of our service (DoS)
  • Rate limiting or bruteforce issues on non-authentication endpoints
  • Anything that affects TryHackMe's functionality to other users or that is public facing.


Rules:

Please note that these are subject to change at any time, and should act as guidance. Disclosed issues may still be rejected even if it adheres to the below.

  1. Adhere to the TryHackMe Terms and Conditions at all times.
  2. No mass-or-automated scanning tools. These will quickly be blocked by Cloudflare at the very least.
  3. Do not affect or attack other users. You can create another profile as a proof of concept, but do not affect other user's experience of TryHackMe, including any instances deployed by them.
  4. Do not abuse the bug you have discovered. For example, abusing a way to gain more points which places you first place on the Monthly leaderboard.
  5. Do not discuss the bug outside of the disclosure process to TryHackMe


I think I've found a Bug!

We'd love to hear about it. Again, every report is reviewed on a case-by-case basis. Please email [email protected] including the following details:

  • Type of vulnerability 
  • Detailed steps to reproduce
  • Scope of what is affected by the vulnerability
  • Your TryHackMe username


Potential Rewards:

TryHackMe rewards valid and responsibly disclosed bugs through a variety of means, again, on a case-by-case basis including:

  • Monetary
  • Bug Hunter Title (awarded after 3 valid bugs have been found)
  • VIP Vouchers


Was this article helpful?

Related Articles

Asking for Help

We've created this handy template to use when asking for help with anything TryHa...

Known Issues With Rooms

The following is a rolling list of confirmed issues with current THM rooms, the w...

Redeeming CompTIA PenTest+ Discount

If you complete the TryHackMe CompTIA PenTest+ learning path, you get a 10% disco...

API Endpoints

Note:  The authenticated endpoints documented here relate specifically to the Try...