4chan

4chan Vulnerability Disclosure Program

These Program Rules provide our guidelines for reporting vulnerabilities to 4chan.

If you believe you have identified a security vulnerability that could impact 4chan or its users, we ask that you notify us right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We request that you follow our Vulnerability Disclosure Program Rules and HackerOne's Vulnerability Disclosure Guidelines and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research. In keeping with 4chan's principles, feel free to submit your report using a pseudonym.

Note: This program is meant for vulnerabilities and security-related bugs. If you have a general bug report or site feedback, please submit it on our Feedback page.

Scope

Websites and services operated by 4chan, which include:

  • *.4chan.org
  • *.4cdn.org

Please do not submit:

  • Vulnerabilities reported by automated vulnerability scanning tools, unless you have a working proof-of-concept or reason to believe that the issue is exploitable. Many issues reported by these tools are low-hanging fruit with no clear security implication for 4chan.
  • Vulnerabilities that rely on social engineering to be exploitable.
  • Clickjacking (X-Frame-Options), HSTS (Strict-Transport-Security), legacy Internet Explorer headers (X-Content-Type-Options and X-XSS-Protection), and HttpOnly cookie flag reports. We already set these headers where we feel it is appropriate.

Scope is limited strictly to software and hardware vulnerabilities—not people. As such, 4chan users, volunteers (janitors, moderators, etc), customers (4chan Pass users, advertisers, etc), and employees are entirely out of scope of this program.

Third-party software and services that we use, such as nginx and CloudFlare, should be reported to the appropriate parties and are not eligible for a reward from us. We'd appreciate a heads-up and will credit you on our Thanks page though!

Eligibility & Disclosure

In order for your submission to be eligible:

  • You must agree to all of our Vulnerability Disclosure Program Rules (this entire page).
  • You must follow HackerOne's Vulnerability Disclosure Guidelines.
  • You must be the first person to responsibly disclose an unknown issue to us.
  • You must immediately report any vulnerability that allows access to personally identifiable information (PII), not copy or disseminate any PII obtained, and destroy any and all PII in your possession.
  • Please consolidate similar vulnerabilities across multiple files/domains into one report. Multiple reports of what is essentially the same vulnerability will be discarded and treated as one report.
  • All legitimate reports will be reviewed and assessed by 4chan's developer team to determine eligibility.
  • As mentioned in our Rules, 4chan's website and services are not intended for, or designed to attract, individuals under the age of 18. Reporters under the age of 18 will not be eligible to receive rewards.

Rewards

For each eligible vulnerability report, the reporter will receive:

Exclusions

The following conditions are out of scope for our vulnerability disclosure program:

  • Physical attacks against 4chan users, volunteers, customers, employees, offices, and data centers.
  • Social engineering of 4chan users, volunteers, customers, employees, or service providers.
  • Knowingly posting, transmitting, uploading, linking to, or sending any malware.
  • Pursuing vulnerabilities which send unsolicited bulk or unauthorized messages (spam), and/or denial of service (DoS) attacks.
  • Any vulnerability obtained through the compromise of a 4chan user, volunteer, customer, or employee account. If your vulnerability allows you to compromise one of these accounts, please report it to us immediately and do not press further without written permission.

Submissions & Questions?

Send us an e-mail at security@4chan.org.

Thanks to...

  • atom
  • evanricafort0x003
  • ng1
  • rahulpratap
  • reactors08
  • tweetketan
  • shubham
  • ajaysinghnegi
  • petyalevkin
  • pranav
  • adrianbelen
  • fuzzbaba
  • gopinath6
  • prayas
  • simon90
  • xss
  • hectorsschmector
  • RyotaK