Roblox is already the world’s largest gaming platform the place youngsters can think about, create and play interactive, immersive 3D gaming experiences. To supply the perfect buyer expertise and scale back safety points, Roblox has its personal bug bounty program that permits safety fans and consultants to level out safety vulnerabilities. This put up is closely borrowed from Hackerone to extend the visibility and distribution of this system.
Pointers and guidelines
To take part in Roblox’s Safety Bug Bounty Program, we suggest that you simply adhere to the next guidelines: When reporting vulnerabilities, (1) how simply/realistically a bug is exploited (what’s the assault state of affairs?) and (2) what’s the safety impression of the bug? If a bug isn’t simply exploited, or if it does not have a significant safety impression on the platform or customers, you can’t settle for it or scale back the general severity and the way a lot of a cost will have an effect on it. This typically works with variations in in-scope property and the way influential the merchandise and platforms going through your entire person.
Roblox reserves the appropriate to vary the phrases of this coverage at any time. There’s a algorithm concerning the dealing with of out-of-scope vulnerabilities (referred to under).
Bounty reward
Every severity class receives a median 90-day prize cash.
Submit
You’ll be able to log in and ship Hakkeron.
Guidelines for processing knowledge
- Participation within the Roblox Bug Bounty program typically prohibits using Roblox Person knowledge to gather, entry, view, retailer, modify, or in any other case use it.
- Throughout testing, take steps to keep away from accessing person knowledge or affecting different customers’ experiences. Localize your assessments to your personal check account each time attainable. Please notify us instantly if you wish to entry your personal person knowledge throughout safety testing.
- In the event you discover a problem which will require you to the touch different customers’ knowledge, please contact us for steerage first, on methods to safely check such points.
- Entry your Roblox person knowledge and restrict it to the perfect attainable extent to carry out acceptable safety testing within the distinctive circumstances used for safety testing. This particularly signifies that Roblox customers solely use little or no person knowledge and limits the quantity of particular person knowledge required for a selected check measurement to a variety.
- In the event you entry your person knowledge for testing functions, be sure to take steps to stop unauthorized entry, modification, or deletion of your person knowledge. Person knowledge is probably not used for any objective aside from collaborating within the Roblox Bug Bounty Program and conducting safety testing.
- For any motive, you can’t contact Roblox customers utilizing person knowledge accessed throughout safety testing. Consists of notifying them about safety assessments.
- As soon as the check is full, it is advisable to irreparably delete person knowledge from the system. We reserve the appropriate to request proof of acceptable deletion.
- You need to chorus from sharing your person knowledge with others or publish your person knowledge.
- Violation of those knowledge safety obligations might result in exclusion from the bug bounty program. Within the occasion of an infringement, Roblox reserves the appropriate to regain the bounty already awarded. Infringement of information safety legal guidelines, together with the European Normal Information Safety Regulation (GDPR), might lead to vital fines and the person being entitled to damages.
Testing guidelines
- If you realize that your assaults can hurt the reliability or integrity of our providers or knowledge, please cease instantly and get in touch with us.
- Vulnerabilities discovered by means of DDO/Spam assaults usually are not permitted
- Don’t try non-technical assaults corresponding to social engineering (phishing, bishing, smishing, and so on.) or bodily assaults on staff, customers, or infrastructure
- The lately disclosed 0-day vulnerabilities usually are not eligible except there’s a sensible POC exploit.
- Comply with Hackerone’s disclosure tips
- When testing, you need to use the string “hackeronetest-” on the finish of the person agent
Embody ” to make it simpler to establish visitors coming from bug bounty packages. - Embody variations in studies that embrace Roblox shopper or Roblox Studio
- In Studio, click on File > About Roblox Studio
- For purchasers, the model is often in %appData%. native roblox variations
It seems within the properties of the Exe file positioned in robloxplayerbeta.exe. Normally there are two folders. One is for purchasers and the opposite is for studios. - Report approximate date/time/timezone for the most recent check in query
- Don’t contact the client help group or worker from the band to contest or escalate the report. All inquiries should happen within the report itself. Failure to observe this rule will lead to no prize cash being paid and repeated violations might happen.
