Policy

Our Mission

Roblox is ushering in the next generation of entertainment, allowing kids of all ages to imagine, create, and play together in an immersive, user-generated 3D world. We call it the “Imagination Platform” and invite everyone to play on it.

We recognize the important role that our user community and a community of security researchers play in helping to keep Roblox and our community safe. If you think you’ve found a security issue on any of the scopes we have listed, please inform us via our program on HackerOne using the guidelines below.

Roblox reserves the right to choose to address or not address any reported vulnerabilities.

Program Rules

To participate in Roblox’s security bug bounty program, we request that you abide by the following rules. These are fairly standard requirements for most programs, but if you have any questions or feedback on these rules, please let us know at support@hackerone.com. (please do not submit bugs to this alias).

Roblox reserves the right to modify the terms of this policy at any time.

Handling Data

• Your participation in the Roblox bug bounty program generally prohibits you from collecting, accessing, viewing, storing, altering or otherwise using data of Roblox users.

• While testing, take measures to avoid accessing user data or affecting other users’ experiences. Please localize testing to your own test accounts wherever possible. If private user data is accessed during your security testing, please notify us immediately.

• If you have found an issue that may require touching other users’ data to verify, please contact us first for guidance on how to safely test for such issues.

• In exceptional cases in which data of Roblox users is accessed and used for the security testing please restrict the data use to the extent that is crucially necessary to conduct proper security testing. This particularly means that you only use user data of very few Roblox users and that you limit the amount of the specific user data to the scope that is necessary for the specific testing measure.

• In case of accessing user data for testing purposes, please ensure to take measures to prevent unauthorized access, alteration or deletion of the user data. You may not use the user data for any purposes other than participating in the Roblox bug bounty program and conducting the security testing.

• You may not use the user data accessed during the security testing to contact Roblox users for any reason; including informing them about the security testing.

• After completing the testing, you must delete any user data from your systems irrevocably. We reserve the right to demand proof of proper deletion.

• You must refrain from sharing user data with others or publish user data.

• A violation of these data protection obligations may lead to exclusion from the bug bounty program. In the event of infringement, Roblox reserves the right to reclaim already awarded bounties. Infringing data protection laws, including the European General Data Protection Regulation (GDPR), can result in substantial fines and/or users may be entitled to damages.

Testing

• If you are aware that your attacks may harm the reliability or integrity of our services or data, stop immediately and contact us

• Vulnerabilities found through DDoS/spam attacks are not allowed

• Never attempt non-technical attacks such as social engineering (e.g. phishing, vishing, smishing) or physical attacks against our employees, users, or infrastructure

• Recently disclosed 0-day vulnerabilities are not eligible, unless you have a working poc exploit.

• Follow HackerOne’s disclosure guidelines

• When testing, please include the string "hackeronetest-<your-roblox-userid>" at the end of your user agent so we can more easily identify traffic that is coming from the bug bounty program.

• For any report involving the Roblox Client or Roblox Studio, include the version

• In Studio, click File > About Roblox Studio

• For client, the version is shown in the properties of the exe file, normally located at %APPDATA%..\Local\Roblox\Versions<version>\RobloxPlayerBeta.exe. There are typically two folders, one for client, one for studio.

• Report the approximate date/time/timezone of the most recent test of the issue

• Please do NOT contact our customer support team or employees out of band to contest or escalate a report; all inquiries should happen on the report itself. Failure to follow this rule may result in a bounty not being paid out and repeat offenses can lead to removal from the bug bounty program

Response Targets

Roblox will endeavor to meet the following SLAs for hackers participating in our program:

• Time to first response (from report submit): 2 business days

• Time to triage (from report submit): 2-10 business days

• Time to bounty (from triage): 10-20 business days

• We’ll try to keep you informed about our progress throughout the process

Disclosure Policy

While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited and will result in disqualification from the Bug Bounty Program and, if necessary, referral of your conduct to law enforcement:

• Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other person without explicit Roblox authorization

• Disclosing the contents of any submission to our program without explicit Roblox authorization

• Accessing private information of any person stored on a Roblox product or service – You must use test accounts

• Sharing or publishing Roblox user data

• Accessing sensitive information (e.g. credentials)

• Performing actions that may negatively affect Roblox or its users (e.g. Spam, Brute force, Denial of Service)

• Conducting any kind of physical attack on Roblox personnel, property or data centers

• Social engineering any Roblox help desk, employee or contractor

• Exfiltrating data. Please test only the minimum necessary to validate a vulnerability (we can verify if data exfiltration would be possible from a vulnerability, and will reward with the impact in mind)

• Violating any laws or regulations or breaching any agreements in order to discover vulnerabilities

Out-of-scope Vulnerabilities

When reporting vulnerabilities, please consider (1) how easily/realistically exploitable the bug is (what’s the attack scenario?) and (2) what is the security impact of the bug? If a bug is not easily exploitable or does not have a significant security impact, it is less likely to qualify for a bounty.

The following vulnerabilities typically will not qualify for Roblox’s program:

• Vulnerabilities previously disclosed through the program or otherwise known to Roblox or to the public

• User account hacks that require user interaction

• Chat filter bugs

• Missing autocomplete attributes

• Missing flags on cookies that don’t house any sensitive information

• SSL/TLS scan reports (this means output from sites such as SSL Labs) and SSL/TLS version related vulnerabilities

• Missing security-related HTTP headers which do not lead directly to a vulnerability. Issues that only affect a smaller user base (e.g. users on outdated browsers or other outdated software).

• Vulnerabilities that are used for volumetric DDoS/DoS/Spam attacks are out of scope. But the vulnerabilities in the Roblox data model, which can be used by exploiters specifically for crashing the game servers, is strongly encouraged to be reported.

• Cross-site Request Forgery (CSRF) with minimal security implications (Login/logout/unauthenticated)

• Version information disclosure (without verifying the presence of an actual exploitable vulnerability)

• Password complexity related vulnerabilities

• Unverified or incomplete "Scanner output" or scanner-generated reports

• Vulnerabilities requiring physical access to the victim's unlocked device

• Bugs requiring exceedingly unlikely user interaction

• Disclosure of information already in public domain or information previously disclosed by Roblox

• Disclosure of public information and information that does not present significant risk

• Vulnerabilities that Roblox determines to be an accepted risk will not be eligible for a paid bounty

• Language used in emails and policy documents

• SPF, DKIM or DMARC issues on sub-domains of roblox.com

• HTML injection vulnerabilities with no direct risk

• Social engineering or following a link will not be considered for bounty

• Self XSS or similar vulnerabilities

• Vulnerabilities found on *.ra.roblox.com that do not affect release servers