
Razer US

Razer looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. Razer will make a best effort to respond to incoming reports within 3 business days and make a determination after validating a legitimate security issue within 10 business days. We’ll try to keep you informed about our progress throughout the process.

Eligibility & Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
  • Follow HackerOne's disclosure guidelines.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only recognize the first report that was received (provided that it can be fully reproduced).

Program Rules

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, alteration/destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.


For now, only the following properties are in scope. We are starting small and will scale up over time.
(Note the domain is legacy and should redirect to, with a few exceptions as listed.)

Razer homepage and store:

  • __
  • and *

Cortex platform:


Authentication platform:


zVault platform:


Content servers:


Mobile servers:



  • Synapse client
  • Cortex client
  • Razer Central client


Anything that is not listed in the scope policy above is strictly out-of-scope, including other * servers. This also includes third-party sites that are the result of a redirection from the Razer store, such as payment processing. Some examples of these types of servers that are not in scope include:

  • &

We will be expanding scope gradually.

Note: If you do report an issue on an out-of-scope system, we may choose to address it if the risk warrants, but in fairness to other testers, we will not grant reputation regardless of resolution.

Reporting issues

Please submit your security issue to Razer US via HackerOne. Please provide as much detail as you can (URLs, etc.) and the steps to reproduce the issue. We commit to responding to your report as soon as possible!
At this time, we are not awarding bounties or cash rewards for reported vulnerabilities. However, researchers will earn HackerOne reputation based on the merit of reported vulnerabilities, which may help qualify them for private bug bounty programs in the future.

Critical severity bugs:

Examples of issues that Razer would consider critical impact include:

  • Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, data exfiltration, etc.
  • Types of vulnerabilities that may result in these impacts include:
    • Remote Code Execution
    • Vertical Authentication bypass
    • SQL Injection that leaks targeted data

High severity bugs:

Examples of issues that Razer would consider high impact include:

  • Types of vulnerabilities that may result in these impacts include:
    • Lateral authentication bypass
    • Stored XSS (excluding unexploitable self-XSS)
    • Local file inclusion
    • Insecure handling of authentication cookies
    • CSRF depending on impact

Medium severity bugs:

Examples of issues that Razer would consider medium impact include:

  • Types of vulnerabilities that may result in these impacts include:
    • Reflected XSS
    • Insecure Direct Object References
    • CSRF on sensitive actions and functions
    • URL Redirect

Low severity bugs:

Examples of issues that Razer would consider low impact include:

  • Types of vulnerabilities that may result in these impacts include:
    • Rate limiting issues that have a demonstrable impact
    • Leaks of less sensitive information that has a demonstrable impact
    • Directory listings
    • Information leaks
    • Subdomain takeovers for domains no longer in use

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS.
  • Missing cookie flags
  • SSL/TLS best practices
  • Mixed content warnings
  • Attacks requiring physical access to a user's device
  • "HTTP Host Header" XSS (without proof of exploitability)
  • Clickjacking/UI redressing without sensitive state actions occurring on the page
  • Physical or social engineering attacks
  • Results of automated tools or scanners
  • Login/logout/unauthenticated/low-impact CSRF
  • Presence of autocomplete attribute on web forms
  • Use of a known-vulnerable library (without proof of exploitability)
  • Descriptive/verbose/unique error pages (without proof of exploitability)
  • Missing security-related HTTP headers which do not lead directly to a vulnerability

Thank you for helping keep and our users safe!


FireBounty (c) 2015-2019