Response goal
Roblox will attempt to satisfy the next SLAs for hackers collaborating in our program:
- Time to first response (from report sending): 3 enterprise days
- Time till triage (from report sending): 2-10 enterprise days
- Time from prize cash (from triage): 20-40 enterprise days
- We’ll proceed to tell you of progress all through the method
Disclosure Coverage
Whereas we suggest discovering and reporting vulnerabilities you discover in a accountable manner, the next actions are expressly prohibited, leading to disqualification from the bug bounty program and, if essential, referrals to legislation enforcement.
- Disclose vulnerabilities found or suspected vulnerabilities to others with out specific roblox permission
- Disclose the content material of your submission to this system with out specific Roblox permission
- Entry to private data of individuals saved in Roblox services or products – you could use a check account
- Sharing or publishing Roblox person knowledge
- Accessing confidential data (e.g. Credentials)
- Carry out actions that might negatively have an effect on Roblox or its customers
- Implement any form of bodily assault on Roblox personnel, property, or knowledge facilities
- Social Engineering Roblox Assist Desk, Worker or Contractor
- Elimination knowledge. Check solely the minimal required to validate your vulnerability (you may see if knowledge might be faraway from the vulnerability, and reward it with the impression in thoughts)
- Violate legal guidelines or laws or contracts to find vulnerabilities
Out-of-scope vulnerability
When reporting vulnerabilities, (1) how simply/realistically a bug is exploited (what’s the assault state of affairs?) and (2) what’s the safety impression of the bug? If the bug isn’t simply exploited or if there is no such thing as a vital safety impression, you’re much less prone to qualify for a prize and are much less prone to pay. For instance, a low-impact vulnerability on phrase press websites corresponding to weblog.roblox.com and related websites inside the scope could also be downgraded by severity if the impression is missing.
The next vulnerabilities are typically not eligible for the Roblox program:
- Vulnerabilities beforehand disclosed by means of this system or in any other case recognized to Roblox or to the general public
- Person Account Hacks that require person interplay
- Chat filter bug
- Lacking AutoComplete attribute
- Flags lacking in cookies that don’t comprise delicate data
- SSL/TLS scan studies (which implies output from websites corresponding to SSL labs) and SSL/TLS version-related vulnerabilities
- There isn’t a security-related HTTP header that doesn’t straight result in vulnerabilities. Points that have an effect on solely small person bases (corresponding to customers of outdated browsers and different outdated software program).
- Vulnerabilities used for volumetric DDOS/DOS/spam assaults are out of scope. Nonetheless, we strongly suggest reporting vulnerabilities within the Roblox knowledge mannequin that can be utilized by exploiters, notably in sport server crashes.
- Cross-site Request Forfary (CSRF) with minimal safety impression (login/logout/authentication)
- Disclosure of model data (with out checking for the existence of precise exploitable vulnerabilities)
- Vulnerabilities associated to password complexity
- Unverified or incomplete “scanner output” or scanner technology studies
- Vulnerability requiring bodily entry to sufferer’s unlocked gadgets
- Person interplay is extremely unlikely bug
- Disclosure of data already disclosed within the public area or beforehand disclosed by Roblox
- Disclosure of public data and data that doesn’t current any materials dangers
- Vulnerabilities that Roblox considers to be an accepted threat usually are not eligible for paid prizes
- Language utilized in e-mail and coverage paperwork
- SPF, DKIM, or DMARC points with roblox.com subdomains
- Direct risk-free HTML injection vulnerability
- Social engineering or following hyperlinks won’t be thought-about for the bounty
- Self-XSS or related vulnerabilities
- Doesn’t have an effect on launch servers *Vulnerabilities discovered on .ra.roblox.com
- Vulnerabilities from beta/early entry not included within the Personal Hackelon Prize Program could also be outdoors the scope of Roblox’s discretion. Except in any other case said, invites to offer suggestions to the beta characteristic don’t assure {that a} cost prize might be paid for such suggestions.
I hope that is helpful, thanks.
sauce: Hakkeron
