Razer looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Response Targets

Razer will make a best effort to meet the following response targets for hackers participating in our program:

• Time to first response (from report submit) - 2 business days
• Time to triage (from report submit) - 10 business days
• Time to bounty (from triage) - 15 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

• Follow HackerOne's disclosure guidelines __.

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • In nearly all cases, a POC demonstrating an exploit will be required.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

System Scope

Our scopes are listed in the assets section below. Please refer to our bounty table regarding potential value. You may also see the valid systems listed in the "Instructions" section within the Scope section of the program.

Also please note that there are systems in the Razer.com domain or subdomains that are managed by third parties. Testing against those systems is not in scope. Examples of these out of scope systems include:

• software.razer.com
• resource.razer.com & amp.razer.com

Systems determined to be development only may not receive a bounty.

To emphasize for clarity: only vulnerabilities for the assets listed here are bounty eligible. We may consider a bounty for other Razer properties but will make no guarantee of an award.

• Synapse version 2.x and 3.x clients
• Cortex version 9.x client
• Razer Central client
• RazerPay Android application (Malaysia and Singapore)
• Razer Surround
• Razer Phone and Razer Phone 2
• Razer Peripherals specific firmware
• Razer Systems (e.g. Blade) specific firmware

Razer ID authentication platform:

• ec.razerzone.com
• oauth2.razerzone.com
• razer-id.razer.com

Razer Store:

• store.razer.com (Note that different regional settings may redirect to different servers)

Cortex platform:

• deals.razer.com

Razer Gold platform:

• gold.razer.com
• pay.gold.razer.com
• global.gold.razer.com
• paychannel.gold.razer.com
• reward.gold.razer.com
• topupapi.gold.razer.com
• webhookapi.gold.razer.com
• cms.gold.razer.com
• console.gold.razer.com
• silverconsole.gold.razer.com
• voucherconsole.gold.razer.com
• merchant.gold.razer.com
• zmerchant.gold.razer.com
• silvermerchant.gold.razer.com
• media.gold.razer.com
• ubuild.gold.razer.com
• wbuild.gold.razer.com

Razer Gold Thailand:

• sea-s2s.molthailand.com
• sea-s2s2.molthailand.com
• sea-sdk.molthailand.com
• sea-web.gold.razer.com
• dcb.gold.razer.com
• dcbgw.gold.razer.com
• thd-ibank.molthailand.com
• merchant-th.gold.razer.com
• serialonline.molthailand.com
• wpay.molthailand.com
• easy2pay.co/xxxxx
• api.easy2pay.co
• easytopup.in.th
• easyblizzard.com
• easypsn.com

Razer homepage:

• www.razer.com __
• www2.razer.com
• careers.razer.com
• developer.razer.com
• insider.razer.com
• music.razer.com
• press.razer.com
• support.razer.com and *.razersupport.com

Content servers:

• dl.razer.com

Mobile servers:

• themes.razerzone.com
• mobileservices.razerzone.com

THX primary websites:
*.thx.com

Code vulnerabilities in the Razer Merchant Services (MOLPay) Mobile SDK that could lead to a compromise of user data: https://www.molpay.com/v3/features/mobile-xdk/ __

Razer owned AWS S3 buckets

Out of scope vulnerabilities for this bounty program

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.

The following issues are considered out of the scope of the bounty program as standalone vulnerabilities:

• Clickjacking on pages with no sensitive actions.
• Unauthenticated/logout/login CSRF.
• Attacks requiring physical access to a user's device.
• Attacks that require social engineering or other forms of user deception to complete an exploit. This includes subdomain takeovers and certain forms of CSS.
• Attacks requiring online brute force, such as password / two factor permutations against live systems.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS / DDoS)
• Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.
• Mixed content warnings.
• "HTTP Host Header" XSS without proof of exploitability
• Clickjacking/UI redressing without sensitive state actions occurring on the page
• Physical or social engineering attacks
• Results of automated tools or scanners
• Login/logout/unauthenticated/low-impact CSRF
• Presence of autocomplete attribute on web forms
• “Best practice” claims, such as password strength or rate limiting issues without a demonstrated exploit.
• Directory listings, private IP, or other information leaks
• Use of a known vulnerable library.
• Descriptive/verbose/unique error pages
• Missing security-related HTTP headers.
• Attacks that require administrative access to the default installation location of Razer applications.
• Not all attacks requiring MITM or physical access to a user's device may be accepted. These will be reviewed on a case by case basis.

Note that leveraging such vulnerabilities in combination to demonstrate customer PII data exfiltration in a PoC would be considered in scope.

The scope of this program will be strictly enforced, regardless of the potential security impact. Note that we may accept reports for out of scope vulnerabilities and possibly fix them, but we will not award a bounty regardless.

Other notes

• Web session (Razer ID) authentication issues must have a demonstrated exploit PoC that shows the compromise of customer information.
• We may or may not award a bounty for the exposure of closed-source Razer source code. This will be at Razer’s discretion.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Razer and our users safe!