2020-07-21

Tencent

To expand its community of researchers and recruit global talent, Tencent is partnering with HackerOne to run its Bug Bounty Program.

Please note that the program will be externally hosted on the Tencent Security Response Centre (TSRC) and Tencent will only be accepting report submissions through the TSRC platform. Rewards offered on TSRC are entirely driven and decided by Tencent.

If you believe you have discovered a vulnerability, kindly disclose it to Tencent responsibly and we’ll work with you to ensure we remediate the issue to the best of our ability. We look forward to working with the community to find vulnerabilities in order to keep our businesses and customers safe.

Submitting Vulnerability Reports

  1. Before reporting a vulnerability, please ensure you read our TSRC Bug Bounty Program policy page which details the following:

    • Rules of Engagement

    • Rewards Structure and Evaluation Criteria

    • In-Scope and Out-of-Scope Assets

    • Out-of-Scope Vulnerabilities

  2. Click here to report a vulnerability on TSRC and provide details of your finding.

    • You don’t need to sign in/have an account to report and can easily log into TSRC with your Twitter/Facebook/Google+ account.

    • You must fill out your profile on the TSRC website and provide Tencent with the necessary information, especially your HackerOne username and the email that is tied to it.

Report Validation

  1. We will review your report on TSRC within 1-3 working days.

  2. If your report is valid, we will set it as “Triaged” and inform you of next steps.

Bounty Payouts and Hacker Reputation Points

  1. Bounty payouts for eligible reports will be done through HackerOne. Researchers will require a HackerOne account to receive the bounty.

  2. Researchers will be requested to provide Tencent with the necessary information, such as email and HackerOne ID, when creating a profile on TSRC.

  3. Researchers with an existing HackerOne account: Researchers must provide the email that is tied to their existing HackerOne username.

    • Researchers will receive a notification from HackerOne to claim a bounty.

  4. Researchers without an existing HackerOne account: Researchers must provide an email address which will be used to claim the bounty on HackerOne.

Note that upon the bounty payout, you will continue to receive your HackerOne reputation points (+7 points per report, and additional points based on the severity) and updates to your stats.

You may find more information and instructions about bounty payouts here.

Contacting Tencent

For any questions or clarifications, you may contact the Tencent Security Team at security@tencent.com.

This program was found on HackerOne on 2020-07-21.