TikTok's mission is to inspire creativity and bring joy. The security and health of our platform closely ties to this mission. Our dedicated security team is ready to respond to and resolve issues on our platform.
We rely on and value external input that flags technical security issues on our platform. This policy outlines how we work with outside parties to submit these issues. Thank you for helping make TikTok a safer place for all!
By participating in the program, you agree that you are bound by and subject to this policy. By submitting a vulnerability or other report to us, you grant to us, our subsidiaries and their affiliates a perpetual, irrevocable, royalty-free license to all intellectual property rights licensable by you in or related to the use of this material. You agree that no third-party rights are involved in your report and that you have all rights to submit such a report. We may modify the terms of this policy or terminate the policy at any time.
If you do not comply with this policy, or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, in our sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.
TikTok strives to meet the following response targets for participants in the program (in US business days):
Depending on the complexity of the report and our current report flow, we may take longer to respond. We’ll try to keep you informed about our progress throughout the process.
Example: Do not generate millions of fraudulent "likes" for your own videos
If you encounter TikTok user information during research, stop there and report it immediately to our Bug Bounty team.
Certain TikTok assets may be of higher impact, and vulnerabilities will be evaluated based on their impact to TikTok systems.
We currently consider the following assets to be of greater interest:
We want participants to be recognized publicly for their contributions, if that is the participant’s desire. We will seek to allow participants to be publicly recognized whenever possible. However, public disclosure of vulnerabilities will only be authorized with the express written consent of TikTok. If 180 days have elapsed without the TikTok Team providing a vulnerability disclosure timeline, the contents of the Report may be publicly disclosed by the reporter. Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted.
Our rewards are generally based on the following formula:
12.93 * e ^ (0.695
The CVSS score will be based upon impact to TikTok applications and the CVSS Calculator 3.0. Below are some examples of qualifying vulnerabilities.

| Severity | CVSS Range | Example |
| --- | --- | --- |
| Critical | 9.0 - 10.0 | RCE in the TikTok app context as well as on the internal server. Scalable (no user interaction) sensitive information disclosure. |
| High | 7.0 - 8.9 | CSRF, SSRF, XSS, access control flaw, leaked credential, cryptographic flaw, etc. with significant consequences (e.g. account takeover). The exploit may require user interaction (e.g., a malicious link affects any user that clicks it). |
| Medium | 4.0 - 6.9 | CSRF, SSRF, XSS, access control flaw, leaked credential, cryptographic flaw, etc. with non-trivial consequences (e.g. deleting a comment). The exploit may require non-trivial user interaction (e.g., the user needs to be on the same network as the attacker). |
| Low | 0.1 - 3.9 | Lower-severity bugs are usually bugs that would require unlikely circumstances to be exploited, or where a successful exploit would have minimal consequences. |
The criteria used to determine reward payout and eligibility are solely at our discretion.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Out of scope vulnerabilities
To encourage good faith research and responsible disclosure of security vulnerabilities, we will not threaten or bring legal action against what we determine to be accidental or good faith violation of this policy. This includes claims under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.
To the extent your security research activities are inconsistent with certain restrictions in our relevant site policies but are consistent with the terms of our bug bounty program, we may waive those restrictions for the sole and limited purpose of permitting good faith security research under this bug bounty program.
If your security research involves the networks, systems, information, applications, products, or services of a third party, including any TikTok users, we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot, and do not, authorize security research in the name of other entities or individuals, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.
You must, as always, comply with all laws applicable to you, and must not disrupt or compromise any data beyond what our bug bounty program permits.
Contact us before engaging in conduct that may be inconsistent with, or unaddressed by, this policy. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith. Be proactive in contacting us before engaging in any action that may violate this policy or good faith.
Scope Type | Scope Name
This policy was crawled by Onyphe on 2020-10-12 and is categorized as bounty.