Reddit takes bug bounty program public

Cyber Security News

Alexis Ohanian, co-founder and executive chairman of Reddit, attends the WORLDZ Cultural Marketing Summit 2017 in Los Angeles. (Jerod Harris/Stringer)

Reddit announced Wednesday that it is taking its bug bounty program public. The popular social news site and community forum platform has run a private program with HackerOne for the past three years, but hopes that by going public, it can more quickly address vulnerabilities, improve its defenses and keep the platform secure.

“We’ve seen great engagement and success to date, having awarded $140,000 in bounties across 300 reports covering the main reddit.com platform, which worked well for our limited scope during the private program,” the company said in a press release. “With our continued growth and visibility, we’re now ready to make the program public and expand participation to anyone wanting to make a meaningful security impact on Reddit.”

Reddit security wizard Spencer Koch said the company has always leveraged the community to help find and fix bugs in the platform; that’s how the company found several of its engineers over the years. Koch said the security team started back in 2018 when Reddit formalized its private bug bounty program. As Reddit grew in size and influence over the years, it scaled the program by expanding its scope, improving bounty payouts, and supporting security researchers with context and insight into how Reddit works.

Spencer said that when a hacker finds a bug, the security team does an initial triage to gauge its severity; otherwise, it will let HackerOne’s triage service do the initial screening, reproduction info gathering and sanity check before one of Reddit’s senior security engineers starts the hunt.

“Our security team is heavily embedded with our engineering teams, so we’re perusing code to find the root cause and proposing possible fixes for our engineering counterparts,” Spencer said. “Enriching our tickets with this data means our tickets are higher quality, and easily reproducible and consumable by our devs, so we all can get to fixing faster.”

Allison Miller, Reddit’s vice president of trust and CISO, added that the company’s security team has already been embedded into feature launches at several key points in the software development lifecycle (SDLC), and they work closely with the platform’s various engineering departments. In the final phase of a feature rollout, the team makes sure it adds the new feature into the bug bounty scope and offers details on how to test it or where to find it.

“A great example of this is when we were alpha testing a new Reddit embed feature,” Miller said. “We notified our researchers about it and got feedback that deleted posts were getting rendered due to some bad logic, which resulted in reality not matching design. Through hacker power, we were able to catch this early before general availability where it would have become a larger issue.”

Interested security researchers can find Reddit’s bug bounty program on HackerOne.