Robinhood Markets Bounty
Bounty range: $100 - $6,000
External program
Program guidelines
Welcome to the Robinhood Bug Bounty Program! We’re excited to work more closely with you on discovering bugs in Robinhood. Thank you for helping keep Robinhood and our users safe! Robinhood Markets, Inc.
Gold Standard Safe Harbor: adheres to the Gold Standard Safe Harbor statement (https://docs.hackerone.com/en/articles/8494525-gold-standard-safe-harbor-statement).
Platform Standards: fully compliant with HackerOne Platform Standards (https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards#h_e01bc643a8).
Top Response Efficiency: this program's response efficiency is above 90% (https://docs.hackerone.com/en/articles/8490880-response-target-indicators).
Managed by HackerOne. Collaboration enabled. Includes retesting.
9 hours Average time to first response
20 hours Average time to triage
0 Average time to bounty
20 hours Average time from submission to bounty
4 days, 21 hours Average time to resolution
Ends in 15 days
Assets eligible (3):
URL: www.bitstamp.net
Google Play app ID: net.bitstamp.app
Apple App Store app ID: Id1406825640
Campaign bounty multiplier: low (2x) | medium (2x) | high (2x) | critical (2x)
Hello Hacker, We’re excited to let you know that starting March 19, 2026, we’ll be launching a campaign focusing on Bitstamp* assets in our Robinhood bug bounty program.
You’ll have a three-week window (3/19-4/9) to explore these new assets before they’re added to the wider bounty programs. To make things even better, all valid submissions during this campaign will earn a 2x bounty multiplier.
If you’d like to start preparing, here are the in-scope hosts:
*.bitstamp.net (subdomains pointing to third-party services are not in scope)
Additionally mobile applications will also be in scope for this campaign. Those are:
Id1406825640 - iOS
net.bitstamp.app - Android
If you’d like to review the API documentation, you may find that here: https://www.bitstamp.net/api/
Please note that test accounts are not available for Bitstamp at this time. Thank you for continuing to make our programs stronger. We can’t wait to see what you find!
The Bug Bounty Team
Last updated on February 11, 2026.
Each severity lists the 90-day average bounty and the percentage of total resolved reports, if applicable.
Low: avg. bounty $130, 28.99% of submissions
Medium: avg. bounty n/a, 52.17% of submissions
High: avg. bounty $5,025, 17.39% of submissions
Critical: avg. bounty n/a, 1.45% of submissions
Bounty table by asset tier (Low / Medium / High / Critical):
Tier 3: $100–$500 / $500–$3,000 / $3,000–$6,000 / $6,000–$8,000
Tier 2: — / — / $1,000–$3,000 / $3,000–$6,000
Tier 1: $100–$500 / $500–$5,000 / $5,000–$10,000 / $10,000–$25,000
Core Ineligible Findings are out of scope (https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings).
Last updated on March 11, 2026.
Robinhood Markets Bounty looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
By submitting reports to our program, you agree that you’ve read, understood, and will follow our Program Rules and overall Program Policy.
Be careful with sensitive information. If sensitive information such as personal information or user credentials are uncovered as part of your research, stop and report it to us immediately. Do not save, store, copy, move, or otherwise retain sensitive information, and work with us on any additional requests we may have.
Test responsibly. Only interact with and test bugs against accounts you own. We do not allow testing against user accounts not owned by the Security Researcher. Reach out to us if you need help with testing cross-account issues.
Do not cause harm. Do not engage in activities that disrupt, damage, or otherwise cause harm to or defraud Robinhood, our users, our employees, our data or our users’ data, or our brand—including, without limitation, denial of service attacks, social engineering, phishing, spam, social media scams, fraudulent transactions, data exfiltration or tampering, or physical attacks.
Do not exceed $1,000 USD when testing unbounded loss vulnerabilities. When you reach $1,000 USD file your report with all verification you have completed so far. Internal teams will verify unbounded loss vulnerabilities collaboratively with you. Testing over $1,000 USD may result in termination from our program.
Do not disclose reports made to the Robinhood bug bounty program at any time, in any location independent of the HackerOne platform.
Violation of any of our Program Rules may result in (but is not limited to) consequences such as ineligibility for a bounty, permanent disqualification and removal from the Robinhood Bug Bounty Program, or voiding the protections of the HackerOne
Due to the nature of our business, we ask that you also follow these guidelines:
Do not perform resource intensive tests which could result in disruption or downtime for our services.
Do not make financial transactions with other user accounts you do not own.
Findings dependent on account takeover (ATO) are typically not accepted, though we may award a small bonus for bugs we consider novel.
Do not send large volumes of data to our websockets.
Do not create large volumes of support tickets.
The most common reason reports are rejected as ‘informative’ rather than for a bounty is because of impact. If your report shows theoretical impact rather than demonstrates an impact (e.g. ‘This flaw could result in information disclosure’ versus ‘Here is the information I was able to access using the flaw’), severities (and bounties) will be lower.
Safe harbor for researchers is applied.
