
Robinhood Markets
External Program
Submit bugs directly to this organization


Welcome to the Robinhood Vulnerability Disclosure Program! We're excited to work more closely with you on discovering bugs in Robinhood. Thank you for helping keep Robinhood and our users safe!
Robinhood Markets, Inc.
By submitting reports to our program, you agree that you've read, understood, and will follow our Program Rules and overall Program Policy.
Be careful with sensitive information: If sensitive information, such as personally identifiable information or user account credentials, is uncovered as part of your research, stop and report it to us immediately. Do not save, download, export, store, copy, move, or otherwise retain any sensitive or personally identifiable information, and work with us on any additional requests we may have.
Test responsibly: Only interact with and test bugs against accounts you own. We do not allow testing against user accounts not owned by the Security Researcher. Reach out to us if you need help with testing cross-account issues.
Do not cause harm: Do not engage in activities that disrupt, damage, or otherwise cause harm to or defraud Robinhood, our users, our employees, our data or our users' data, or our brand—including, without limitation, denial of service attacks, social engineering, phishing, spam, social media scams, fraudulent transactions, data exfiltration or tampering, or physical attacks.
Do not exceed $1,000 USD when testing unbounded loss vulnerabilities: When you reach $1,000 USD, stop and file your report with all of the verification you have completed so far. Internal teams will verify unbounded loss vulnerabilities collaboratively with you. Testing beyond $1,000 USD may result in termination from our program.
Do not disclose reports: Do not disclose reports made to the Robinhood vulnerability disclosure program at any time, in any location independent of the HackerOne platform.
Violation of any of our Program Rules may result in (but is not limited to) consequences such as permanent disqualification and removal from the Robinhood Vulnerability Disclosure Program, or voiding the protections of the HackerOne Gold Standard Safe Harbor.
Due to the nature of our business, we ask that you also follow these guidelines:
Do not perform resource intensive tests which could result in disruption or downtime for our services.
Do not make financial transactions with other user accounts you do not own.
Findings dependent on account takeover (ATO) are typically not accepted.
If your report shows theoretical impact rather than demonstrated impact (e.g. "This flaw could result in information disclosure" versus "Here is the information I was able to access using the flaw"), it will be assigned a lower severity. Safe harbor for researchers applies.
Do not send large volumes of data to our websockets.
Do not create large volumes of support tickets.
Use the following headers when making requests to Robinhood resources or assets for vulnerability disclosure research, where <Username> is your HackerOne username and <TestAccountEmail> is the email address of the test account you are making the request from:
X-Bug-Bounty: <Username>
X-Test-Account-Email: <TestAccountEmail>
Researchers who use these headers and document them in their report will be given a $50 USD bonus on reports which receive a bounty award.