iRobot
External Program
Last Updated: 12 Nov 2025 14:34:49 GMT+0
iRobot, the leading global consumer robot company, designs and builds robots that empower people to do more both inside and outside of the home. This program is testing iRobot's web applications, mobile applications, cloud APIs, and cloud-connected robots for vulnerabilities.
NOTE! [Please Read Fully Before Beginning Or Engaging In Any Testing]
Please DO NOT use automated vulnerability scanners when testing against the in-scope targets (Zap/Burp/Acunetix/Nikto/Nessus/etc) - all of these tools have already been run, and are run on a recurring basis internally. Running any tools of this nature is largely an inefficient use of your time and resources.
You ARE, however, encouraged to run any custom scripts or fuzzers you have developed yourself (e.g. niche file or directory wordlists); please keep the request rate of such tools UNDER 50 requests per SECOND.
In short, we strongly encourage researchers to perform manual testing by hand - this is where you're much more likely to achieve success, and a much better use of your time and resources, as opposed to running common tools that have already been used extensively against the in-scope targets, etc.
Please be aware that Submissions found using pirated software will not be rewarded.
Good luck, and happy hunting!
Additionally, please be aware that this program does not accept out of scope submissions. Testing targets that are out of scope is strictly prohibited.
This bounty does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.
If you have questions or need to contact iRobot or Bugcrowd, please contact support.
You must ensure that customer data or devices are not impacted in any way as a result of your testing. Ensure that you are not being destructive while testing and that you are only testing targets that are in-scope.
Submissions must be written in a plain text format. Supporting videos and images are fine as long as they are in standard, cross-platform formats. Submissions in other formats (e.g. DOCX, PDF, etc.) will be returned with a request to resubmit in plain text.
We are not interested in vulnerabilities that only affect robots in your own possession and control unless you can demonstrate that the same vulnerability would impact another customer's robot, mobile device, account, etc.
We are committed to working with you as transparently and efficiently as possible.
We will acknowledge receipt of your vulnerability report within 10 working days.
We strive to support you and work with you to solve the reported issue within 180 working days.
Support will be provided on a best-effort basis, including for discontinued products.
For the initial prioritization/rating of findings, this program will use the [https://bugcrowd.com/vulnerability-rating-taxonomy](Bugcrowd Vulnerability Rating Taxonomy). However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
In scope
Payment reward chart: P1 $3500 – $4500 | P2 $2000 – $3000 | P3 $500 – $1000 | P4 $0 – $250
iRobot Roomba™ 105, 205, 405, 505, and 705
Name / Location | Tags | Known issues
iRobot Roomba™ 105 | Hardware Testing |
iRobot Roomba™ 205 | Hardware Testing |
iRobot Roomba™ 405 | Hardware Testing |
iRobot Roomba™ 505 | Hardware Testing |
iRobot Roomba™ 705 | Hardware Testing |
In scope
Payment reward chart: P1 $2500 – $3000 | P2 $1000 – $2000 | P3 $500 – $900 | P4 $100 – $300
Roomba Home™ Mobile Applications for iOS and Android
Name / Location | Tags | Known issues
https://apps.apple.com/us/app/roomba-home/id6504274697 | Objective-C, SwiftUI, Swift, +2 |
https://play.google.com/store/apps/details?id=com.irobot.home.prime | Java, Mobile Application Testing, Kotlin, +1 |
In scope
Payment reward chart: P1 $1000 – $1500 | P2 $500 – $750 | P3 $250 – $500 | P4 $0 – $250
The in-scope API Gateway endpoints require proper authentication before any command is executed. The focus area for these targets is reports that bypass or circumvent that authentication implementation. Each endpoint accepts the following HTTP methods:
Endpoint URL | HTTP Methods
https://aspen-ecommerce-prod.iot.irobotapi.com/dev/v1/ecommerce/entitlements | GET, POST
https://aspen-ecommerce-prod.iot.irobotapi.com/dev/v1/ecommerce/entitlements/{entitlement_id} | PUT, DELETE
https://zuora-ecommerce-prod.iot.irobotapi.com/dev/v1/ecommerce/notifications/raas | POST
https://aspen-ecommerce-prod.iot.irobotapi.com/dev/v1/ecommerce/robots/{robot_id}/entitlements | GET
https://aspen-ecommerce-prod.iot.irobotapi.com/dev/v1/ecommerce/users/{user_id}/entitlements | GET
Name / Location | Tags | Known issues
https://aspen-ecommerce-prod.iot.irobotapi.com/dev/v1/ecommerce/entitlements/{entitlement_id} | API Testing, Salesforce, Python, +1 |
iRobot API Endpoint | API Testing |
https://zuora-ecommerce-prod.iot.irobotapi.com/dev/v1/ecommerce/notifications/raas | API Testing, Salesforce, Python, +1 |
https://aspen-ecommerce-prod.iot.irobotapi.com/dev/v1/ecommerce/robots/{robot_id}/entitlements | API Testing, Salesforce, Python, +1 |
https://aspen-ecommerce-prod.iot.irobotapi.com/dev/v1/ecommerce/users/{user_id}/entitlements | API Testing, Salesforce, Python, +1 |
In scope
Payment reward chart: P1 $750 – $1000 | P2 $500 – $750 | P3 $250 – $500 | P4 $0 – $250
Name / Location | Tags | Known issues
https://www.irobot.com | Salesforce, Website Testing, Javascript |
https://www.irobot.ca/en_CA | Salesforce, Website Testing, Javascript |
https://www.irobot.ca/fr_CA/home | Salesforce, Website Testing, Javascript |
https://www.irobot.at/ | Salesforce, Website Testing, Javascript |
https://www.irobot.be/ | Salesforce, Website Testing, Javascript |
https://www.irobot.de/ | Salesforce, Website Testing, Javascript |
https://www.irobot.es/ | Salesforce, Website Testing, Javascript |
https://www.irobot.fr/ | Salesforce, Website Testing, Javascript |
https://www.irobot.co.uk/ | Salesforce, Website Testing, Javascript |
https://www.irobot.ie/ | Salesforce, Website Testing, Javascript |
https://www.irobot.nl/ | Salesforce, Website Testing, Javascript |
https://www.irobot.pt/ | Salesforce, Website Testing, Javascript |
In scope
These web applications are officially related to the iRobot brand and company, but are not managed by iRobot Corporation and as such will not be eligible for monetary reward.
Examples include, but are not limited to:
Any irobot.tld not included in the "iRobot Commercial Websites" target group
Name / Location | Tags | Known issues
https://www.homesupport.irobot.com | |
Testing is only authorized on the targets listed as In-Scope. Any domain/property of iRobot not listed in the targets section is out of scope.
Ensure that you have fully read and understand the targets, exclusions, and rules below.
Understand the scope.
Note that bounties are awarded differently per product
To test robots, you will need a robot identifier (provided below or you can use your own if you own an iRobot cloud-connected robot) and either the https://apps.apple.com/us/app/roomba-home/id6504274697 or https://play.google.com/store/apps/details?id=com.irobot.home.prime Roomba Home application.
Credentials are self-provisioned on the iRobot site using your @bugcrowdninja.com email address. Additional user accounts can be created to perform horizontal (cross-account) testing using the same account creation process, using your @bugcrowdninja.com email address. We would like researchers to focus on testing the user account and associated functionality.
Order and payment workflow testing at store.irobot.com can be done with the following credit card information. Please do not enter real payment information in orders placed for testing purposes.
Robot Identifiers are commonly found in API calls. If you do not have a robot to test with, you can use one of the following Robot IDs:
6977840021925810
3144460C10810750
2A80AB73B5634DB9
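The cross-account (horizontal) check this brief asks for, carried out against the entitlement endpoints it lists: two self-provisioned accounts, account B's user_id and robot_id requested with account A's credentials, and the request rate kept far below the 50 requests/second cap. This is an added example, not iRobot or Bugcrowd code. It assumes bearer-token authentication and a JSON response that names the owning user_id/robot_id, neither of which the brief states; the HTTP transport is a callable you pass in, so the block runs offline here against a constructed fake API and would only touch the real endpoints if you supplied a real `send`. The two robot IDs are taken from the list above; user IDs and tokens are constructed.

```python
"""Horizontal authorization check for the entitlement endpoints in the brief.
Added example; assumes bearer tokens and a JSON body naming the owner."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

BASE = "https://aspen-ecommerce-prod.iot.irobotapi.com/dev/v1/ecommerce"
MAX_RPS = 50  # program cap for custom tooling; stay well below it

# send(method, url, headers) -> (status, body)
Send = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


class RateLimiter:
    """Space requests so that no more than `rps` are issued per second."""

    def __init__(self, rps: float) -> None:
        if rps > MAX_RPS:
            raise ValueError(f"{rps} req/s exceeds the program limit of {MAX_RPS}")
        self.interval = 1.0 / rps
        self.next_ok = 0.0

    def wait(self) -> None:
        now = time.monotonic()
        if now < self.next_ok:
            time.sleep(self.next_ok - now)
        self.next_ok = max(now, self.next_ok) + self.interval


@dataclass
class Account:
    user_id: str
    robot_id: str
    token: str  # bearer token for this test account (constructed values below)


def cross_account_checks(send: Send, a: Account, b: Account, rps: float = 10) -> Dict[str, str]:
    """Request B's entitlements with A's token. Verdicts: 'ok'/'inconclusive'
    for the self-check, then 'blocked', 'LEAK' or 'unexpected <status>'."""
    limiter = RateLimiter(rps)
    auth = {"Authorization": f"Bearer {a.token}"}
    verdicts: Dict[str, str] = {}

    # Sanity check first: if A cannot read A's own data, a 403 later proves nothing.
    limiter.wait()
    status, body = send("GET", f"{BASE}/users/{a.user_id}/entitlements", auth)
    if status != 200 or a.user_id not in body:
        verdicts["self-check"] = f"inconclusive ({status})"
        return verdicts
    verdicts["self-check"] = "ok"

    targets = {
        "users/{user_id}/entitlements": (f"{BASE}/users/{b.user_id}/entitlements", b.user_id),
        "robots/{robot_id}/entitlements": (f"{BASE}/robots/{b.robot_id}/entitlements", b.robot_id),
    }
    for name, (url, marker) in targets.items():
        limiter.wait()
        status, body = send("GET", url, auth)
        if status in (401, 403, 404):           # 404 is also a valid "not yours" answer
            verdicts[name] = "blocked"
        elif status == 200 and marker in body:  # B's identifier came back to A
            verdicts[name] = "LEAK"
        else:
            verdicts[name] = f"unexpected {status}"
    return verdicts


def make_fake_api(accounts: Dict[str, Account], enforce: bool = True) -> Send:
    """Constructed stand-in for the real API, for offline runs only.
    enforce=False simulates a missing ownership check so the detector has
    something to flag; it does not describe any real behaviour."""
    by_token = {acc.token: acc for acc in accounts.values()}

    def send(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        caller = by_token.get(headers.get("Authorization", "")[len("Bearer "):])
        if caller is None:
            return 401, '{"error":"unauthorized"}'
        kind, ident, _ = url[len(BASE) + 1:].split("/")  # users/<id>/entitlements
        key = "user_id" if kind == "users" else "robot_id"
        owner = next((acc for acc in accounts.values() if getattr(acc, key) == ident), None)
        if owner is None:
            return 404, '{"error":"not found"}'
        if enforce and owner is not caller:
            return 403, '{"error":"forbidden"}'
        return 200, (f'{{"user_id":"{owner.user_id}","robot_id":"{owner.robot_id}",'
                     '"entitlements":["premium"]}')

    return send


# Robot IDs are two of the identifiers the brief provides; user IDs and tokens are constructed.
ALICE = Account("u-alice", "3144460C10810750", "tok-alice")
BOB = Account("u-bob", "2A80AB73B5634DB9", "tok-bob")
ACCOUNTS = {"alice": ALICE, "bob": BOB}


def run(enforce: bool) -> Dict[str, str]:
    return cross_account_checks(make_fake_api(ACCOUNTS, enforce), ALICE, BOB)


if __name__ == "__main__":
    print("enforcing  :", run(True))
    print("no-enforce :", run(False))
```

The self-check is the part most often skipped: a wall of 403s only means something when the same token demonstrably works for its own resources. A 200 on B's resource is reported only if B's identifier is actually in the body, so an empty or generic 200 shows up as `unexpected 200` for manual review rather than as a finding.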
Due to the nature of our connected products, we are focused primarily on any vulnerabilities that could allow one user to affect any robots, mobile devices, or account information which do not belong to them. We are especially interested in any attacks that affect the entire robot fleet!
Can you remotely install malware on another user's robot?
Can you collect any user information without physical access to their robot or mobile device, including account information, persistent map information, user WiFi SSIDs, etc.?
Can you control anyone else's robot remotely?
We are interested if you can detail a vulnerability that would allow an actor to control or manipulate a robot not in their possession, but it is out of scope to actually control, deny service, or otherwise negatively impact a robot you do not own.
For our web applications we are interested in traditional web application vulnerabilities and other vulnerabilities that directly affect our customers or products. Some of these vulnerabilities include:
Cross-account data leakage or unauthorized access
Stored/Reflected/DOM-based Cross-Site Scripting (XSS)
SQL Injection (SQLi)
Server-side Remote Code Execution (RCE)
Server-side Request Forgery (SSRF)
Broken access controls (insecure direct object references, etc.)
Path/directory traversal
iRobot Customer - Do not access, destroy, alter, or otherwise negatively impact iRobot customers, or customer data, in any way. Safe Harbor protections outlined below do not apply when iRobot customers or customer data is involved.
Any domain, property, product, protocol, or service of iRobot not explicitly listed in the In-Scope section is out of scope, including any and all iRobot third-party SaaS services.
Any attack causing a denial of service (DoS), or distributed denial of service (DDoS) condition against iRobot products, services, or customers.
Automated scanning tools are out of scope for this program.
The Classic iRobot Home Mobile Apps on iOS and Android.
Contacting iRobot Support via manual methods and automated tools (creating support tickets, etc).
The following finding types are specifically excluded from the bounty:
Fingerprinting or banner disclosure on public ports/services
Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain
[https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers](Missing HTTP security headers), specifically:
HTTP Strict Transport Security (HSTS)
Public Key Pinning Extension for HTTP (HPKP)
X-Frame-Options (Clickjacking)
X-XSS-Protection
X-Content-Type-Options
Content-Security-Policy
X-Permitted-Cross-Domain-Policies
Referrer-Policy
Expect-CT
Feature-Policy
HTTP OPTIONS header
HTTP or DNS cache poisoning
Vulnerabilities in the WiFi spec
No load testing (DoS/DDoS) on the application(s) or network
Known vulnerabilities in used libraries, or reports of outdated libraries unless you can demonstrate exploitability
DNS vulnerabilities
When conducting vulnerability research according to this policy, we consider this research to be:
Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via [email protected] before going any further.
Announcements
REDACTED announced iRobot Bug Bounty - Live!
Good news! We are re-opening our engagement as of June 02, 2025.
Prior to restarting testing, you are required to thoroughly review the brief. There have been updates to the scope.
If you have any questions, please [https://bugcrowd-support.freshdesk.com/support/tickets/new](create a ticket with Bugcrowd Support) to get them answered.
Good luck and Happy Hunting!
REDACTED announced iRobot Testing Paused
Effective immediately, iRobot is temporarily pausing our bug bounty engagement until further notice.
We are making exciting updates to our targets and our environment. We apologize for the inconvenience and will let you know as soon as the program is live again.
In the interim, Bugcrowd and iRobot will be working together to continue triaging and validating all submissions that have come in to-date.
We appreciate your patience. If you have any questions, please [https://bugcrowd-support.freshdesk.com/support/tickets/new](create a ticket with Bugcrowd Support) to get them answered.
Happy Hunting
REDACTED announced DNS Vulnerabilities is Now Out of Scope
Effective immediately, DNS vulnerability reporting is now out of scope. We are aware of an ongoing issue and already working to resolve it.
Any pending submissions submitted before the out of scope changes will be reviewed and processed accordingly.
If you have any questions on the change in the scope, please [https://bugcrowd-support.freshdesk.com/support/tickets/new](create a ticket with Bugcrowd Support) to get them answered.
Thank you for your continued efforts on our program.
Happy Hunting!
CrowdStream activity
Submission accepted on target: iRobot API Endpoint, by kapral885 | Reward $250 | Priority P4 | Accepted on 24 Mar 2026
Submission accepted on target: iRobot API Endpoint | Reward $750 | Priority P2 | Accepted on 10 Mar 2026
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please visit [https://bugcrowd-support.freshdesk.com/support/tickets/new](Bugcrowd Support) and create a support ticket. We will address your issue as soon as possible.
This engagement follows Bugcrowd’s [https://www.bugcrowd.com/resource/standard-disclosure-terms/](standard disclosure terms.)