BugHunters — Bug Bounty Platform
    Back to Programs
    Reddit

    Reddit

    Social Media

    The front page of the internet — a community-driven platform with 100K+ active communities discussing every topic imaginable.

    https://reddit.com

    Max Reward

    $20,000

    Total Paid

    $2,400,000

    Resolved

    345

    Avg Response

    3 days

    In-Scope Assets

    reddit.com

    Web platform, posts, comments, and moderation

    Reddit API

    REST API and OAuth2

    Reddit Mobile

    iOS and Android applications

    Reddit Chat

    Real-time messaging system

    Out of Scope

    • Third-party Reddit clients
    • Subreddit CSS/styling
    • Reddit Ads content

    Severity Levels & Rewards

    Critical

    RCE, authentication bypass, privilege escalation, fund extraction

    High

    Stored XSS, CSRF with impact, API abuse, data manipulation

    Medium

    Reflected XSS, data leakage, logic flaws, information disclosure

    Low

    Verbose errors, minor config issues, low-impact info disclosure

    Active Bounties (2)

    IDTitleSeverityStatusRewardSubmissions
    RED-001Account takeover via password reset token prediction
    Critical
    In Review
    		$10,000–$20,0002
    RED-002Stored XSS in subreddit custom CSS parser
    High
    Open
    		$3,000–$8,0000

    Rules of Engagement

    • Do not access, modify, or delete data belonging to other users.

    • Do not perform denial-of-service attacks or automated scanning at high volume.

    • Report vulnerabilities promptly and provide sufficient detail to reproduce.

    • Allow reasonable time for fix before public disclosure (90 days).

    • Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.