Robinhood Bug Bounty Program - Bug Bounty Program

Description

Democratizing America’s financial system. Invest in stocks, ETFs, options, and cryptocurrencies commission-free. Disclosure: https://robinhood.com/legal

Bounties

Tier 1

min. $

max. $

100

500

5,000

10,000

25,000

50,000

Tier 1

$100 - $50,000

Tier 2

min. $

max. $

100

500

5,000

10,000

25,000

50,000

Tier 2

$100 - $50,000

Rules of engagement

@intigriti.me

Required

User agent

Not applicable

Automated tooling

Not applicable

Request header

Not applicable

By submitting reports to our program, you agree that you’ve read, understood, and will follow our Program Rules and overall Program Policy.

Program Rules

Be careful with sensitive information. If sensitive information such as personal information or user credentials are uncovered as part of your research, stop and report it to us immediately. Do not save, store, copy, move, or otherwise retain sensitive information, and work with us on any additional requests we may have.
Test responsibly. Only interact with and test bugs against accounts you own. We do not allow testing against user accounts not owned by the Security Researcher. Reach out to us if you need help with testing cross-account issues.
Do not cause harm. Do not engage in activities that disrupt, damage, or otherwise cause harm to or defraud Robinhood, our users, our employees, our data or our users’ data, or our brand—including, without limitation, denial of service attacks, social engineering, phishing, spam, social media scams, fraudulent transactions, data exfiltration or tampering, or physical attacks.

Violation of any of our Program Rules may result in (but is not limited to) consequences such as ineligibility for a bounty, permanent disqualification and removal from the Robinhood Bug Bounty Program, or voiding the protections of the Intigriti Safe Harbor.

Service Level Agreements (SLAs)

Robinhood will make a best effort to meet the following SLAs for hackers participating in our program:

Type of Response	SLA in business days
First response	1 day
Time to triage	5 days
Time to bounty	1 day after triage

Special Considerations

Due to the nature of our business, we ask that you also follow these guidelines:

Do not perform resource intensive tests which could result in disruption or downtime for our services (updated 12/08/2023).
Do not make financial transactions with other user accounts.

Safe harbour for researchers is applied

Assets

*.rhinternal.net

Tier 1

Wildcard

*.robinhood.com

Tier 1

Wildcard

*.robinhood.net

Tier 1

Wildcard

robinhood.net contains internal Robinhood services. You shouldn’t be able to log into anything here.

1634080733

Tier 1

iOS

6462308655

Tier 1

iOS

938003185

Tier 1

iOS

com.robinhood.android

Tier 1

Android

com.robinhood.gateway

Tier 1

Android

com.robinhood.money

Tier 1

Android

shop.robinhood.com

Out of scope

URL

Report findings to Brilliant Made (https://www.brilliantmade.com/)

In scope

Welcome to the Robinhood Bug Bounty Program! We’re excited to work more closely with you on discovering bugs in Robinhood. If you have any questions on our program, please email bugbounty@robinhood.com or find us on Bug Bounty Forum. Thank you for helping keep Robinhood and our users safe!

Out of scope

We consider most informative-type issues to be out of scope, like SPF issues. If most other bug bounty programs exclude it, we likely would too. To keep it brief, we’ll only enumerate the most important issues to avoid testing or reporting.

Physical attacks against Robinhood employees, offices, or data centers
Social engineering attacks against Robinhood employees or users, including phishing
Vulnerabilities in third-party integrations with the Robinhood API
Vulnerabilities that require physical access, rooted / jailbroken devices, or debug access to a user’s device
Denial of service without prior authorization
Subdomain takeover without taking over the subdomain

If you have any questions about the rules or scope of the Robinhood Bug Bounty Program, please reach out to us at bugbounty@robinhood.com or on Bug Bounty Forum.

Severity assessment

Robinhood uses a sliding CVSSv3-based system for determining bounty amounts, with a formula built into Intigriti. We’ll work with you to find an accurate CVSS score for your report, but we have the final say in any determinations.

We may offer up to $50,000 for exceptional reports that demonstrate exceptional criticality in our focus areas. Presently, this applies to remote code execution in core services, as well as significant accounting manipulations which would cause non-trivial financial losses to Robinhood.

FAQ

VIP Program

Robinhood also maintains a VIP Bug Bounty Program, which allows access to pre-release features in advance of their launch before the general public. Researchers who participate in our program may be invited to join the VIP Program based on the quality and consistency of their reports, with at least 3-5 reports submitted over time.

Zero-Day Issues

Robinhood accepts zero-day issues in third party software that can be directly used to compromise the confidentiality or integrity of our products. Zero-day issues may be submitted to our program at any time; however, we will only accept reports that permit us to disclose the issue to the relevant vendors. We cannot authorize testing against any third parties or our vendors.

Eligibility to Participate

To be eligible to participate in any Robinhood Bug Bounty Program, you must:

Be at least 18 years of age and meet Robinhood account requirements if you test using a Robinhood account
Not be employed by Robinhood as an employee, contingent worker, or contractor (including individuals who separated from Robinhood within the prior 12 months) or be an immediate family member of a current or former Robinhood employee, contingent worker, or contractor
Not be a resident of or an individual located within a country appearing on any U.S. sanctions lists, as administered by the Office of Foreign Assets Control (OFAC)
Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to the Bug Bounty Program

Rewards

Our program calculates bounties for reports based on a sliding CVSSv3 scale, calculated by Intigriti; the higher the issue’s score, the higher your bounty will be. We’ll use lower environmental scores for assets that are less important to Robinhood. We encourage rating your issues with CVSS before submission, but know that we may have to make adjustments in the event the score isn’t representative of the true impact. Final determination of the eligibility and severity of the issue will be made by and at the sole discretion of the Robinhood Security Team.

Eligibility is limited to domains and properties owned and operated by Robinhood and its acquisitions. Software components used within Robinhood are eligible and may be exploited in your vulnerability testing. Note that bugs in third-party components only qualify if we determine that they can be used to successfully exploit Robinhood.

All investments involve risk and loss of principal is possible.

Robinhood Financial LLC (member SIPC), is a registered broker dealer. Robinhood Securities, LLC (member SIPC), is a registered broker dealer and provides brokerage clearing services. Cryptocurrency services are offered through Robinhood Crypto, LLC. The Robinhood Money spending account is offered through Robinhood Money, LLC, a licensed money transmitter. All are subsidiaries of Robinhood Markets, Inc. (‘Robinhood’).

All aboard!

Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.

Researchers

last contributors