Robinhood Markets Inc./Robinhood Bug Bounty Program/Detail
Detail Leaderboard
Description

Democratizing America’s financial system. Invest in stocks, ETFs, options, and cryptocurrencies commission-free. Disclosure: https://robinhood.com/legal

Bounties
Low
0.1 - 3.9
Medium
4.0 - 6.9
High
7.0 - 8.9
Critical
9.0 - 9.4
Exceptional
9.5 - 10.0
Tier 1
min. $
max. $
100
500
500
5,000
5,000
10,000
10,000
25,000
25,000
50,000
Tier 1
$100 - $50,000
Tier 2
min. $
max. $
100
500
500
5,000
5,000
10,000
10,000
25,000
25,000
50,000
Tier 2
$100 - $50,000
Rules of engagement
Required
Not applicable
Not applicable
Not applicable

By submitting reports to our program, you agree that you’ve read, understood, and will follow our Program Rules and overall Program Policy.

Program Rules

  1. Be careful with sensitive information. If sensitive information such as personal information or user credentials are uncovered as part of your research, stop and report it to us immediately. Do not save, store, copy, move, or otherwise retain sensitive information, and work with us on any additional requests we may have.
  2. Test responsibly. Only interact with and test bugs against accounts you own. We do not allow testing against user accounts not owned by the Security Researcher. Reach out to us if you need help with testing cross-account issues.
  3. Do not cause harm. Do not engage in activities that disrupt, damage, or otherwise cause harm to or defraud Robinhood, our users, our employees, our data or our users’ data, or our brand—including, without limitation, denial of service attacks, social engineering, phishing, spam, social media scams, fraudulent transactions, data exfiltration or tampering, or physical attacks.

Violation of any of our Program Rules may result in (but is not limited to) consequences such as ineligibility for a bounty, permanent disqualification and removal from the Robinhood Bug Bounty Program, or voiding the protections of the Intigriti Safe Harbor.

Service Level Agreements (SLAs)

Robinhood will make a best effort to meet the following SLAs for hackers participating in our program:

Type of Response SLA in business days
First response 1 day
Time to triage 5 days
Time to bounty 1 day after triage

Special Considerations

Due to the nature of our business, we ask that you also follow these guidelines:

  • Do not perform resource intensive tests which could result in disruption or downtime for our services (updated 12/08/2023).
  • Do not make financial transactions with other user accounts.
Assets
tier
All
type
All

*.rhinternal.net

Tier 1
Wildcard

*.robinhood.com

Tier 1
Wildcard

*.robinhood.net

Tier 1
Wildcard

robinhood.net contains internal Robinhood services. You shouldn’t be able to log into anything here.

1634080733
Tier 1
iOS
6462308655
Tier 1
iOS
938003185
Tier 1
iOS
com.robinhood.android
Tier 1
Android
com.robinhood.gateway
Tier 1
Android
com.robinhood.money
Tier 1
Android
shop.robinhood.com
Out of scope
URL

Report findings to Brilliant Made (https://www.brilliantmade.com/)

In scope

Welcome to the Robinhood Bug Bounty Program! We’re excited to work more closely with you on discovering bugs in Robinhood. If you have any questions on our program, please email bugbounty@robinhood.com or find us on Bug Bounty Forum. Thank you for helping keep Robinhood and our users safe!

Out of scope

We consider most informative-type issues to be out of scope, like SPF issues. If most other bug bounty programs exclude it, we likely would too. To keep it brief, we’ll only enumerate the most important issues to avoid testing or reporting.

  • Physical attacks against Robinhood employees, offices, or data centers
  • Social engineering attacks against Robinhood employees or users, including phishing
  • Vulnerabilities in third-party integrations with the Robinhood API
  • Vulnerabilities that require physical access, rooted / jailbroken devices, or debug access to a user’s device
  • Denial of service without prior authorization
  • Subdomain takeover without taking over the subdomain

If you have any questions about the rules or scope of the Robinhood Bug Bounty Program, please reach out to us at bugbounty@robinhood.com or on Bug Bounty Forum.

