Roblox’s Bug Bounty Program – UnicMinds


Roblox is already the world’s largest gaming platform where children can imagine, create, and play in an interactive and immersive 3D gaming experience. In striving towards providing the best customer experience and in order to reduce security issues, Roblox has its own Bug Bounty Program where security enthusiasts and professionals can point out any security vulnerabilities. This post is heavily borrowed from HackerOne to enable more visibility and distribution of the program.

Guidelines & Rules

To participate in Roblox’s security bug bounty program, we request that you abide by the following rules. When reporting vulnerabilities, please consider (1) how easily/realistically exploitable the bug is (what’s the attack scenario?) and (2) what’s the security impact of the bug to our users and company? If a bug is not easily exploitable or doesn’t have a significant security impact to our platform and users, we may not accept it or we may lower the overall severity and/or payout to match how impactful it is. This often comes into play in differences between our in-scope assets and how impactful they might be to our overall user-facing products and platform.

Roblox reserves the right to modify the terms of this policy at any time. There are a set of rules to abide by in terms of handling data, testing, response targets, disclosure policy, and more importantly the out-of-scope vulnerabilities (mentioned below).

Bounty Rewards

Each severity category shows the 90-day average bounty paid.

Submission

You can log in and submit at HackerOne.

Rules on Handling Data

  • Your participation in the Roblox bug bounty program generally prohibits you from collecting, accessing, viewing, storing, altering or otherwise using data of Roblox users.
  • While testing, take measures to avoid accessing user data or affecting other users’ experiences. Please localize testing to your own test accounts wherever possible. If private user data is accessed during your security testing, please notify us immediately.
  • If you have found an issue that may require touching other users’ data to verify, please contact us first for guidance on how to safely test for such issues.
  • In exceptional cases in which data of Roblox users is accessed and used for the security testing, please restrict the data use to the extent that is crucially necessary to conduct proper security testing. This particularly means that you only use user data of very few Roblox users and that you limit the amount of the specific user data to the scope that is necessary for the specific testing measure.
  • In case of accessing user data for testing purposes, please ensure you take measures to prevent unauthorized access, alteration or deletion of the user data. You may not use the user data for any purposes other than participating in the Roblox bug bounty program and conducting the security testing.
  • You may not use the user data accessed during the security testing to contact Roblox users for any reason, including informing them about the security testing.
  • After completing the testing, you must delete any user data from your systems irrevocably. We reserve the right to demand proof of proper deletion.
  • You must refrain from sharing user data with others or publishing user data.
  • A violation of these data protection obligations may lead to exclusion from the bug bounty program. In the event of infringement, Roblox reserves the right to reclaim already awarded bounties. Infringing data protection laws, including the European General Data Protection Regulation (GDPR), can result in substantial fines and/or users may be entitled to damages.

Rules on Testing

  • If you are aware that your attacks may harm the reliability or integrity of our services or data, stop immediately and contact us
  • Vulnerabilities found through DDoS/spam attacks are not allowed
  • Never attempt non-technical attacks such as social engineering (e.g. phishing, vishing, smishing) or physical attacks against our employees, users, or infrastructure
  • Recently disclosed 0-day vulnerabilities are not eligible, unless you have a working PoC exploit.
  • Follow HackerOne’s disclosure guidelines
  • When testing, please include the string “hackeronetest-” at the end of your user agent so we can more easily identify traffic that is coming from the bug bounty program.
  • For any report involving the Roblox Client or Roblox Studio, include the version
  • In Studio, click File > About Roblox Studio
  • For the client, the version is shown in the properties of the exe file, typically located at %APPDATA%\..\Local\Roblox\Versions\RobloxPlayerBeta.exe. There are often two folders, one for the client, one for Studio.
  • Report the approximate date/time/timezone of the latest test of the issue
  • Please do NOT contact our customer support team or employees out of band to contest or escalate a report; all inquiries should happen on the report itself. Failure to follow this rule may result in a bounty not being paid out and repeat offenses can lead to removal from the bug bounty program
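The “hackeronetest-” user-agent suffix exists so the defending side can tell authorized bounty testing apart from everything else in its web logs. The snippet below is an added illustration of that triage step written for this post; it is not Roblox’s or HackerOne’s code. It parses a few constructed Apache/nginx combined-format log lines and splits them into bounty traffic and other traffic, applying the rule literally: the marker must be at the end of the user agent, so a marker buried mid-string is not counted.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Marker the policy asks researchers to append to their User-Agent.
BOUNTY_MARKER = "hackeronetest-"

# Apache/nginx "combined" log format (ip ident user [ts] "req" status size "referer" "ua").
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; the IPs are documentation ranges, not real clients.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /api/profile HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) hackeronetest-"',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /home HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"',
    # Marker present but not at the end: does not satisfy the rule as written.
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /api/login HTTP/1.1" 401 128 '
    '"-" "hackeronetest- curl/8.4.0"',
    'garbage line that does not parse',
]


@dataclass
class Request:
    ip: str
    timestamp: str
    request: str
    status: int
    user_agent: str
    bounty_traffic: bool


def is_bounty_traffic(user_agent: str) -> bool:
    """True only when the marker is the suffix of the User-Agent string."""
    return user_agent.rstrip().endswith(BOUNTY_MARKER)


def parse_line(line: str) -> Optional[Request]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    ua = m.group("ua")
    return Request(
        ip=m.group("ip"),
        timestamp=m.group("ts"),
        request=m.group("req"),
        status=int(m.group("status")),
        user_agent=ua,
        bounty_traffic=is_bounty_traffic(ua),
    )


def split_traffic(lines: List[str]) -> Tuple[List[Request], List[Request]]:
    """Return (bounty_requests, other_requests), skipping unparseable lines."""
    bounty: List[Request] = []
    other: List[Request] = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        (bounty if req.bounty_traffic else other).append(req)
    return bounty, other


if __name__ == "__main__":
    bounty, other = split_traffic(SAMPLE_LOG)
    print(f"bounty traffic: {len(bounty)} request(s), other traffic: {len(other)} request(s)")
    for r in bounty:
        print(f"  [bounty] {r.ip} {r.request} -> {r.status}")
```

In a real pipeline the `other` bucket is what the SOC keeps alerting on, while the `bounty` bucket can be routed to whoever is watching the HackerOne queue; the suffix check is deliberately strict so a researcher who puts the marker elsewhere still shows up as ordinary traffic, exactly as the rule implies.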

Response Targets

Roblox will endeavor to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submit): 3 business days
  • Time to triage (from report submit): 2-10 business days
  • Time to bounty (from triage): 20-40 business days
  • We’ll try to keep you informed about our progress throughout the process

Disclosure Policy

While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited and will result in disqualification from the Bug Bounty Program and, if necessary, referral of your conduct to law enforcement:

  • Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other person without explicit Roblox authorization
  • Disclosing the contents of any submission to our program without explicit Roblox authorization
  • Accessing private information of any person stored on a Roblox product or service – you must use test accounts
  • Sharing or publishing Roblox user data
  • Accessing sensitive information (e.g. credentials)
  • Performing actions that may negatively affect Roblox or its users (e.g. spam, brute force, denial of service)
  • Conducting any kind of physical attack on Roblox personnel, property or data centers
  • Social engineering any Roblox help desk, employee or contractor
  • Exfiltrating data. Please test only the minimum necessary to validate a vulnerability (we can verify whether data exfiltration would be possible from a vulnerability, and will reward with the impact in mind)
  • Violating any laws or regulations or breaching any agreements in order to discover vulnerabilities

Out-of-scope Vulnerabilities

When reporting vulnerabilities, please consider (1) how easily/realistically exploitable the bug is (what’s the attack scenario?) and (2) what’s the security impact of the bug? If a bug is not easily exploitable or doesn’t have a significant security impact, it is less likely to qualify for a bounty or may have a lower payout. For example, low-impact vulnerabilities on our WordPress sites such as blog.roblox.com or similar sites that are in scope may be downrated in severity if the impact is lacking.

The following vulnerabilities typically will not qualify for Roblox’s program:

  • Vulnerabilities previously disclosed through the program or otherwise known to Roblox or to the public
  • User account hacks that require user interaction
  • Chat filter bugs
  • Missing autocomplete attributes
  • Missing flags on cookies that don’t hold any sensitive information
  • SSL/TLS scan reports (this means output from sites such as SSL Labs) and SSL/TLS version related vulnerabilities
  • Missing security-related HTTP headers which do not lead directly to a vulnerability. Issues that only affect a smaller user base (e.g. users on outdated browsers or other outdated software).
  • Vulnerabilities that can be used for volumetric DDoS/DoS/spam attacks are out of scope. However, vulnerabilities in the Roblox data model that can be used by exploiters specifically for crashing the game servers are strongly encouraged to be reported.
  • Cross-site Request Forgery (CSRF) with minimal security implications (login/logout/unauthenticated)
  • Version information disclosure (without verifying the presence of an actual exploitable vulnerability)
  • Password complexity related vulnerabilities
  • Unverified or incomplete “scanner output” or scanner-generated reports
  • Vulnerabilities requiring physical access to the victim’s unlocked device
  • Bugs requiring exceedingly unlikely user interaction
  • Disclosure of information already in the public domain or information previously disclosed by Roblox
  • Disclosure of public information and information that does not present significant risk
  • Vulnerabilities that Roblox determines to be an accepted risk will not be eligible for a paid bounty
  • Language used in emails and policy documents
  • SPF, DKIM or DMARC issues on sub-domains of roblox.com
  • HTML injection vulnerabilities with no direct risk
  • Social engineering or following a link will not be considered for bounty
  • Self-XSS or similar vulnerabilities
  • Vulnerabilities found on *.ra.roblox.com that don’t affect release servers
  • Vulnerabilities from beta / early access that aren’t in a private HackerOne bounty program may be out of scope, at the discretion of Roblox. Unless otherwise stated, being invited to give feedback on a beta feature doesn’t guarantee you will be paid bounties for said feedback.

Hope this is useful, thanks.

Source: HackerOne
