Roblox Bug Bounty Program – Unicminds

by Finn Patraic


Roblox is already the largest game platform in the world where children can imagine, create and play in an interactive, immersive 3D game experience. To provide the best user experience and to reduce security problems, Roblox runs its own bug bounty program in which security enthusiasts and professionals can report security vulnerabilities. This post is largely borrowed from HackerOne to give the program more visibility and distribution.

Guidelines and rules

To participate in the Roblox security bug bounty program, we ask you to respect the following rules. When you report vulnerabilities, please consider (1) how easy and realistic the bug is to exploit (what is the attack scenario?) and (2) what the security impact of the bug is for our users and our company. If a bug is not easily exploitable or does not have a significant security impact on our platform and our users, we may not accept it, or we may reduce the overall severity and/or the payout to match its impact. This often comes into play with the differences between our in-scope assets and their impact on our products and our overall platform.

Roblox reserves the right to modify the terms of this policy at any time. There is a set of rules to be observed regarding data handling, testing, response targets, the disclosure policy and, most importantly, out-of-scope vulnerabilities (listed below).

Bounty awards

Each severity tier shows the average bounty paid over the last 90 days.

Submission

You can log in and submit reports on HackerOne.

Data handling rules

  • Your participation in the Roblox bug bounty program generally prohibits you from collecting, accessing, viewing, storing, modifying or using Roblox user data.
  • During testing, take measures to avoid accessing user data or affecting the experience of other users. Please confine your testing to your own test accounts as much as possible. If private user data becomes accessible during your security testing, please inform us immediately.
  • If you have found an issue that may require touching other users' data to verify, please contact us first for advice on how to test such issues safely.
  • In exceptional cases in which Roblox user data is accessible and used for security testing, please restrict the use of that data to what is strictly necessary to carry out the appropriate security test. In particular, this means using the data of only a very small number of Roblox users, and limiting the amount of user data to the range that is necessary for the specific test.
  • If you access user data for testing purposes, please make sure to take measures to prevent unauthorized access, alteration or deletion of that user data. You may not use user data for any purpose other than participating in the Roblox bug bounty program and carrying out security tests.
  • You may not use user data accessed during security testing to contact Roblox users for any reason, including to inform them of the security testing.
  • After completing your testing, you must irrevocably delete all user data from your systems. We reserve the right to require proof of appropriate deletion.
  • You must refrain from sharing user data with others or publishing user data.
  • A violation of these data protection obligations can result in exclusion from the bug bounty program. In the event of a breach, Roblox reserves the right to recover bounties already awarded. Violations of data protection laws, including the European General Data Protection Regulation (GDPR), can lead to substantial fines, and/or affected users may be entitled to damages.

Testing rules

  • If you know that your attacks could affect the reliability or integrity of our services or data, stop immediately and contact us.
  • Vulnerabilities found through DDoS/spam attacks are not allowed.
  • Never attempt non-technical attacks such as social engineering (for example, phishing or vishing).
  • Recently disclosed 0-day vulnerabilities are not eligible unless you have a working PoC exploit.
  • Follow the HackerOne disclosure guidelines.
  • During testing, please include the string "HackerOne-" at the end of your User-Agent so that we can more easily identify traffic from the bug bounty program.
  • For any report involving the Roblox client or Roblox Studio, include the version:
    • In Studio, click File > About Roblox Studio.
    • For the client, the version is shown in the properties of the EXE file, normally located at %appdata%\..\Local\Roblox\Versions\RobloxPlayerBeta.exe. There are generally two files, one for the client and one for Studio.
  • Report the approximate date/time (with time zone) of your most recent test of the issue.
  • Please do not contact our customer support team or our employees outside the program to dispute or escalate a report; all inquiries should take place on the report itself. Failure to comply with this rule can result in the bounty not being paid, and repeated offenses can result in removal from the bug bounty program.
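
The User-Agent tagging rule above exists so that Roblox's defenders can separate sanctioned researcher traffic from everything else in their logs. The following is an added example of how a defender might do that triage; it is not code from Roblox, HackerOne or the original post. It assumes logs in the Apache/nginx combined format, constructs a handful of sample log lines inline, and assumes the tag is spelled "HackerOne-" as in the program rules; the suffix check deliberately matches only a User-Agent that ends with the tag, so a User-Agent that merely contains it elsewhere is not treated as bounty traffic.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format: the User-Agent is the final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Suffix researchers are asked to append to their User-Agent (assumption:
# spelling taken from the program rules as reproduced above).
BOUNTY_TAG = "HackerOne-"


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_bounty_traffic(user_agent, tag=BOUNTY_TAG):
    """True only when the tag is at the END of the User-Agent, as the rule requires."""
    return user_agent.rstrip().endswith(tag)


def triage(lines, tag=BOUNTY_TAG):
    """Bucket log lines into tagged researcher traffic and untagged traffic.

    Returns per-source-IP request counts for each bucket plus the number of
    lines that did not match the expected format (worth a look on their own).
    """
    tagged, untagged = Counter(), Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        bucket = tagged if is_bounty_traffic(rec["ua"], tag) else untagged
        bucket[rec["ip"]] += 1
    return {"tagged": dict(tagged), "untagged": dict(untagged), "unparsed": unparsed}


# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /users/profile HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) HackerOne-"',
    '203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "POST /api/login HTTP/1.1" 401 98 "-" "python-requests/2.31 HackerOne-"',
    '198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    # Tag present but not at the end: does NOT count as tagged bounty traffic.
    '192.0.2.44 - - [10/Oct/2023:13:55:39 +0000] "GET /robots.txt HTTP/1.1" 200 60 "-" "HackerOne-Scanner/1.0"',
    'garbage line that does not match the combined log format',
]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("tagged researcher traffic by IP:", result["tagged"])
    print("untagged traffic by IP:         ", result["untagged"])
    print("unparsed lines:                 ", result["unparsed"])
```

Run over the constructed sample, the two requests from 203.0.113.10 land in the tagged bucket, the other two parsed lines are untagged, and one line is reported as unparsed. In a real deployment the tagged bucket can be routed to a lower-priority alert queue or correlated with the HackerOne report timeline, while untagged traffic keeps its normal detection severity.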

Response targets

Roblox will endeavor to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submission): 3 business days
  • Time to triage (from report submission): 2-10 business days
  • Time to bounty (from triage): 20-40 business days
  • We will try to keep you informed of our progress throughout the process.

Disclosure policy

Although we encourage you to discover and responsibly report all vulnerabilities you find, the following is expressly prohibited and will result in disqualification from the bug bounty program and, if necessary, referral of your conduct to law enforcement:

  • Disclosing any vulnerability or suspected vulnerability that you discover to any other person without Roblox's explicit authorization
  • Disclosing the content of any submission to our program without Roblox's explicit authorization
  • Accessing private information of any person stored on a Roblox product or service – you must use test accounts
  • Sharing or publishing Roblox user data
  • Accessing sensitive information (for example, credentials)
  • Performing actions that could negatively affect Roblox or its users (for example, spam, brute force, denial of service)
  • Conducting any kind of physical attack on Roblox staff, property or data centers
  • Social engineering any Roblox support service, employee or contractor
  • Data exfiltration. Please test only the minimum necessary to validate a vulnerability (we can assess whether data exfiltration would be possible from a vulnerability and will reward with that impact in mind)
  • Violating any laws or regulations, or breaching agreements, in order to discover vulnerabilities

Out-of-scope vulnerabilities

When you report vulnerabilities, please consider (1) how easy and realistic the bug is to exploit (what is the attack scenario?) and (2) what the security impact of the bug is. If a bug is not easily exploitable or does not have a significant security impact, it is less likely to qualify for a bounty or may receive a lower payout. For example, low-impact vulnerabilities on our WordPress sites such as blog.roblox.com, or similar sites that are in scope, may be downgraded if the impact is lacking.

The following vulnerabilities will generally not be eligible under the Roblox program:

  • Vulnerabilities previously disclosed through the program or otherwise known to Roblox or the public
  • User account compromises that require user interaction
  • Chat filter bugs
  • Missing autocomplete attributes on input fields
  • Missing flags on cookies that do not hold any sensitive information
  • SSL/TLS scan reports (that is, the output of sites such as SSL Labs) and SSL/TLS version-related vulnerabilities
  • Missing security-related HTTP headers that do not directly lead to a vulnerability. Issues that only affect a small user base (for example, users on outdated browsers or other outdated software).
  • Vulnerabilities used for volumetric DDoS/DoS/spam attacks are out of scope. However, we strongly encourage reports of vulnerabilities in the Roblox data model that exploiters can use specifically to crash game servers.
  • Cross-site request forgery (CSRF) with minimal security implications (login/logout/unauthenticated)
  • Version information disclosure (without verifying the presence of an actual exploitable vulnerability)
  • Password complexity vulnerabilities
  • Unverified or incomplete "scanner output" or scanner-generated reports
  • Vulnerabilities requiring physical access to the victim's unlocked device
  • Bugs requiring extremely unlikely user interaction
  • Disclosure of information already in the public domain or previously disclosed by Roblox
  • Disclosure of public information and information that does not present a significant risk
  • Vulnerabilities that Roblox determines to be an accepted risk will not be eligible for a paid bounty
  • Wording used in emails and policy documents
  • SPF, DKIM or DMARC issues on roblox.com subdomains
  • HTML injection vulnerabilities without direct risk
  • Social engineering or following a link will not be considered for a bounty
  • Self-XSS or similar vulnerabilities
  • Vulnerabilities found on *.ra.roblox.com that do not affect release servers
  • Beta/early-access vulnerabilities that are not included in a private HackerOne bounty program may be out of scope, at Roblox's discretion. Unless otherwise stated, being invited to give feedback on a beta feature does not guarantee that you will receive bounties for that feedback.

I hope it's useful, thank you.

Source: HackerOne
