In a post on Reddit's own site, the company's security wizard Spencer Koch gave more details on how the bug bounty program has performed so far, saying:
“This program has allowed us to quickly address vulnerabilities, improve our defenses, and help keep our platform secure alongside our own teams’ efforts. We’ve also seen great engagement and success to date, having awarded $140,000 in bounties across 300 reports covering the main reddit.com platform, which worked well for our limited scope during the private program.”
Now, though, Reddit plans to expand the scope of the program to cover not only its website but also its mobile apps.
Public bug bounty program
In an interview with HackerOne, Koch explained that Reddit started its security team in 2018, after formalizing its private bug bounty program. That was also the year the site was hacked and the personal data of some users was exposed in a data breach.
According to Koch, once a vulnerability is reported, Reddit's security team performs an initial triage to gauge its severity. In some cases the company lets HackerOne's triage service do the initial screening, gather reproduction steps and run a sanity check before its senior security engineers take a look at the bug.
Now that Reddit's bug bounty program is open to the public, any security researcher or white hat hacker can look for bugs on the platform. A confirmed finding earns $100 for a low severity bug, $500 for a medium one, $5,000 for a high one and $10,000 for a critical vulnerability.
Those interested in hunting for bugs on Reddit can find more information on the program's HackerOne page, including the program terms, how severity is determined and which vulnerabilities are out of scope.
Via SC Magazine