To be eligible to participate in any Robinhood Bug Bounty Program, you must:
Be at least 18 years of age and meet Robinhood account requirements if you test using a Robinhood account
Not be employed by Robinhood as an employee, contingent worker, or contractor (including individuals who separated from Robinhood within the prior 12 months) or be an immediate family member of a current or former Robinhood employee, contingent worker, or contractor
Not be a resident of or an individual located within a country appearing on any U.S. sanctions lists, as administered by the Office of Foreign Assets Control (OFAC)
Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to the Bug Bounty Program
Robinhood also maintains a VIP Bug Bounty Program, which allows access to pre-release features in advance of their launch before the general public. Researchers who participate in our program may be invited to join the VIP Program based on the quality and consistency of their reports, with at least 3-5 reports submitted over time.
Use the following headers when making requests to Robinhood resources or assets for bug bounty, where the first value is your HackerOne username and the second is the email associated with the test account you are making the request with:
X-Bug-Bounty: (your HackerOne username)
X-Test-Account-Email: (the email of the test account used)
Please include these header values in your report, as well as your breakdown of the CVSS score you assign to your submission.
Our rewards are based on severity per CVSS (the Common Vulnerability Scoring System). We will work with you to find an accurate CVSS score for your report, but please note these are general guidelines and reward decisions are at the discretion of Robinhood.
Our program calculates bounties for reports based on a sliding CVSSv3 scale; the higher the issue's score, the higher your bounty will be. We use lower environmental scores for assets that are less important to Robinhood. We encourage you to rate your issue with CVSS before submission and to include a breakdown of how you understand the criteria to apply, but know that we may have to make adjustments if the score is not representative of the true impact. True impact is determined by a host of factors, including whether mitigations are in place, whether token interception or account takeover (ATO) is a requirement of the attack, the type of sensitive information disclosed, and what can actually be done with the identified exploit.
The most common reason reports are closed as 'informative' rather than rewarded with a bounty is a failure to provide demonstrable impact. If your report shows theoretical impact rather than demonstrated impact (e.g. 'This flaw could result in information disclosure' versus 'Here is the information I was able to access using the flaw'), the severity will be lower.
Severity is decreased when: exploitation is currently mitigated by effective compensating controls; the vulnerability is only exploitable internally, such as behind authentication systems (e.g. Okta), or requires specific privileges that limit accessibility; or the exploitation scenario involves user interactions or conditions that are unlikely to be met or are heavily constrained. Additionally, no bounties will be awarded for issues that are fixed and no longer reproducible if the fix landed before the ticket was triaged and not as a result of the bug bounty ticket. Final determination of the eligibility and severity of the issue will be made at the sole discretion of the Robinhood Security Team.
Eligibility is limited to domains and properties owned and operated by Robinhood and its acquisitions. Software components used within Robinhood are eligible and may be exploited in your vulnerability testing. Note that bugs in third-party components only qualify if we determine that they can be used to successfully exploit Robinhood. Root cause duplicates (i.e. same issue across multiple hosts or endpoints) will be considered duplicates when the underlying component/mechanism is the same. Bounties will not be paid for fixed issues which are no longer reproducible, if issues are already known before the ticket is validated, or if they were fixed not as a result of the bug bounty submission.
Robinhood accepts zero-day issues in third party software that can be directly used to compromise the confidentiality or integrity of our products. Zero-day issues may be submitted to our program at any time; however, we will only accept reports that permit us to disclose the issue to the relevant vendors. We cannot authorize testing against any third parties or our vendors.
Not sure where to start? Here are a few areas we’d like to see more coverage of and some questions to get you started:
Authenticated issues - Create a test account using your HackerOne email and test functionality from the perspective of an authenticated user. What bugs exist in authenticated workflows?
Business Logic issues - Can UI protections be circumvented with underlying API calls or can you perform sequence steps out of order in ways that have a security impact?
Sensitive Information Disclosure - Are there places in the application where sensitive data like SSNs or other PII are handled insecurely?
Configuration files are provided solely to assist you in configuring your tooling. Robinhood makes no representations or warranties, express or implied, and assumes no responsibility or liability for any outcomes or issues arising from its use.
Tier 1:
*.rhapollo.net - Rhapollo.net contains internal Robinhood services.
*.rhinternal.net - Rhinternal.net contains internal Robinhood services.
*.robinhood.com - Robinhood.com contains the bulk of Robinhood web assets, APIs, and publicly accessible services.
api.robinhood.com - api.robinhood.com is an AWS ALB that proxies traffic to many different Robinhood services. For example, while Cashier is available at cashier.robinhood.com, it’s also available at api.robinhood.com/cashier. In most cases, the endpoints should be identical in functionality.
nummus.robinhood.com - Nummus handles cryptocurrency trading for Robinhood users, and tracks cryptocurrency account balances.
*.robinhood.net - Robinhood.net contains internal Robinhood services. You shouldn't be able to log into anything here.
oak.robinhood.net - Major Oak (also accessible internally at oak.robinhood.com) is our internal administrative tooling, which is used by Customer Support to make changes to customer accounts. Access to and vulnerabilities in Major Oak are very sensitive.