Severity assessment

Robinhood uses a sliding CVSSv3-based system for determining bounty amounts, with a formula built into Intigriti. We’ll work with you to find an accurate CVSS score for your report, but we have the final say in any determinations.

We may offer up to $50,000 for exceptional reports that demonstrate exceptional criticality in our focus areas. Presently, this applies to remote code execution in core services, as well as significant accounting manipulations which would cause non-trivial financial losses to Robinhood.

FAQ

VIP Program

Robinhood also maintains a VIP Bug Bounty Program, which allows access to pre-release features in advance of their launch before the general public. Researchers who participate in our program may be invited to join the VIP Program based on the quality and consistency of their reports, with at least 3-5 reports submitted over time.

Zero-Day Issues

Robinhood accepts zero-day issues in third party software that can be directly used to compromise the confidentiality or integrity of our products. Zero-day issues may be submitted to our program at any time; however, we will only accept reports that permit us to disclose the issue to the relevant vendors. We cannot authorize testing against any third parties or our vendors.

Eligibility to Participate

To be eligible to participate in any Robinhood Bug Bounty Program, you must:

  • Be at least 18 years of age and meet Robinhood account requirements if you test using a Robinhood account
  • Not be employed by Robinhood as an employee, contingent worker, or contractor (including individuals who separated from Robinhood within the prior 12 months) or be an immediate family member of a current or former Robinhood employee, contingent worker, or contractor
  • Not be a resident of or an individual located within a country appearing on any U.S. sanctions lists, as administered by the Office of Foreign Assets Control (OFAC)
  • Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to the Bug Bounty Program

Rewards

Our program calculates bounties for reports based on a sliding CVSSv3 scale, calculated by Intigriti; the higher the issue’s score, the higher your bounty will be. We’ll use lower environmental scores for assets that are less important to Robinhood. We encourage rating your issues with CVSS before submission, but know that we may have to make adjustments in the event the score isn’t representative of the true impact. Final determination of the eligibility and severity of the issue will be made by and at the sole discretion of the Robinhood Security Team.

Eligibility is limited to domains and properties owned and operated by Robinhood and its acquisitions. Software components used within Robinhood are eligible and may be exploited in your vulnerability testing. Note that bugs in third-party components only qualify if we determine that they can be used to successfully exploit Robinhood.

All investments involve risk and loss of principal is possible.

Robinhood Financial LLC (member SIPC), is a registered broker dealer. Robinhood Securities, LLC (member SIPC), is a registered broker dealer and provides brokerage clearing services. Cryptocurrency services are offered through Robinhood Crypto, LLC. The Robinhood Money spending account is offered through Robinhood Money, LLC, a licensed money transmitter. All are subsidiaries of Robinhood Markets, Inc. (‘Robinhood’).

© 2024 Robinhood Markets, Inc.

All aboard!
Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.

Researchers
last contributors
logo
 harshilsecops
logo
 laccart
logo
 0xdln
logo
 m0chan
logo
 ltidi
logo
 muhsinms01
leaderboard
logo
 theokeen
logo
 mr_zheev1337
logo
 topenga
logo
 ch0p1n
logo
 seandai
logo
 403_forbidd3n
Overall stats
submissions received
485
average payout
$1,700
accepted submissions
46
total payouts
$76,469
Last 90 day response times
avg. time first response
< 2 days
avg. time to decide
< 3 weeks
avg. time to triage
< 2 days
Activity
7/5
logo
bugooos
created a submission
7/4
Robinhood Markets Inc.
closed a submission
7/4
logo
bugooos
created a submission
7/4
logo
tako
created a submission
7/2
Robinhood Markets Inc.
closed a submission
7/1
Robinhood Markets Inc.
closed a submission
7/1
Robinhood Markets Inc.
closed a submission
7/1
Robinhood Markets Inc.
accepted a submission
7/1
logo
jyr
created a submission
6/30
Robinhood Markets Inc.
closed a submission