UPDATE [5 June 2020] - Securing TencentOS: With bounties up to USD$140,000!

Tencent is formally launching a special project that focuses on Tencent’s own server and IoT operating system. This project will last throughout the year and the maximum bounty for a single vulnerability will be up to USD$140,000.

Duration: Starting from 8 June 2020 09:00 (GMT+8) to 31 December 2020 23:59 (GMT+8)

For the specific in-scope assets, rules of engagement, reward amounts and assessment guidelines, please refer to the "Securing TencentOS" Announcement hosted on TSRC. You are to submit your reports to TSRC directly via this link.

Good luck and we look forward to working with you to enhance our security!

To expand its community of researchers and recruit global talent, Tencent is partnering with HackerOne to run its Bug Bounty Program.

Please note that the program will be externally hosted on the Tencent Security Response Centre (TSRC) and Tencent will only be accepting report submissions through the TSRC platform. Rewards offered on TSRC are entirely driven and decided by Tencent.

If you believe you have discovered a vulnerability, kindly disclose to Tencent responsibly and we’ll work with you to ensure we remediate the issue to the best of our ability. We look forward to working with the community to find vulnerabilities in order to keep our businesses and customers safe.

Submitting Vulnerability Reports

  1. Before reporting a vulnerability, please ensure you read our TSRC Bug Bounty Program policy page which details the following:
    • Rules of Engagement
    • Rewards Structure and Evaluation Criteria
    • In-Scope and Out-of-Scope Assets
    • Out-of-Scope Vulnerabilities
  2. Click here to report a vulnerability on TSRC and provide details of your finding.
    • You don’t need to sign in/have an account to report and can easily log into TSRC with your Twitter/Facebook/Google+ account.
    • You must fill out your profile on TSRC website and provide Tencent the necessary information, especially your HackerOne username and the email that is tied to it.

Report Validation

  1. We will review your report on TSRC within 1-3 working days.
  2. If your report is valid, we will set it as “Triaged” and inform you of next steps.

Bounty Payouts and Hacker Reputation Points

  1. Bounty payouts for eligible reports will be done through HackerOne. Researchers will require a HackerOne account to receive the bounty.
  2. Researchers will be requested to provide Tencent the necessary information such as email and HackerOne ID when creating a profile on TSRC.
  3. Researchers with existing HackerOne account: Researchers must provide the email that is tied to their existing HackerOne username.
    • Researchers will receive a notification from HackerOne to claim a bounty.
  4. Researchers without an existing HackerOne account: Researchers must provide an email address which will be used to claim the bounty on HackerOne.

Note that upon the bounty payout, you will continue to receive your HackerOne reputation points (+7 points per report, and additional points based on the severity) and updates to your stats.

You may find more information and instructions about bounty payouts here.

Contacting Tencent

For any questions or clarifications, you may contact the Tencent Security Team at security@tencent.com.

This program was found on HackerOne on 2020-07-21.

FireBounty © 2015-2021
