The front page of the internet — a community-driven platform with 100K+ active communities discussing every topic imaginable.
https://reddit.comMax Reward
$20,000
Total Paid
$2,400,000
Resolved
345
Avg Response
3 days
In-Scope Assets
reddit.com
Web platform, posts, comments, and moderation
Reddit API
REST API and OAuth2
Reddit Mobile
iOS and Android applications
Reddit Chat
Real-time messaging system
Out of Scope
- ✕ Third-party Reddit clients
- ✕ Subreddit CSS/styling
- ✕ Reddit Ads content
Severity Levels & Rewards
RCE, authentication bypass, privilege escalation, fund extraction
Stored XSS, CSRF with impact, API abuse, data manipulation
Reflected XSS, data leakage, logic flaws, information disclosure
Verbose errors, minor config issues, low-impact info disclosure
Active Bounties (2)
| ID | Title | Severity | Status | Reward | Submissions |
|---|---|---|---|---|---|
| RED-001 | Account takeover via password reset token prediction | Critical | In Review | $10,000–$20,000 | 2 |
| RED-002 | Stored XSS in subreddit custom CSS parser | High | Open | $3,000–$8,000 | 0 |
Rules of Engagement
• Do not access, modify, or delete data belonging to other users.
• Do not perform denial-of-service attacks or automated scanning at high volume.
• Report vulnerabilities promptly and provide sufficient detail to reproduce.
• Allow reasonable time for fix before public disclosure (90 days).
• Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.