STAGING VERSION - Do NOT upload sensitive information - Real reports should not be submitted here

Aegis

Responsibly disclose vulnerabilities on Hack Club programs for bounties

View Programs Log in

Participating Programs

All Hack Club programs are under this security program. Here are some of our best programs to hack on:

program background
Campfire

Campfire

A worldwide game jam happening in 200+ cities on February 28th & March 1st. Find an event in your city!

program background
Shipwrecked

Shipwrecked

Shipwrecked is a game jam where you build a game in 48 hours.

program background
Hack Club Slack

Hack Club Slack

Join the Slack to find the community for your favorite programming language, ask for advice, or just hang out.

program background
Blueprint

Blueprint

Build cool hardware projects (or learn how to) and get up to $400 to make them real!

program background
Hack Clubs

Hack Clubs

Don't run your coding club alone. Make it a Hack Club and get free meeting content, stickers, and digital tools.

program background
Boba Drops

Boba Drops

Build your first website to get a free boba tea, or run a workshop to help others build theirs!

We have more than 100+ programs in total, you can view all of them on the programs page.

Payout Tiers

As a thank you for helping us keep Hack Club secure, we are offering bounties for finding vulnerabilities in our systems. The payouts are based on the severity of the vulnerability and the impact it has on our users.

Out of Scope

When reporting vulnerabilities, please consider possible attack scenario, and potential impact. Also note that any program not participating in this program is out of scope. While you are welcome to report issues regarding them, you are not guaranteed a payout. The following issues are generally considered to be out of scope (not a complete list):

  • Scraping public Slack information or account enumeration
  • Brute force attacks
  • Clickjacking without significant impact
  • Automated scanner outputs without real-world impact
  • Social engineering or phishing attacks
  • Self-exploitation requiring user interaction
  • Denial of Service causing resource exhaustion
  • Exploits related to the Slack or other third-party services that are out of our control

Our AI Policy

Bounty programs all around have seen AI-generated submissions that lack any real-world impact. While we support the use of AI as a tool to help improve your report, submissions that rely solely on AI, with no original researcher input, testing, or validation will be rejected and not considered for bounties. We value technical expertise, real evidence and original research. AI should support your research, not replace it.

Full Rules

This page is just a quick overview of our bounty program. The full rules can be found on the rules page. Please read the full rules before submitting a report. Thank you for your interest, and we look forward to your submissions!