45466 policies in database
Link to program      
2016-12-05
2019-08-03
Robinhood logo
Thank
Gift
HOF
Reward

Reward

100 $ 

Robinhood

Welcome to the Robinhood Bug Bounty Program! We’re excited to work more closely with you on discovering bugs in Robinhood. If you have any questions on our program, please email bugbounty@robinhood.com or find us on Bug Bounty Forum. Thank you for helping keep Robinhood and our users safe!

Rules of Engagement

By submitting reports to our program, you agree that you’ve read, understood, and will follow our Program Rules and overall Program Policy.

Program Rules

  • Be careful with sensitive information. If sensitive information such as personal information or user credentials are uncovered as part of your research, stop and report it to us immediately. Do not save, store, copy, or otherwise retain sensitive information, and work with us on any additional requests we may have.

  • Test responsibly. Only interact with and test bugs against accounts you own. Reach out to us if you need help with testing cross-account issues.

  • Do not cause harm. Do not engage in activities that disrupt, damage, or otherwise cause harm to or defraud Robinhood, our users, our employees, or our brand—including denial of service attacks, social engineering, phishing, spam, social media scams, fraudulent transactions, or physical attacks.

Violation of any of our Program Rules may result in (but is not limited to) ineligibility for a bounty and/or permanent disqualification and removal from the Robinhood Bug Bounty Program.

Special Considerations

Due to the nature of our business, we ask that you also follow these guidelines:

  • Do not perform resource intensive tests which could result in disruption or downtime for our services when the stock market is open (Mon-Fri, 8:30AM - 6:00PM US/Eastern).

  • Do not make financial transactions with other user accounts.

VIP Program

Robinhood also maintains a VIP Bug Bounty Program, which allows access to pre-release features in advance of their launch before the general public. Researchers who participate in our program may be invited to join the VIP Program based on the quality and consistency of their reports, with at least 3-5 reports submitted over time.

Eligibility to Participate

To be eligible to participate in any Robinhood Bug Bounty Program, you must:

  • Be at least 18 years of age and meet Robinhood account requirements if you test using a Robinhood account

  • Not be employed by Robinhood as an employee, contingent worker, or contractor (including individuals who separated from Robinhood within the prior 12 months) or be an immediate family member of a current or former Robinhood employee, contingent worker, or contractor

  • Not be a resident of or an individual located within a country appearing on any U.S. sanctions lists, as administered by the Office of Foreign Assets Control (OFAC)

  • Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to the Bug Bounty Program

Rewards

Our program calculates bounties for reports based on a sliding CVSSv3 scale, calculated by HackerOne; the higher the issue’s score, the higher your bounty will be. We’ll use lower environmental scores for assets that are less important to Robinhood. We encourage rating your issues with CVSS before submission, but know that we may have to make adjustments in the event the score isn’t representative of the true impact. Final determination of the eligibility and severity of the issue will be made by and at the sole discretion of the Robinhood Security Team.

Eligibility is limited to domains and properties owned and operated by Robinhood and its acquisitions. Software components used within Robinhood are eligible and may be exploited in your vulnerability testing. Note that bugs in third-party components only qualify if we determine that they can be used to successfully exploit Robinhood.

Out of Scope

We consider most informative-type issues to be out of scope, like SPF issues. If most other bug bounty programs exclude it, we likely would too. To keep it brief, we’ll only enumerate the most important issues to avoid testing or reporting.

  • Physical attacks against Robinhood employees, offices, or data centers

  • Social engineering attacks against Robinhood employees or users, including phishing

  • Vulnerabilities in third-party integrations with the Robinhood API

  • Vulnerabilities that require physical access, rooted / jailbroken devices, or debug access to a user’s device

  • Denial of service without prior authorization

If you have any questions about the rules or scope of the Robinhood Bug Bounty Program, please reach out to us at bugbounty@robinhood.com or on Bug Bounty Forum.


All investments involve risk and loss of principal is possible.

Robinhood Financial LLC (member SIPC), is a registered broker dealer. Robinhood Securities, LLC (member SIPC), is a registered broker dealer and provides brokerage clearing services. Cryptocurrency services are offered through an account with Robinhood Crypto, LLC (NMLS ID 1702840). All are subsidiaries of Robinhood Markets, Inc. (‘Robinhood’).

© 2022 Robinhood Markets, Inc.

In Scope

Scope Type Scope Name
android_application

com.robinhood.android

ios_application

com.robinhood.release.Robinhood

web_application

*.robinhood.com

web_application

*.robinhood.net

web_application

*.rhinternal.net


Firebounty have crawled on 2016-12-05 the program Robinhood on the platform Hackerone.

FireBounty © 2015-2024

Legal notices | Privacy policy