Discord Security Bug Bounty

At Discord, we take privacy and security very seriously. As such, we encourage everyone to participate in our open bug bounty program, which incentivizes researchers and hackers alike to responsibly find, disclose, and help us resolve security vulnerabilities. As with many bug bounties out there, Discord has a fairly straightforward and simple set of rules that help protect both us and those looking to disclose. Thanks for participating and happy bug hunting!

How we approach security issues

• Discord will not take legal action against users for disclosing vulnerabilities as instructed here.
• Vulnerability reports will always be responded to as fast as possible—usually within 24 hours.
• We will provide a full write-up of steps we've taken to resolve any issues you reported.
• Based on the validity, severity, and scope of each issue, we'll reward you with awesome shtuff (or just cold, hard cash if you prefer).

Bounty Rules

• Only use and test on accounts and servers you directly own. Testing should never affect other users.
• Don't perform any actions that could harm the reliability or integrity of our services and data. Some examples of harmful activities that are not permitted under this bounty include: brute forcing, denial of service (DoS), spamming, timing attacks, etc. These types of attacks will result in an IP ban.
• No information about issues found should be publicly disclosed or shared until we've completed our investigation and resolution. After confirmation, you are free to document and publish any information about the issues you've found.
• Testing should be limited to sites and services that Discord directly operates. We will not accept reports for third-party services or providers that integrate with Discord through our APIs.
• Don't use scanners or automated tools to find vulnerabilities.
• Social engineering, phishing, or physical attacks are not permitted under the program.
• If you ever have questions or want clarification on these rules, please email us at security@discordapp.com

Known Out of Scope Reports

• Account/E-mail enumeration
• Brute force attacks
• Clickjacking
• Content spoofing and text injection
• CSRF vulnerabilities
• Denial of Service attacks
• Email SPF and DMARC records
• Invite enumeration
• Missing secure cookie flags
• Open CORS headers
• Publicly accessible login panels
• Reports from scanners and automated tools
• Reports on the subdomains blog.discordapp.com, feedback.discordapp.com, merch.discordapp.com, status.discordapp.com, and support.discordapp.com
• Self-exploitation (like token reuse)
• Social engineering or phishing attacks targeting users or staff