Report Security Vulnerabilities
TikTok's mission is to inspire creativity and bring joy. The security and health of our platform are closely tied to this mission. If things aren't working properly on TikTok, our dedicated security team is ready to respond and resolve those issues. In addition to our team of experienced security professionals and industry-leading security technologies, we rely on, and value, external input that flags technical security bugs on our platform. With that in mind, we have defined a set of policies to guide our external partners on properly reporting vulnerabilities. We welcome your input and appreciate your efforts to safeguard TikTok.
Vulnerability Reporting Policy
• For questions, concerns, or issues with your profile, please click here.
• If someone is misusing your brand, contact us.
If you believe you have discovered a security bug or vulnerability on the TikTok app or website, please submit your report here. You will be redirected to the website of HackerOne, our trusted security bug bounty partner. HackerOne provides more information on submission guidelines and will allow you to submit a report.
TikTok follows a Coordinated Disclosure Policy. Please refer to the Disclosure and Confidentiality Policy defined in the TikTok HackerOne Policy for more details.
Please visit the Program Rules and Guidelines section in the TikTok HackerOne Policy for details on how reports are handled and what is expected of researchers.
Frequently Asked Questions (FAQ)
What type of issues are considered security vulnerabilities and should be reported?
Issues regarding technical security bugs affecting TikTok should be reported here. Issues include, but are not limited to the following:
• XSS, CSRF, SSRF, SQL injection, ROP (return-oriented programming), JOP (jump-oriented programming), etc.
• Leaked or hard-coded sensitive credentials
• Exploitable or dangerous APIs
• Control-flow hijacking attacks
• User data leaks
• Issues listed in the OWASP Top Ten for Web Apps
• Issues listed in the OWASP Top Ten for Mobile Apps
• Authentication or authorization vulnerabilities
• Access to internal TikTok resources such as backend source code, databases, etc.
• Open redirect, if an additional security impact can be demonstrated
• Anti-automation security bypasses or lack of rate limiting on authenticated endpoints
• Using the TikTok application for privilege escalation to attack the mobile operating system
• Arbitrary code execution on TikTok servers or clients
Is there a reward, bounty or CVE for confirmed vulnerabilities?
Please visit the Rewards and Not Eligible for Reward sections in the TikTok HackerOne Policy for more details about bounties.
How much time is needed before I can publish my findings?
We request that security researchers follow the Disclosure and Confidentiality Policy defined in the TikTok HackerOne Policy.
Which web domains are within scope for TikTok?
Please visit the In Scope section in the TikTok HackerOne Policy for details.
How can I be notified that a security issue I've reported is being investigated?
Reported security issues are evaluated based on criticality and business priority and go through our investigation and triage pipeline accordingly. We will keep you informed of the progress of the case to the best of our ability.