Rumble Bug Bounty Program

Rumble is committed to maintaining the highest security standards. Through our Bug Bounty Program, we collaborate with security researchers who share this commitment and help us keep Rumble safe and secure.

How to report

Please send your vulnerability reports to this email address

To ensure timely triage, include all the details listed in the Report Quality section below.

Scope

The following domains are in scope for this program:

  • *.rumble.com
  • *.rumble.cloud
  • *.locals.com

Out of scope

The following activities are strictly out of scope and will not be rewarded:

  1. Social engineering (phishing, vishing, etc.)
  2. Denial of Service (DoS / DDoS) attacks
  3. Automated vulnerability scanning or brute force attacks without a clear PoC exploit

Rewards

Rewards are based on severity, impact, and report quality.

Typical maximum bounty: $1,000 USD

Exceptionally critical issues may be rewarded above this amount.

Low-quality, incomplete, or duplicate reports may not qualify for rewards.

Report quality

To maximize eligibility and reward, reports must include:

  1. Vulnerability Description – what the bug is
  2. Severity – e.g., critical, high, medium, low
  3. Impact – what an attacker could achieve
  4. Steps to Reproduce – detailed instructions with URLs, commands, screenshots, or video
  5. Recommendation – how you suggest fixing the issue

Payments

Rewards are paid to your Rumble account, after which you can initiate a transfer to PayPal.

Responsible Research

We ask all researchers to:

  1. Respect user privacy and do not access, modify, or delete customer data
  2. Avoid service disruption during testing
  3. Use test accounts where possible
  4. Give us a reasonable time to fix issues before public disclosure

Thank you for helping secure Rumble!
