Banner object (1)

Hack and Take the Cash !

816 bounties in database
  Back Link to program      
15/04/2019
iRobot logo
Thanks
Gift
Hall of Fame
Reward

Reward

100 $ 

iRobot

NOTE! [Please Read Fully Before Beginning Or Engaging In Any Testing]

  1. Please DO NOT use automated vulnerability scanners when testing against the in-scope targets (Zap/Burp/Acunetix/Nikto/Nessus/etc) - all of these tools have already been run, and are run on a recurring basis internally. Running any tools of this nature is largely an inefficient use of your time and resources.
  2. However, you ARE encourage to run any custom scripts or fuzzers that you or have developed (e.g. niche file or directly wordlists, etc); however, please keep your requests using these tools to UNDER 50 requests per second.
  3. In short, we strongly encourage researchers to perform manual testing by hand - this is where you're much more likely to achieve success, and a much better use of your time and resources, as opposed to running common tools that have already been used extensively against the in-scope targets, etc.
  4. Please be aware that Submissions found using pirated software will not be rewarded.
  5. Good luck, and happy hunting!

Additionally, please be aware that this program does not accept out of

scope submissions. Testing targets that are out of scope is strictly prohibited.


iRobot, the leading global consumer robot company, designs and builds robots that empower people to do more both inside and outside of the home. This program is testing iRobot's web applications, mobile applications, cloud APIs, and cloud-connected robots for vulnerabilities.


Ratings/Rewards

For the initial prioritization/rating of findings, this program will use theBugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Rewards:

Financial rewards differ based on the tier of product the vulnerability was found in (see below for details).

Targets Eligible for Tier 1 Rewards

  • Any cloud API
  • Any cloud-connected iRobot robot

Targets Eligible for Tier 2 Rewards

  • iRobot Home - iOS
  • iRobot Home - Android
  • https://www.irobot.com
  • https://store.irobot.com

Category | Tier 1 (API/Robot) | Tier 2 (Mobile/Web properties)
---|---|---
P1 | $2,100-$2,500 | $1,200-$1,500
P2 | $1,200-$1,500 | $750-$1,000
P3 | $500-$750 | $300-$500
P4 | $100 | $100

Targets

In scope

Target name | Type
---|---
<https://store.irobot.com> | Website
<http://www.irobot.com> | Website
<https://itunes.apple.com/us/app/irobot-home/id1012014442?mt=8> | iOS
<https://play.google.com/store/apps/details?id=com.irobot.home> | Android
iRobot cloud-connected robot that you own (e.g., i7, 980, 960, 690, Braava, etc.) | Hardware

Out of scope

Target name | Type
---|---
<https://homesupport.irobot.com> | Website
irobot.in | Website

Testing is only authorized on the targets listed as In-Scope. Any domain/property of iRobot not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
Absolutely no out of scope submissions will be accepted at this time. Do not test anything that is not listed as In-Scope.


Quick Start:

  • Do not access, destroy, alter, or otherwise negatively impact iRobot customers, or customer data, in any way.
  • Do not perform any activities that would cause a denial of service (DoS), or distributed denial of service (DDoS), against iRobot products or services.
  • Ensure that you have fully read and understand the targets, exclusions, and rules below.
  • Understand the scope.
  • Note that bounties are awarded differently per product
  • To test robots, you will need a robot identifier (provided below or you can use your own if you own an iRobot cloud-connected robot) and either the iOS or Android iRobot Home application.

Target/testing Info:

Web Credentials

Credentials are self-provisioned on the iRobot site using your @bugcrowdninja.com email address. Additional user accounts can be created to perform horizontal (cross-account) testing using the same account creation process, using your @bugcrowdninja.com email address. We would like researchers to focus on testing the user account and associated functionality.

Testing order and payment workflow at store.irobot.com can be done with the following credit card information. Please do not input real information in orders for order testing purposes.

