Skip to main content

Reddit is taking its bug bounty program public

Glasses in front of computer screen
(Image credit: Kevin Ku / Pexels)

Reddit has announced that it will be taking its bug bounty program public after running it privately with HackerOne for the past three years.

In a post on the news aggregator and discussion forum's site, the company's security wizard Spencer Koch provided more details on the success of its bug bounty program so far, saying:

“This program has allowed us to quickly address vulnerabilities, improve our defenses, and help keep our platform secure alongside our own teams’ efforts. We’ve also seen great engagement and success to date, having awarded $140,000 in bounties across 300 reports covering the main reddit.com platform, which worked well for our limited scope during the private program.”

Now though, Reddit plans to expand the scope of the program to help improve the security of its site as well as its mobile apps.

Public bug bounty program

In an interview with HackerOne, Koch explained that Reddit started its security team back in 2018 after formalizing its private bug bounty program. This was also the same year the site was hacked and the personal data of some users was exposed in a data breach.

According to Koch, Reddit's security team performs an initial triage to gauge the severity of a bug after a vulnerability is reported. However, sometimes the company allows HackerOne's triage service to do the initial screening, reproduction information gathering and sanity check before its senior security engineers take a look at a bug.

Now that Reddit's bug bounty program is open to the public, any security researcher or white hat hacker can look for bugs on the platform. Once a bug is found, they can earn $100 for low severity bugs, $500 for medium ones, $5,000 for high ones and $10,000 for discovering a critical vulnerability. 

Those interested in hunting for bugs on Reddit can find out more information on its bug bounty program here including the program terms, severity determination and what vulnerabilities are out-of-scope for the program.

Via SC Magazine