05/12/2016
Reward types: Thanks, Gift, Hall of Fame, Reward

Reward: 100 $

In Scope

Scope Type | Scope Name
---|---
android_application | com.robinhood.android
ios_application | com.robinhood.release.Robinhood
web_application | nummus.robinhood.com
web_application | api.robinhood.com
web_application | robinhood.com

Out of Scope

Scope Type | Scope Name
---|---
other | Content Delivery Network (CDN) servers
other | Social media accounts (Facebook, Twitter, etc.)
web_application | support.robinhood.com
web_application | share.robinhood.com
web_application | blog.robinhood.com

Robinhood

Robinhood Bug Bounty Program

Robinhood is a U.S. based financial services company headquartered in Menlo Park, California. The Robinhood platform lets you invest in U.S. stocks, ETFs, options, and certain cryptocurrencies, without paying commission fees. We believe that exceptionally engineered systems are the cornerstones of establishing trust, and recognize the importance of security researchers in helping us keep our platform secure. We encourage responsible disclosure of security vulnerabilities and will award bounties commensurate with the severity of the issue.

Responsible Disclosure

If you are able to identify a security vulnerability (e.g., executing an attack and gaining access to our systems, accounts, or any other type of sensitive data), we ask that you make every effort to not leak data or damage the integrity of our systems and report the issue privately to us via this program. Specifically, this means:

  • Provide us with a reasonable amount of time to fix the issue before publishing it elsewhere
  • Provide us with details (code, endpoints, etc.) of the vulnerability so we can find and fix it
  • Do not leak, tamper, or destroy any Robinhood data
  • Do not defraud Robinhood users or Robinhood itself (by making or enabling fraudulent transactions)
  • Do not create a large number of user accounts or fake data records

Special Considerations

Due to the nature of our business, we ask that you also follow these guidelines:

  • Do not perform resource intensive tests which could result in downtime for our services when the stock market is open (Mon-Fri, 8:30AM - 6:00PM US/Eastern)
  • Do not make financial transactions (money transfers, stock trades, etc.) with compromised user accounts

Social Engineering

Social engineering attacks, including phishing attacks, against Robinhood employees or customers are not considered in the scope of this program.

Rewards

The minimum payout is $100 USD and an entry in our hall of fame for reporting a previously unknown security vulnerability of sufficient severity. Higher amounts are awarded according to the severity of the vulnerability in accordance with the guidelines below. Final determination of the eligibility and severity of the issue will be made by and at the sole discretion of the Robinhood Security Team. We are most concerned with vulnerabilities that could result in financial and/or data loss.

We use the following table as guidelines for determining reward amounts:

Vulnerability | Reward
---|---
Remote Code Execution (RCE) | $25,000 - $50,000
Significant Accounting Manipulation | $15,000 - $25,000
SQL Injection | $15,000 - $25,000
Significant Authentication / Authorization Bypass | $10,000 - $20,000
Significant Cross Site Scripting / Cross Site Request Forgery | $10,000 - $20,000
Sensitive Data Exposure | $2,500 - $5,000
Other Authentication / Authorization Bypass | $500 - $5,000
Other Cross Site Scripting / Cross Site Request Forgery | $500 - $5,000
Open Redirect | $100

Significant, as used above, means vulnerabilities which could reasonably result in non-trivial financial loss for Robinhood or its customers.

Sensitive Data, as used above, means personally identifiable information about Robinhood users such as, but not limited to, mailing addresses, social security numbers, or password hashes.

Early Access To Beta Features

Researchers who provide valuable reports may be given early access to Robinhood’s latest features at the security team’s discretion. This may include early access to features that would otherwise be subject to Robinhood’s waitlists.

Eligibility

Eligibility is limited to the in-scope domains and applications listed at the bottom of this page. Valid vulnerabilities on any domain not explicitly listed as in scope will be accepted but are ineligible for a reward. Software components used within Robinhood (e.g. Django) are eligible and may be exploited in your vulnerability testing. Note that bugs in third party components only qualify if we determine that they can be used to successfully exploit Robinhood. Researchers must be the first to identify and report a previously unknown vulnerability to be eligible for an award.

Vulnerability reports must be submitted via HackerOne or to Robinhood directly at bugbounty@robinhood.com.

Vulnerabilities found in third party apps integrating with the Robinhood API should be reported to the responsible developer. You should only report vulnerabilities found in third party apps to Robinhood under this program if you do not receive a satisfactory response from the responsible developer. Vulnerabilities in third party apps are not eligible for rewards, but we do appreciate being made aware of them.

The following types of vulnerabilities are not eligible under this program:

  • Physical attacks against Robinhood employees, offices, or data centers
  • Social engineering of Robinhood employees or users (e.g. phishing)
  • Denial of service (SYN floods, Slowloris attacks, etc.)
  • Vulnerabilities in third party integrations with the Robinhood API
  • Vulnerabilities that are strictly client side
  • Vulnerabilities that require physical access, rooted / jailbroken devices, or debug access to a user’s device
  • Issues in our blog (https://blog.robinhood.com) and social media accounts (Facebook, Twitter, etc.)
  • Issues in our support platform (https://support.robinhood.com)
  • Logout CSRF
  • User existence / user enumeration
  • Text-only injection in error pages
  • Unconfirmed reports from automated vulnerability scanners
  • Server and software versions in HTTP response headers
  • Lack of password complexity restrictions

If you have any questions about the rules and scope of the bounty program, you can email us at bugbounty@robinhood.com.

FireBounty © 2015-2019