At TryHackMe, we support and encourage the ethical pursuit of bug bounties as an essential aspect of cybersecurity practice and learning.
To facilitate discussions related to bug bounties while ensuring they adhere to legal and ethical standards, we have established this policy. This document outlines the acceptable practices for discussing bug bounties within our community and the specific conditions that must be met.
All discussions regarding bug bounties must take place in the designated #bug-bounty channel. This helps keep our community organised and ensures that members who are interested in such topics can find and participate in discussions easily.
Members are encouraged to discuss bug bounty techniques, share educational resources, and offer general advice about participation in bug bounties.
Discussion of specific bug bounty programs is allowed, provided that it does not violate any confidentiality agreements or the terms of the bug bounty program.
Members must respect responsible disclosure policies. This includes not disclosing or discussing vulnerabilities publicly before the organisation has had a reasonable chance to address them.
If a bug bounty is part of a private program, discussants must ensure that all discussions comply with the confidentiality requirements of the program. Disclosure of private or sensitive information related to such programs without permission is strictly prohibited.
When discussing specific bug bounty programs, especially those that are not publicly known, members may be asked by moderators to provide evidence that their discussion complies with the terms of the involved bug bounty program.
If a member is unable or unwilling to provide sufficient proof of compliance with responsible disclosure, or if the discussion potentially compromises the integrity of a private program, moderators will ask that the discussion be halted.
Failure to adhere to these guidelines may result in moderation action, which could include removal of posts or temporary mutes.
In cases where illegal activities are suspected, such as unauthorised disclosure of sensitive information, the matter may be escalated to appropriate legal authorities.