Welcome to the Robinhood Bug Bounty Program! We’re excited to work more closely with you on discovering bugs in Robinhood. If you have any questions on our program, please email bugbounty@robinhood.com or find us on Bug Bounty Forum. Thank you for helping keep Robinhood and our users safe!
By submitting reports to our program, you agree that you’ve read, understood, and will follow our Program Rules and overall Program Policy.
Be careful with sensitive information. If sensitive information such as personal information or user credentials is uncovered as part of your research, stop and report it to us immediately. Do not save, store, copy, or otherwise retain sensitive information, and work with us on any additional requests we may have.
Test responsibly. Only interact with and test bugs against accounts you own. Reach out to us if you need help with testing cross-account issues.
Do not cause harm. Do not engage in activities that disrupt, damage, or otherwise cause harm to or defraud Robinhood, our users, our employees, or our brand—including denial of service attacks, social engineering, phishing, spam, social media scams, fraudulent transactions, or physical attacks.
Violation of any of our Program Rules may result in (but is not limited to) ineligibility for a bounty and/or permanent disqualification and removal from the Robinhood Bug Bounty Program.
Due to the nature of our business, we ask that you also follow these guidelines:
Do not perform resource-intensive tests which could result in disruption or downtime for our services while the stock market is open (Mon-Fri, 8:30AM - 6:00PM US/Eastern).
Do not make financial transactions with other user accounts.
Robinhood also maintains a VIP Bug Bounty Program, which gives access to pre-release features before their launch to the general public. Researchers who participate in our program may be invited to join the VIP Program based on the quality and consistency of their reports, with at least 3-5 reports submitted over time.
To be eligible to participate in any Robinhood Bug Bounty Program, you must:
Be at least 18 years of age and meet Robinhood account requirements if you test using a Robinhood account
Not be employed by Robinhood as an employee, contingent worker, or contractor (including individuals who separated from Robinhood within the prior 12 months) or be an immediate family member of a current or former Robinhood employee, contingent worker, or contractor
Not be a resident of or an individual located within a country appearing on any U.S. sanctions lists, as administered by the Office of Foreign Assets Control (OFAC)
Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to the Bug Bounty Program
Our program calculates bounties for reports based on a sliding CVSSv3 scale, calculated by HackerOne; the higher the issue’s score, the higher your bounty will be. We’ll use lower environmental scores for assets that are less important to Robinhood. We encourage rating your issues with CVSS before submission, but know that we may have to make adjustments in the event the score isn’t representative of the true impact. Final determination of the eligibility and severity of the issue will be made by and at the sole discretion of the Robinhood Security Team.
Eligibility is limited to domains and properties owned and operated by Robinhood and its acquisitions. Software components used within Robinhood are eligible and may be exploited in your vulnerability testing. Note that bugs in third-party components only qualify if we determine that they can be used to successfully exploit Robinhood.
We consider most informative-type issues to be out of scope, like SPF issues. If most other bug bounty programs exclude it, we likely would too. To keep it brief, we’ll only enumerate the most important issues to avoid testing or reporting.
Physical attacks against Robinhood employees, offices, or data centers
Social engineering attacks against Robinhood employees or users, including phishing
Vulnerabilities in third-party integrations with the Robinhood API
Vulnerabilities that require physical access, rooted / jailbroken devices, or debug access to a user’s device
Denial of service without prior authorization
If you have any questions about the rules or scope of the Robinhood Bug Bounty Program, please reach out to us at bugbounty@robinhood.com or on Bug Bounty Forum.
All investments involve risk and loss of principal is possible.
Robinhood Financial LLC (member SIPC), is a registered broker dealer. Robinhood Securities, LLC (member SIPC), is a registered broker dealer and provides brokerage clearing services. Cryptocurrency services are offered through an account with Robinhood Crypto, LLC (NMLS ID 1702840). All are subsidiaries of Robinhood Markets, Inc. (‘Robinhood’).
© 2022 Robinhood Markets, Inc.
| Scope Type | Scope Name |
|---|---|
| android_application | com.robinhood.android |
| ios_application | com.robinhood.release.Robinhood |
| web_application | *.robinhood.com |
| web_application | *.robinhood.net |
| web_application | *.rhinternal.net |
FireBounty crawled the Robinhood program on the HackerOne platform on 2016-12-05.