Scope Type | Scope Name
Out of Scope
Scope Type | Scope Name
other | Content Delivery Network (CDN) servers
other | Social media accounts (Facebook, Twitter, etc.)
Robinhood is a U.S.-based financial services company headquartered in Menlo Park, California. The Robinhood platform lets you invest in U.S. stocks, ETFs, options, and certain cryptocurrencies, without paying commission fees. We believe that exceptionally engineered systems are the cornerstones of establishing trust, and recognize the importance of security researchers in helping us keep our platform secure. We encourage responsible disclosure of security vulnerabilities and will award bounties commensurate with the severity of the issue.
If you are able to identify a security vulnerability (e.g., executing an attack and gaining access to our systems, accounts, or any other type of sensitive data), we ask that you make every effort to not leak data or damage the integrity of our systems and report the issue privately to us via this program. Specifically, this means:
Due to the nature of our business, we ask that you also follow these guidelines:
Social engineering attacks, including phishing attacks, against Robinhood employees or customers are not considered in the scope of this program.
The minimum payout is $100 USD and an entry in our hall of fame for reporting a previously unknown security vulnerability of sufficient severity. Higher amounts are awarded according to the severity of the vulnerability in accordance with the guidelines below. Final determination of the eligibility and severity of the issue will be made by and at the sole discretion of the Robinhood Security Team. We are most concerned with vulnerabilities that could result in financial and/or data loss.
We use the following table as guidelines for determining reward amounts:
Vulnerability | Reward
Remote Code Execution (RCE) | $25,000 - $50,000
Significant Accounting Manipulation | $15,000 - $25,000
SQL Injection | $15,000 - $25,000
Significant Authentication / Authorization Bypass | $10,000 - $20,000
Significant Cross Site Scripting / Cross Site Request Forgery | $10,000 - $20,000
Sensitive Data Exposure | $2,500 - $5,000
Other Authentication / Authorization Bypass | $500 - $5,000
Other Cross Site Scripting / Cross Site Request Forgery | $500 - $5,000
Open Redirect | $100
Significant, as used above, means vulnerabilities which could reasonably result in non-trivial financial loss for Robinhood or its customers.
Sensitive Data, as used above, means personally identifiable information about Robinhood users such as, and not limited to, mailing addresses, social security numbers, or password hashes.
Researchers who provide valuable reports may be given early access to Robinhood’s latest features at the security team’s discretion. This may include early access to features that would otherwise be subject to Robinhood’s waitlists.
Eligibility is limited to the in-scope domains and applications listed at the bottom of this page. Valid vulnerabilities on any domain not explicitly listed as in scope will be accepted but are ineligible for a reward. Software components used within Robinhood (e.g. Django) are eligible and may be exploited in your vulnerability testing. Note that bugs in third party components only qualify if we determine that they can be used to successfully exploit Robinhood. Researchers must be the first to identify and report a previously unknown vulnerability to be eligible for an award.
Vulnerability reports must be submitted via HackerOne or to Robinhood directly at email@example.com.
Vulnerabilities found in third party apps integrating with the Robinhood API should be reported to the responsible developer. You should only report vulnerabilities found in third party apps to Robinhood under this program if you do not receive a satisfactory response from the responsible developer. Vulnerabilities in third party apps are not eligible for rewards, but we do appreciate being made aware of them.
The following types of vulnerabilities are not eligible under this program:
If you have any questions about the rules and scope of the bounty program, you can email us at firstname.lastname@example.org