
Roblox’s Bug Bounty Plan – Unicminds

Roblox is already the world’s largest gaming platform, where kids can imagine, create and play interactive, immersive 3D gaming experiences. As part of its effort to provide the best customer experience and reduce security issues, Roblox runs its own vulnerability bounty program through which security enthusiasts and professionals can report security vulnerabilities. This article draws heavily on the HackerOne program page in order to give the program more visibility and distribution.

Guidelines and rules

In order to participate in Roblox’s bug bounty program, we require you to comply with the following rules. When reporting a vulnerability, consider (1) how easy it is to actually exploit the bug (what is the attack scenario?) and (2) what security impact the bug has on our users and on the company. If the bug is not easy to exploit, or has no significant security impact on our platform and users, we may not accept it, or we may reduce the overall severity and/or the payout to reflect its impact. This often differs for our corporate assets, depending on how much they could affect the overall users of the products and platforms we offer.

Roblox reserves the right to amend the terms of this policy at any time. There is a set of rules to follow regarding the handling of data, testing, response targets, the disclosure policy and, most importantly, which vulnerabilities are in scope (below).

Bounty Reward

Each severity category shows the average bounty paid over the last 90 days.

Submit

You can log in and submit reports on HackerOne.

Rules for processing data

  • Your participation in the Roblox Bug Bounty program generally prohibits you from collecting, accessing, viewing, storing, altering or otherwise using Roblox user data.
  • When testing, take measures to avoid accessing user data or affecting other users’ experience. Please confine your tests to your own test accounts wherever possible. If private user data is accessed during your security testing, please notify us immediately.
  • If you find an issue whose verification may require touching other users’ data, please contact us first for guidance on how to safely test it.
  • In the exceptional case where Roblox user data is accessed and used for security testing, limit the use of that data to what is strictly necessary to perform the appropriate security test. In particular, this means using data from only a few Roblox users and limiting the amount of specific user data to what the specific test step requires.
  • If you access user data for testing purposes, take steps to prevent unauthorized access, alteration or deletion of that data. You may not use user data for any purpose other than participating in the Roblox Bug Bounty program and performing security testing.
  • You may not, for any reason, contact Roblox users using user data accessed during security testing, including to notify them about the security testing.
  • After completing the test, you must irrevocably delete any user data from your systems. We reserve the right to require proof of proper deletion.
  • You must not share or publish user data with anyone.
  • Violations of these data protection obligations may result in exclusion from the bug bounty program. In the event of a violation, Roblox reserves the right to reclaim any bounty already paid. Violations of data protection laws, including the European General Data Protection Regulation (GDPR), may result in substantial fines and/or give affected users the right to claim damages.

Test rules

  • If you become aware that your test may impair the reliability or integrity of our services or data, stop immediately and contact us.
  • Vulnerabilities discovered through DDoS or spam attacks are not eligible.
  • Never attempt non-technical social engineering attacks (such as phishing, vishing or smishing) against our employees, users or infrastructure.
  • Recently disclosed 0-day vulnerabilities are not eligible unless you have a working PoC exploit.
  • Follow HackerOne’s disclosure guidelines.
  • When testing, please append the string “hackeronetest” to the end of your user agent so that we can more easily identify traffic from the Bug Bounty program.
  • For any report involving the Roblox client or Roblox Studio, include the version:
  • In Studio, click File > About Roblox Studio.
  • For the client, the version is shown in the properties of the EXE file, usually located under %appdata%\..\Local\Roblox\Versions\ as RobloxPlayerBeta.exe. There are usually two folders, one for the client and one for Studio.
  • Report the approximate date, time and time zone of your latest test.
  • Please do not contact the customer support team or employees out of band to expedite or escalate a report; all queries should be made on the report itself. Failure to comply with this rule may result in the bounty not being paid, and repeat offenses may result in removal from the bug bounty program.
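As an added illustration (not part of the original post or of Roblox’s own tooling), the Python below shows how a defender could separate requests that carry the “hackeronetest” user-agent suffix from ordinary traffic in constructed access-log lines. The tag is declared by the client, so it only helps attribute traffic to a report during triage; it is not a trust signal and tagged requests still pass through every normal control.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (Apache/Nginx "combined" format); not real Roblox traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /users/12345/profile HTTP/1.1" 200 4821 "-" "Mozilla/5.0 (X11; Linux x86_64) hackeronetest"
203.0.113.9 - - [10/Mar/2024:12:00:02 +0000] "GET /api/catalog HTTP/1.1" 200 1203 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"
198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31 hackeronetest"
198.51.100.7 - - [10/Mar/2024:12:00:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31 hackeronetestX"
"""

BOUNTY_TAG = "hackeronetest"  # suffix the program asks testers to append to their user agent

# Combined log format: the user agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def is_bounty_traffic(user_agent: str) -> bool:
    """True when the UA ends with the program tag (trailing whitespace ignored)."""
    return user_agent.rstrip().endswith(BOUNTY_TAG)

def split_bounty_traffic(log_text: str) -> Dict[str, List[dict]]:
    """Parse log lines into 'bounty', 'other' and 'unparsed' buckets.

    The tag is self-declared by the client, so it is only an attribution hint
    for triage: tagged requests are not exempt from rate limits, auth or WAF
    rules, and untagged requests are not assumed to be benign.
    """
    buckets: Dict[str, List[dict]] = {"bounty": [], "other": [], "unparsed": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            buckets["unparsed"].append({"raw": line})
            continue
        entry = m.groupdict()
        key = "bounty" if is_bounty_traffic(entry["ua"]) else "other"
        buckets[key].append(entry)
    return buckets

def bounty_sources(log_text: str) -> Dict[str, int]:
    """Count tagged requests per source IP, to match against a report's date/time."""
    counts: Dict[str, int] = {}
    for e in split_bounty_traffic(log_text)["bounty"]:
        counts[e["ip"]] = counts.get(e["ip"], 0) + 1
    return counts
```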

Response targets

Roblox will work hard to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submission): 3 working days
  • Time to triage (from report submission): 2-10 working days
  • Time to bounty (from triage): 20-40 working days
  • We will do our best to keep you informed about our progress throughout the process

Disclosure Policy

Although we encourage you to discover and report any vulnerabilities to us in a responsible manner, the following behavior is explicitly prohibited and will result in disqualification from the bug bounty program and, if necessary, referral of your conduct to law enforcement:

  • Disclosing any vulnerability or suspected vulnerability you have discovered without explicit authorization from Roblox
  • Disclosing the content of any submission to our program without explicit authorization from Roblox
  • Accessing the private information of anyone stored on Roblox products or services – you must use a test account
  • Sharing or publishing Roblox user data
  • Accessing sensitive information (such as credentials)
  • Performing actions that may negatively affect Roblox or its users (e.g. spam, brute force, denial of service)
  • Performing any form of physical attack on Roblox personnel, property or data centers
  • Social engineering any Roblox help desk, employee or contractor
  • Deleting data. Please test only the minimum required to verify the vulnerability (we can verify whether data could leak through the vulnerability and will take that impact into account)
  • Violating any law or regulation, or breaching any agreement, in order to discover a vulnerability

Vulnerabilities in scope

When reporting a vulnerability, consider (1) how easy it is to actually exploit the bug (what is the attack scenario?) and (2) what the security impact of the bug is. If the bug is not easy to exploit or has no significant security impact, it is less likely to be eligible for a bounty, or the payout will be lower. For example, vulnerabilities in our WordPress news websites (such as blog.roblox.com or similar) may have their severity substantially reduced if they lack impact.

The following vulnerabilities are usually not eligible under Roblox’s program:

  • Vulnerabilities previously disclosed through the program or already known to Roblox or the public
  • User account takeover that requires user interaction
  • Chat filter bugs
  • Missing autocomplete attributes
  • Missing flags on cookies that do not hold any sensitive information
  • SSL/TLS scan reports (i.e. output from sites like SSL Labs) and SSL/TLS version-related vulnerabilities
  • Missing security-related HTTP headers that do not directly lead to a vulnerability. Issues that only affect a small user base (such as users of outdated browsers or other outdated software).
  • Volumetric DDoS/DoS/spam attacks are out of scope. However, reports of vulnerabilities in the Roblox data model that can specifically be used to crash game servers are strongly encouraged.
  • Cross-site request forgery (CSRF) with minimal security impact (login/logout/unauthenticated)
  • Version information disclosure (that does not establish the existence of an actual exploitable vulnerability)
  • Password complexity or password policy issues
  • Unverified or incomplete “scanner output” or scanner-generated reports
  • Vulnerabilities that require physical access to the victim’s unlocked device
  • Bugs requiring extremely unlikely user interaction
  • Disclosure of information that is in the public domain or was previously disclosed by Roblox
  • Disclosure of public information or information without significant risk
  • Vulnerabilities that Roblox has determined to be an accepted risk will not qualify for a paid bounty
  • Wording used in emails and policy documents
  • SPF, DKIM or DMARC issues on subdomains of Roblox.com
  • HTML injection vulnerabilities without direct risk
  • Issues that require social engineering or following a link will not be considered for a bounty
  • Self-XSS or similar vulnerabilities
  • Vulnerabilities found on *.ra.roblox.com that do not affect production servers
  • Vulnerabilities in beta/early access features that are not part of the private bug bounty program may be out of scope at Roblox’s discretion. Unless otherwise stated, being invited to provide feedback on a beta feature does not guarantee that you will receive a bounty for that feedback.

Hope this works, thanks.

Source: HackerOne
