StarsLarge TreesSmall TreesLarge TreesSmall TreesLarge TreesSmall TreesLarge TreesSmall TreesSmall BugMedium BugSmall Trees
Discord Security Logo

Discord Security Bug Bounty

At Discord, we take privacy and security very seriously. As such, we encourage everyone to participate in our open bug bounty program, which incentivizes researchers and hackers alike to responsibly find, disclose, and help us resolve security vulnerabilities. As with many bug bounties out there, Discord has a fairly straightforward and simple set of rules that help protect both us and those looking to disclose. Thanks for participating and happy bug hunting!

How we approach security issues

  • Discord will not take legal action against users for disclosing vulnerabilities as instructed here.
  • Vulnerability reports will always be responded to as fast as possible—usually within 24 hours.
  • Based on the validity, severity, and scope of each issue, we'll reward you with awesome shtuff (or just cold, hard cash if you prefer).

Program Rules

  • Only use and test on accounts and servers you directly own. Testing should never affect other users.
  • Testing should be limited to sites and services that Discord directly operates. We will not accept reports for third-party services or providers that integrate with Discord through our APIs.
  • Don't perform any actions that could harm the reliability or integrity of our services and data. Some examples of harmful activities that are not permitted under this bounty include: brute forcing, denial of service (DoS), spamming, timing attacks, etc.
  • Don't use scanners or automated tools to find vulnerabilities.
  • If a specific class of vulnerability crops up regularly, we may temporarily mark it Out of Scope while we look to make a solution internally before re-allowing that issue. In these cases, we will update the policy and communicate the change to all current researchers along with a rough expected timeline. Once the internal solution is in place, we will update the policy and communicate the re-allowance.
  • No information about issues found should be publicly disclosed or shared until we've completed our investigation and resolution. After confirmation, you are free to document and publish any information about the issues you've found in accordance with HackerOne's disclosure guidelines.

Out of Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are generally considered out of scope (not an exhaustive list):

  • Account/E-mail enumeration
  • Any endpoint which allows you to determine the validity of an ID for a resource or relation between resources without revealing any sensitive information related to that resource (i.e. ID Oracles)
  • Attacks requiring MITM or physical access to a user's device
  • AutoMod bypasses
  • Brute force attacks
  • Clickjacking
  • Content spoofing and text injection
  • CSRF vulnerabilities
  • Denial of Service attacks where the outcome is resource exhaustion
  • Email SPF, DKIM, and DMARC records
  • Family Center audit log integrity
  • Invite enumeration
  • Missing HttpOnly/Secure cookie flags
  • NSFW gating
  • Open CORS headers
  • Publicly accessible login panels
  • Rate limiting (temporarily)
  • Reports from scanners and automated tools
  • Reports on the subdomains blog.discord.com, feedback.discord.com, merch.discordapp.com, status.discord.com, andsupport.discord.com - including redirects
  • Self-exploitation (like token reuse and console scripting)
  • Social engineering or phishing attacks targeting users or staff

Temporarily Out of Scope Vulnerabilities

  • Information disclosure for public content in publicly discoverable guilds where the user accessing the content is banned
    • For example, if banned users were able to view recent messages in public channels for publicly discoverable guilds

Special Vulnerabilities

Third Party Promotional or Marketing Campaigns

Third-party providers and partners are not in scope. Submissions against third-party promotional or marketing campaigns will not be accepted. Reports with a specific campaign that fail to demonstrate significant security impact or financial harm to Discord are not accepted. Reports against Discord features and APIs are generally in scope. Example out of scope issues:

  • Changing the name of a screen share to qualify for stream time on a promotional in game item
  • Exploiting issues in a third-party provider's registration flow to redeem rewards

Activities Within the Discord Client

Activities served by the Discord client may be first or third party services. The following list of first party Activities are in scope as part of the Discord platform:

  • Blazing 8s
  • Bobble League
  • Bobble Bash
  • Checkers in the Park
  • Chess in the Park
  • Know What I Meme
  • Land-io
  • Letter League
  • Poker Night
  • Putt Party
  • Sketch Heads
  • Watch Together
  • Whiteboard

Any Activity not explicitly defined above is out of scope for this bug bounty program. Additionally the following are out of scope:

  • Any third party providers or partners proxied by the discordsays.com domain
  • Any IP address leaks in the context of Activities

We consider any situation in which a malicious user could steal tokens or credentials belonging to another user without the use of social engineering in the context of an Activity to be in scope for this program.

Race Conditions

Any vulnerability report which relies on winning a race condition has additional program requirements for its submission to be accepted.

Any report involving a race condition must include one of the following:

  • A script which can consistently reproduce the race condition
    • We prefer Python or Javascript as scripting language choices, but any reasonable scripting language will be accepted so long as we can understand the network requirements to reproduce the finding
  • A detailed explanation of how the network layer must be set up to reproduce the finding
    • This must include the full HTTP methods and routes in question
    • This must include a description of how the requests are being sequenced
    • If the race condition depends on the ordering of the requests that must also be specified in the description

We will not accept reports which depend on particular Burp Suite configurations. Reports must stand on their own with either a script or a detailed description which can be used to reproduce the race condition being represented.

We strongly suggest providing a script for any report involving a race condition to ensure that your report has the appropriate information to reproduce it and can be quickly reviewed by our team.

Quests

We are not interested in client manipulation, scripts, or other methods which allow individual actors to complete a quest. Quests are currently client authoritative by design and we anticipate that there are many ways in which bad actors can game the progression or completion of quests for individual accounts.

We are interested in any exploit which allows a malicious actor to claim quest rewards at scale, like generating multiple third party product keys.

In general the guidelines when submitting a report regarding a Quest feature should be: "Does this allow a malicious actor to recover more than one reward for the quest at scale?" We do not consider running a script on multiple individual accounts as qualifying for this purpose.

Contact us!

Discord operates a bug bounty program in partnership with HackerOne. To join our bug bounty program please send an email with your report to bugbounty@discordapp.com. Please send your full report as the body of your email - do not send an email asking for an invitation. You will receive an email back from HackerOne with further instructions on how to create a HackerOne account and complete your report submission! Please note that the bugbounty@discordapp.com email inbox is unattended - for the security team to review your report you must complete HackerOne registration and finalize your submission on the HackerOne platform.