Roblox is ushering in the next generation of entertainment, allowing kids of
all ages to imagine, create, and play together in an immersive, user-generated
3D world. We call it the “Imagination Platform” and invite everyone to play on
We recognize the important role that our user community and a community of
security researchers play in helping to keep Roblox and our community safe. If
you think you’ve found a security issue on any of the scopes we have listed,
please inform us via our program on HackerOne using the guidelines below.
To participate in Roblox’s security bug bounty program, we request that
you abide by the following rules. These are fairly standard requirements for
most programs, but if you have any questions or feedback on these rules,
please let us know at firstname.lastname@example.org (please do not submit bugs to this alias).
- Your participation in the Roblox bug bounty program generally prohibits you from collecting, accessing, viewing, storing, altering or otherwise using data of Roblox users.
- While testing, take measures to avoid accessing user data or affecting other users’ experiences. Please localize testing to your own test accounts wherever possible. If private user data is accessed during your security testing, please notify us immediately.
- If you have found an issue that may require touching other users’ data to verify, please contact us first for guidance on how to safely test for such issues.
- In exceptional cases in which data of Roblox users is accessed and used for the security testing please restrict the data use to the extent that is crucially necessary to conduct proper security testing. This particularly means that you only use user data of very few Roblox users and that you limit the amount of the specific user data to the scope that is necessary for the specific testing measure.
- In case of accessing user data for testing purposes, please ensure to take measures to prevent unauthorized access, alteration or deletion of the user data. You may not use the user data for any purposes other than participating in the Roblox bug bounty program and conducting the security testing.
- You may not use the user data accessed during the security testing to contact Roblox users for any reason; including informing them about the security testing.
- After completing the testing, you must delete any user data from your systems irrevocably. We reserve the right to demand proof of proper deletion.
- You must refrain from sharing user data with others or publish user data.
- A violation of these data protection obligations may lead to exclusion from the bug bounty program. In the event of infringement, Roblox reserves the right to reclaim already awarded bounties. Infringing data protection laws, including the European General Data Protection Regulation (GDPR), can result in substantial fines and/or users may be entitled to damages.
- If you are aware that your attacks may harm the reliability or integrity of our services or data, stop immediately and contact us
- Vulnerabilities found through DDoS/spam attacks are not allowed
- Never attempt non-technical attacks such as social engineering (e.g. phishing, vishing, smishing) or physical attacks against our employees, users, or infrastructure
- Recently disclosed 0day vulnerabilities are not eligible, unless you have a working PoC exploit.
- Follow HackerOne’s disclosure guidelines
- When testing, please include the string "hackeronetest-" at the end of your user agent so we can more easily identify traffic that is coming from the bug bounty program.
- For any report involving the Roblox Client or Roblox Studio, include the version:
  - In Studio, click File > About Roblox Studio
  - For the client, the version is shown in the properties of the exe file, normally located at %APPDATA%..\Local\Roblox\Versions\RobloxPlayerBeta.exe. There are typically two folders, one for the client, one for Studio.
- Report the approximate date/time/timezone of the most recent test of the issue
- Please do NOT contact our customer support team or employees out of band to contest or escalate a report; all inquiries should happen on the report itself. Failure to follow this rule may result in a bounty not being paid out and repeat offenses can lead to removal from the bug bounty program
Roblox will make a best effort to meet the following SLAs for hackers
participating in our program:
- Time to first response (from report submit): 2 business days
- Time to triage (from report submit): 2-10 business days
- Time to bounty (from triage): 10-20 business days
- We’ll try to keep you informed about our progress throughout the process
While we encourage you to discover and report to us any vulnerabilities you
find in a responsible manner, the following conduct is expressly prohibited
and will result in disqualification from the Bug Bounty Program:
- Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other person without explicit Roblox authorization
- Disclosing the contents of any submission to our program without explicit Roblox authorization
- Accessing private information of any person stored on a Roblox product or service – You must use test accounts
- Sharing or publishing Roblox user data
- Accessing sensitive information (e.g. credentials)
- Performing actions that may negatively affect Roblox or its users (e.g. Spam, Brute force, Denial of Service)
- Conducting any kind of physical attack on Roblox personnel, property or data centers
- Social engineering any Roblox help desk, employee or contractor
- Exfiltrating data. Please test only the minimum necessary to validate a vulnerability (we can verify if data exfiltration would be possible from a vulnerability, and will reward with the impact in mind)
- Violating any laws or breaching any agreements in order to discover vulnerabilities
When reporting vulnerabilities, please consider (1) how easily/realistically
exploitable the bug is (what’s the attack scenario?) and (2) what is the
security impact of the bug? If a bug is not easily exploitable or does not
have a significant security impact, it is less likely to qualify for a bounty.
The following vulnerabilities typically will not qualify for Roblox’s program:
- User account hacks that require user interaction
- Chat filter bugs
- Missing autocomplete attributes
- Missing flags on cookies that don’t house any sensitive information
- SSL/TLS scan reports (this means output from sites such as SSL Labs) and SSL/TLS version related vulnerabilities
- Missing security-related HTTP headers which do not lead directly to a vulnerability
- Issues that only affect a smaller user base (e.g. users on outdated browsers or other outdated software)
- Denial of Service vulnerabilities (DoS)
- Cross-site Request Forgery (CSRF) with minimal security implications (Login/logout/unauthenticated)
- Version information disclosure (without verifying the presence of an actual exploitable vulnerability)
- Password complexity related vulnerabilities
- Unverified or incomplete "Scanner output" or scanner-generated reports
- Vulnerabilities requiring physical access to the victim's unlocked device
- Bugs requiring exceedingly unlikely user interaction
- Disclosure of public information and information that does not present significant risk
- Vulnerabilities that Roblox determines to be an accepted risk will not be eligible for a paid bounty
- Language used in emails and policy documents
- SPF, DKIM or DMARC issues on sub-domains of roblox.com
- HTML injection vulnerabilities with no direct risk
- Social engineering or following a link will not be considered for bounty
- Self XSS or similar vulnerabilities
Firebounty crawled the Roblox program on the HackerOne platform on 2020-01-28.