By submitting reports to our program, you agree that you’ve read, understood, and will follow our Program Rules and overall Program Policy.

Program Rules

1. Be careful with sensitive information. If sensitive information such as personal information or user credentials are uncovered as part of your research, stop and report it to us immediately. Do not save, store, copy, move, or otherwise retain sensitive information, and work with us on any additional requests we may have.
2. Test responsibly. Only interact with and test bugs against accounts you own. We do not allow testing against user accounts not owned by the Security Researcher. Reach out to us if you need help with testing cross-account issues.
3. Do not cause harm. Do not engage in activities that disrupt, damage, or otherwise cause harm to or defraud Robinhood, our users, our employees, our data or our users’ data, or our brand—including, without limitation, denial of service attacks, social engineering, phishing, spam, social media scams, fraudulent transactions, data exfiltration or tampering, or physical attacks.

Violation of any of our Program Rules may result in (but is not limited to) consequences such as ineligibility for a bounty, permanent disqualification and removal from the Robinhood Bug Bounty Program, or voiding the protections of the Intigriti Safe Harbor.

Service Level Agreements (SLAs)

Robinhood will make a best effort to meet the following SLAs for hackers participating in our program:

Special Considerations

Due to the nature of our business, we ask that you also follow these guidelines:

• Do not perform resource intensive tests which could result in disruption or downtime for our services (updated 12/08/2023).
• Do not make financial transactions with other user accounts.

Welcome to the Robinhood Bug Bounty Program! We’re excited to work more closely with you on discovering bugs in Robinhood. If you have any questions on our program, please email bugbounty@robinhood.com or find us on Bug Bounty Forum. Thank you for helping keep Robinhood and our users safe!

We consider most informative-type issues to be out of scope, like SPF issues. If most other bug bounty programs exclude it, we likely would too. To keep it brief, we’ll only enumerate the most important issues to avoid testing or reporting.

• Physical attacks against Robinhood employees, offices, or data centers
• Social engineering attacks against Robinhood employees or users, including phishing
• Vulnerabilities in third-party integrations with the Robinhood API
• Vulnerabilities that require physical access, rooted / jailbroken devices, or debug access to a user’s device
• Denial of service without prior authorization
• Subdomain takeover without taking over the subdomain

If you have any questions about the rules or scope of the Robinhood Bug Bounty Program, please reach out to us at bugbounty@robinhood.com or on Bug Bounty Forum.

Robinhood uses a sliding CVSSv3-based system for determining bounty amounts, with a formula built into Intigriti. We’ll work with you to find an accurate CVSS score for your report, but we have the final say in any determinations.

We may offer up to $50,000 for exceptional reports that demonstrate exceptional criticality in our focus areas. Presently, this applies to remote code execution in core services, as well as significant accounting manipulations which would cause non-trivial financial losses to Robinhood.

VIP Program

Robinhood also maintains a VIP Bug Bounty Program, which allows access to pre-release features in advance of their launch before the general public. Researchers who participate in our program may be invited to join the VIP Program based on the quality and consistency of their reports, with at least 3-5 reports submitted over time.

Zero-Day Issues

Robinhood accepts zero-day issues in third party software that can be directly used to compromise the confidentiality or integrity of our products. Zero-day issues may be submitted to our program at any time; however, we will only accept reports that permit us to disclose the issue to the relevant vendors. We cannot authorize testing against any third parties or our vendors.

Eligibility to Participate

To be eligible to participate in any Robinhood Bug Bounty Program, you must:

• Be at least 18 years of age and meet Robinhood account requirements if you test using a Robinhood account
• Not be employed by Robinhood as an employee, contingent worker, or contractor (including individuals who separated from Robinhood within the prior 12 months) or be an immediate family member of a current or former Robinhood employee, contingent worker, or contractor
• Not be a resident of or an individual located within a country appearing on any U.S. sanctions lists, as administered by the Office of Foreign Assets Control (OFAC)
• Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to the Bug Bounty Program

Rewards

Our program calculates bounties for reports based on a sliding CVSSv3 scale, calculated by Intigriti; the higher the issue’s score, the higher your bounty will be. We’ll use lower environmental scores for assets that are less important to Robinhood. We encourage rating your issues with CVSS before submission, but know that we may have to make adjustments in the event the score isn’t representative of the true impact. Final determination of the eligibility and severity of the issue will be made by and at the sole discretion of the Robinhood Security Team.

Eligibility is limited to domains and properties owned and operated by Robinhood and its acquisitions. Software components used within Robinhood are eligible and may be exploited in your vulnerability testing. Note that bugs in third-party components only qualify if we determine that they can be used to successfully exploit Robinhood.

All investments involve risk and loss of principal is possible.

Robinhood Financial LLC (member SIPC), is a registered broker dealer. Robinhood Securities, LLC (member SIPC), is a registered broker dealer and provides brokerage clearing services. Cryptocurrency services are offered through Robinhood Crypto, LLC. The Robinhood Money spending account is offered through Robinhood Money, LLC, a licensed money transmitter. All are subsidiaries of Robinhood Markets, Inc. (‘Robinhood’).

© 2024 Robinhood Markets, Inc.