1634080733 iOS - Robinhood Wallet is an application for owning and managing your blockchain assets in a self-custody crypto wallet.
6462308655 iOS - Robinhood Credit Card is an application for the Robinhood Gold Card.
938003185 iOS - Robinhood: Trading and Investing is an online brokerage application for trading and investing
com.robinhood.android Android - Robinhood: Trading and Investing is an online brokerage application for trading and investing
com.robinhood.gateway Android - Robinhood Wallet is an application for owning and managing your blockchain assets in a self-custody crypto wallet.
com.robinhood.money Android - Robinhood Credit Card is an application for the Robinhood Gold Card.
com.robinhood.global Android - Robinhood: Trading and Investing is an online brokerage application for trading and investing for international users
www.bitstamp.net - The main host associated with the Bitstamp website. Subdomains are in Tier 3.
Tier 2:
*.saytechnologies.com
*.say.rocks
Tier 3:
*.1integrations.com
*.x1.co
*.x1creditcard.com
fusion.tradepmr.com - Production environment and TradePMR application.
insight2.tradepmr.com
*.bitstamp.net - All Bitstamp supporting services and subdomains which are listed below. Details about APIs can be found here: https://www.bitstamp.net/api/ Subdomains pointing to third-party services are not in scope.
Id1406825640 - Bitstamp iOS application
net.bitstamp.app - Bitstamp Android application
shop.robinhood.com - Report findings to Brilliant Made https://www.brilliantmade.com/
fleet.infra.robinhood.net
content.research.robinhood.com - Report findings to https://www.GreatQuestion.co
events.robinhood.com
affiliates.robinhood.com
vgs-api.robinhood.com
share.robinhood.com
esg.robinhood.com
startinvesting.robinhood.com
go.robinhood.com
underthehoodpod.robinhood.com
press.robinhood.com
roadshow.robinhood.com
weareallinvestors.robinhood.com
careers.robinhood.com
earlytalent.robinhood.com
auth-sandbox.tradepmr.com
api-sandbox.tradepmr.com
fusion-demo.tradepmr.com
fusion-demo.uat.tradepmr.com
fusion-demo.uat2.tradepmr.com
fusion.uat.tradepmr.com
fusion.uat2.tradepmr.com
fusion.uat3.tradepmr.com
auth-validation.tradepmr.com
api-validation.tradepmr.com
auth.tradepmr.com
api.tradepmr.com
sandbox.bitstamp.net
We consider most informative-type issues to be out of scope, like SPF issues. If most other bug bounty programs exclude it, we likely would too.
Physical attacks against Robinhood employees, offices, or data centers
Social engineering attacks against Robinhood employees or users, including phishing
Vulnerabilities in third-party integrations with the Robinhood API or third-party banking functionality (e.g. credit card chargebacks made through your financial institution)
Vulnerabilities that require physical access, rooted / jailbroken devices, or debug access to a user’s device
Denial of service without prior authorization
Subdomain takeover without taking over the subdomain
Cache poisoning
Email list or notification setting configuration issues or information disclosure
Clickjacking without impact
Disclosure of publicly available information
Lack of security flags in cookies (except session cookies)
Lack of security headers unless exploitable
Vulnerabilities caused by out-of-date browsers or browser add-ons
Vulnerabilities caused by out-of-date or no longer maintained Android or iOS versions
Mobile application root and jailbreak detection
For Say Technologies: Voting information disclosure via IDOR, and anything including contact or support forms
DNS records including email policy (SPF, DKIM, DMARC), DNSSEC
Issues related to unsafe SSL/TLS cipher suites or protocol versions unless exploitable
Lack of EXIF stripping on uploads, unless those uploads are publicly accessible
Logout CSRF
Additionally, HackerOne's core ineligible findings apply to this program.
Hackers thanked (top 12 by reputation):
1. ashwarya (3k)
2. zlz (234)
3. ian (120)
4. stealthy (110)
5. m0chan (105)
6. meals (83)
7. erbbysam (66)
8. mayonaise (57)
9. d0xing (53)
10. crazytodd (52)
11. ncrcs (49)
12. nagli (47)
Robinhood Markets Bounty (http://robinhood.com): Bug Bounty Program launched in Oct 2025.
Response efficiency: 100%
Rewards by severity (reward range, with 90-day average bounty and share of submissions):
Low: $100–$500 (avg. bounty $130, 28.99% of submissions)
Medium: $500–$5,000 (avg. bounty n/a, 52.17% of submissions)
High: $1,000–$10,000 (avg. bounty $5,025, 17.39% of submissions)
Critical: $3,000–$25,000 (avg. bounty n/a, 1.45% of submissions)
Program statistics:
Total bounties paid: >$300,000
Average bounty range: $966 - $1,431
Top bounty range: $4,690 - $11,500
Bounties paid (90 days): $10,000 - $15,000
Reports received (90 days): 997
Last report resolved: 21 days ago
Reports resolved: 133
Hackers thanked: 69
Assets in scope: 25
© HackerOne