Our Mission
Roblox’s vision is to reimagine the way people come together, and our mission is to connect a billion people every day with optimism and civility in a shared 3D experience. Our platform empowers people of all ages to imagine, create, and play together in immersive, user-generated worlds.
We recognize the important role that our user community and the security research community play in helping to keep Roblox and our users safe. If you think you’ve found a security issue on any of the scopes we have listed, please inform us via our program on HackerOne using the guidelines below.
Roblox reserves the right to choose to address or not address any reported vulnerabilities. When reporting vulnerabilities, please consider:
- How easily/realistically exploitable the bug is (what’s the attack scenario?)
- What is the security impact of the bug on our users and company?
If a bug is not easily exploitable or does not have a significant security impact on our platform and users, we may decline it, or reduce the severity and/or payout to match its actual impact. This often depends on which in-scope asset is affected and how much that asset matters to our user-facing products and platform.
1. Program Essentials
🚨 STOP. READ THIS. DO NOT SKIM. 🚨
What you must ALWAYS do:
- Test only on your own accounts, devices, and clearly marked private/test experiences.
- Include the string "hackeronetest-<your-roblox-userid>" at the end of your user agent so we can easily identify traffic that is coming from the bug bounty program.
- Test with the minimum necessary actions to validate a vulnerability.
- Report all findings exclusively through HackerOne.
- Follow HackerOne’s disclosure guidelines.
What you must NEVER do:
- Exfiltrate, share, publish, or modify the data of other Roblox users or employees.
- Attempt social engineering (phishing, vishing, smishing) or physical attacks.
- Perform volumetric Denial of Service (DoS), DDoS, or spam attacks.
- Develop or test fully weaponized RCE chains against production clients.
- Distribute exploit executors, cheats, or bypass frameworks.
- Violate any laws, regulations, or agreements during your testing.
2. Core Rules (Applies to All Reports)
2.1 Participation & Eligibility
- Current & former Roblox employees and their family members are not eligible for bounties.
- Recently disclosed 0-day vulnerabilities are not eligible unless you have a working PoC exploit.
2.2 Handling Data (Users & Employees)
Your participation generally prohibits you from collecting, accessing, viewing, storing, altering, or otherwise using the data of Roblox users.
- Localize testing to your own test accounts wherever possible.
- If a bug requires touching other users’ data to verify, you must contact us first for guidance.
- If private user data is accidentally accessed, notify us immediately.
- In exceptional, necessary cases, restrict data use to the absolute minimum amount of users and scope.
- Take measures to prevent unauthorized access, alteration, or deletion of any accessed user data.
- Do not use accessed data to contact Roblox users for any reason.
- Delete any user data from your systems irrevocably after testing (we reserve the right to demand proof).
- Infringing data protection laws (including GDPR) can result in program exclusion, reclaimed bounties, substantial fines, and damages.
2.3 Safe Testing Rules
- If you are aware that your attacks may harm the reliability or integrity of our services or data, stop immediately and contact us by submitting a report.
- Do NOT contact our customer support team or employees out-of-band to contest or escalate a report. All inquiries must happen on the HackerOne report itself. Repeat offenses will lead to removal from the program.
2.4 General Out-of-Scope Vulnerabilities
The following vulnerabilities typically will not qualify for a bounty, or may be downrated if the impact is lacking (e.g., low-impact bugs on WordPress sites like blog.roblox.com). Vulnerabilities that are an accepted risk are not eligible for paid bounties.
- Vulnerabilities previously disclosed or known to Roblox/the public.
- User account hacks requiring user interaction.
- Chat filter bugs.
- Missing autocomplete attributes.
- Missing flags on cookies that do not house sensitive information.
- SSL/TLS scan reports (e.g., SSL Labs output) and version-related vulnerabilities.
- Missing security-related HTTP headers that do not lead directly to a vulnerability.
- Issues affecting a small user base (e.g., outdated browsers/software).
- Volumetric DDoS/DoS/Spam attacks (Note: Data model vulnerabilities used by exploiters to crash game servers ARE in scope and encouraged).
- CSRF with minimal security implications (Login/logout/unauthenticated).
- Version information disclosure without an actual exploitable vulnerability.
- Password complexity-related vulnerabilities.
- Unverified or incomplete scanner output.
- Vulnerabilities requiring physical access to an unlocked device.
- Bugs requiring exceedingly unlikely user interaction.
- Disclosure of public domain information or info lacking significant risk.
- Language used in emails and policy documents.
- SPF, DKIM, or DMARC issues on sub-domains of roblox.com.
- HTML injection vulnerabilities with no direct risk.
- Social engineering or link-following vulnerabilities.
- Self-XSS or similar vulnerabilities.
- Vulnerabilities on *.ra.roblox.com that do not affect release servers.
- Beta/early access vulnerabilities not in HackerOne bounty program (unless explicitly stated, beta feedback does not guarantee a bounty).
3. Additional Guidance
Exploit Development & RCE
Summary: Rules for memory corruption, RCE chains, sandbox escapes, and exploit tooling. Who should read this? Researchers doing client exploitation, RCE, or deep exploit work.
What is Allowed (Public Bug Bounty):
- Minimal PoCs: Reliably reproduce the vulnerability (crash, assertion, benign object corruption). Demonstrate clear security impact (control over a pointer, predictable structure corruption).
- Safe Execution: Cause controlled memory corruption or use-after-free on a test object. Influence data writing without a full chain. Prove primitives (info leak, type confusion) work as described.
- Limited Exploitation: Demonstrate control over program state (influencing a return address, vtable) as long as you don’t execute OS commands, persist access, or alter user state.
What Is Prohibited (Without Explicit Written Authorization):
- Fully Weaponized RCE: Developing reliable chains against production clients that execute arbitrary code (shell commands, DLL injection), act as real-world attacks, or integrate into cheat frameworks.
- Tooling: Creating telemetry bypass frameworks. Automating exploit deployment (mass scripts).
- Targeting Backends: Testing exploits aimed at Roblox Compute Cloud (RCC) servers, control-plane, or management systems.
- Impacting Economies/Users: Stealing creator assets beyond documented APIs, manipulating live economies (mass duplication, currency fraud), or hiding exploit activity inside normal traffic.
- Selling/Sharing: Selling working exploit code to third parties or publicly releasing production-ready chains while unpatched.
4. Reporting & Rewards
We prioritize clear, technically sound writeups over "live" weaponization. When reviewing reports, we consider (1) how easily/realistically exploitable the bug is (the attack scenario) and (2) the security impact on our users and company.
Required Technical Details:
- Version Numbers: For Client or Studio reports, include the exact version. (In Studio: File > About Roblox Studio. For the Client: found in the properties of the .exe file, typically at %APPDATA%\..\Local\Roblox\Versions\<version>\RobloxPlayerBeta.exe, i.e. under %LOCALAPPDATA%\Roblox\Versions.)
- Timestamps: Report the approximate date, time, and timezone of your most recent test.
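The following PowerShell snippet is an added example for collecting both of the details above; it is not code from the Roblox program page. It assumes the default per-user install location named above (note that %APPDATA%\..\Local is the same directory as $env:LOCALAPPDATA) and reads the file version embedded in each RobloxPlayerBeta.exe, then prints a timestamp with an explicit timezone to paste into the report.

```powershell
# Added example (not from the Roblox policy page): list installed Roblox
# client builds with the file version of each RobloxPlayerBeta.exe, then
# emit an ISO-8601 timestamp with the local timezone for the report.
# Assumption: default per-user install path (%LOCALAPPDATA%\Roblox\Versions).
$versionsRoot = Join-Path $env:LOCALAPPDATA 'Roblox\Versions'

if (-not (Test-Path $versionsRoot)) {
    Write-Error "No Roblox client install found under $versionsRoot"
    return
}

Get-ChildItem -Path $versionsRoot -Directory |
    ForEach-Object {
        $exe = Join-Path $_.FullName 'RobloxPlayerBeta.exe'
        if (Test-Path $exe) {
            # VersionInfo is read from the PE's VERSION resource, the same
            # data shown on the Details tab of the file's Properties dialog.
            $item = Get-Item $exe
            [pscustomobject]@{
                VersionFolder  = $_.Name
                FileVersion    = $item.VersionInfo.FileVersion
                ProductVersion = $item.VersionInfo.ProductVersion
                LastWriteUtc   = $item.LastWriteTimeUtc
            }
        }
    } |
    Sort-Object LastWriteUtc -Descending |
    Format-Table -AutoSize

# Timestamp of this test run, with offset and named timezone, for the report.
'Tested at: {0:o} ({1})' -f (Get-Date), ([TimeZoneInfo]::Local.Id)
```

The newest build (first row) is normally the one the client launched; quote its FileVersion and the folder name in the report rather than a hand-typed version string.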
Reasoning-Based Impact (You do not need weaponized RCE for top rewards):
- You can receive high or maximum rewards for serious issues without a fully weaponized exploit.
- You are allowed to explain, in detail, how your primitives could escalate to arbitrary read/write, RCE, or sandbox escapes.
- You are allowed to provide call-graph analysis, object lifetime reasoning, mitigation bypass ideas, hypothetical ROP chains, or high-level exploit diagrams.
Response Targets & SLAs: We will endeavor to keep you informed about our progress and meet the following targets:
- Time to first response (from report submit): 3 business days
- Time to triage (from report submit): 2-10 business days
- Time to bounty (from triage): 20-40 business days
5. Full Disclosure & Legal Terms
While we encourage responsible discovery and reporting, the following conduct is expressly prohibited. Violations will result in disqualification from the Bug Bounty Program and, if necessary, referral to law enforcement:
- Disclosing vulnerabilities or suspected vulnerabilities to any other person without explicit Roblox authorization.
- Disclosing the contents of any submission to our program without explicit Roblox authorization.
- Accessing private information of any person stored on a Roblox product or service.
- Sharing or publishing Roblox user data.
- Accessing sensitive information (e.g., credentials).
- Exfiltrating data (Test only the minimum necessary to validate; we will reward with the impact in mind).
- Conducting any kind of physical attack on Roblox personnel, property, or data centers.
- Violating any laws or regulations or breaching any agreements in order to discover vulnerabilities.