BugHunters — Bug Bounty Platform
    Back to Programs
    Discord

    Discord

    Social Media

    Communication platform for communities with voice, video, and text chat, serving 200M+ monthly active users globally.

    https://discord.com

    Max Reward

    $20,000

    Total Paid

    $3,600,000

    Resolved

    456

    Avg Response

    2 days

    In-Scope Assets

    discord.com

    Web client, authentication, and settings

    Discord API

    Bot API, OAuth2, and gateway WebSocket

    Discord Desktop

    Electron-based desktop application

    Discord Mobile

    iOS and Android applications

    Out of Scope

    • Third-party bots
    • Server owner configurations
    • User-generated content

    Severity Levels & Rewards

    Critical

    RCE, authentication bypass, privilege escalation, fund extraction

    High

    Stored XSS, CSRF with impact, API abuse, data manipulation

    Medium

    Reflected XSS, data leakage, logic flaws, information disclosure

    Low

    Verbose errors, minor config issues, low-impact info disclosure

    Active Bounties (2)

    IDTitleSeverityStatusRewardSubmissions
    DSC-001Remote code execution via crafted embed in desktop client
    Critical
    Open
    		$10,000–$20,0000
    DSC-002OAuth2 token theft via open redirect in authorization flow
    High
    In Review
    		$3,000–$8,0001

    Rules of Engagement

    • Do not access, modify, or delete data belonging to other users.

    • Do not perform denial-of-service attacks or automated scanning at high volume.

    • Report vulnerabilities promptly and provide sufficient detail to reproduce.

    • Allow reasonable time for fix before public disclosure (90 days).

    • Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.