Shipping and Order Address: Must be valid address 
Name on Card: Any Name
CC#: 4111111111111111
CVV/CRV/CV2: 123
Expiration Date: Any date after current date

Robot IDs

Robot Identifiers are commonly found in API calls. If you do not have a robot to test with, you can use one of the following Robot IDs:

  • 6977840021925810
  • 3144460C10810750
  • 2A80AB73B5634DB9

Rules:

  • This bounty follows BugCrowd's Vulnerability Rating Taxonomy
  • This bounty follows BugCrowd's Standard Disclosure Terms
  • This bounty does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.
  • This program strictly prohibits any form of contact between Bugcrowd researchers and the iRobot support team. Please make all considerable efforts to avoid creating support tickets, messaging iRobot support, and/or attempting to elicit a response from iRobot's customer-focused business units. If you have questions or need to contact iRobot or Bugcrowd, please email support@bugcrowd.com. You must ensure that customer data or devices are not impacted in any way as a result of your testing. Ensure that you are not being destructive while testing and that you are only testing targets that are in-scope.
  • Submissions must be submitted in plain text formats. Supporting videos and images are fine as long as they are in standard, cross-platform formats. Submissions in other formats (e.g. DOCX, PDF, etc.,) will be asked to for resubmission in a plain text format.
  • We are not interested in vulnerabilities that only affect robots under your possession and control unless it can be demonstrated that the same vulnerability would impact another customer's robot, mobile device, account, etc.,

Focus Areas

Cloud/Robot/App

Due to the nature of our connected products, we are focused primarily on any vulnerabilities that could allow one user to affect any robots, mobile devices, or account information which do not belong to them. We are especially interested in any attacks that affect the entire robot fleet!

Other areas of interest:

  • Can you remotely install malware on another user's robot
  • Can you collect any user information without physical access to their robot or mobile device, including account information, persistent map information, user WiFi SSIDs, etc.
  • Can you control anyone else's robot remotely

As noted in the "out of scope" section below, we are interested if you can detail a vulnerability that would allow an actor to control or manipulate a robot not in their possession, but it is out of scope to actually control, deny service, or otherwise negatively impact a robot you do not own.

Web Applications

For our web applications we are interested in traditional web application vulnerabilities and other vulnerabilities that directly affect our customers or products. Some of these vulnerabilities include:

  • Cross-account data leakage or unauthorized access
  • Stored/Reflected/DOM-based Cross-Site Scripting (XSS)
  • SQL Injection (SQLi)
  • Server-side Remote Code Execution (RCE)
  • Server-side Request Forgery (SSRF)
  • Broken access controls (insecure direct object references, etc.)
  • Path/directory traversal

Out of Scope

  • Any access, destruction, alteration, public disclosure of, or otherwise negatively impacting attack against iRobot customers, customer data, or iRobot systems and/or data.
  • Any domain, property, product, protocol, or service of iRobot not explicitly listed in the In-Scope section is out of scope, including any and all iRobot domains and subdomains not listed above.
  • Any attack causing a denial of service (DoS), or distributed denial of service (DDoS) condition against iRobot products, services, or customers.
  • Any attacks against iRobot staff - including but not limited to social engineering, phishing, cold-calls, etc – are explicitly out-of-scope for this program.
  • Automated scanning tools are out of scope for this program.

Excluded Finding Types

The following finding types are specifically excluded from the bounty:

  • Fingerprinting or banner disclosure on public ports/services
  • Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain
  • Missing HTTP security headers, specifically:
    • HTTP Strict Transport Security (HSTS)
    • Public Key Pinning Extension for HTTP (HPKP)
    • X-Frame-Options
    • X-Frame-Options (Clickjacking)
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy
    • X-Permitted-Cross-Domain-Policies
    • Referrer-Policy
    • Expect-CT ** Feature-Policy
  • HTTP OPTIONS header
  • HTTP or DNS cache poisoning
  • Vulnerabilities in the WiFi spec
  • No load testing (DoS/DDoS) on the application(s) or network
  • Known vulnerabilities in used libraries, or reports of outdated libraries unless you can demonstrate exploitability

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

In Scope

Scope Type Scope Name
android_application

https://play.google.com/store/apps/details?id=com.irobot.home

hardware

iRobot cloud-connected robot that you own (e.g., i7, 980, 960, 690, Braava, etc.)

ios_application

https://itunes.apple.com/us/app/irobot-home/id1012014442?mt=8

web_application

https://store.irobot.com

web_application

http://www.irobot.com

Out of Scope

Scope Type Scope Name
web_application

https://homesupport.irobot.com

web_application

irobot.in


The public program iRobot on the platform Bugcrowd has been updated on 2019-08-06, The lowest reward is 100 $.

FireBounty © 2015-2019

Legal notices