Details

Welcome to the Say Technologies Bug Bounty Program! We’re excited to work more closely with you on discovering bugs in Say. If you have any questions on our program, please email [email protected] or find us on Bug Bounty Forum. Thank you for helping keep Say Technologies and our users safe!

Rules of Engagement

By submitting reports to our program, you agree that you’ve read, understood, and will follow our Program Rules and overall Program Policy.

Program Rules

Be careful with sensitive information. If sensitive information such as personal information or user credentials are uncovered as part of your research, stop and report it to us immediately. Do not save, store, copy, or otherwise retain sensitive information, and work with us on any additional requests we may have.
Test responsibly. Only interact with and test bugs against accounts you own. Reach out to us if you need help with testing cross-account issues.
Do not cause harm. Do not engage in activities that disrupt, damage, or otherwise cause harm to or defraud Say Technologies or Robinhood, our users, our employees, or our brand—including denial of service attacks, social engineering, phishing, spam, social media scams, fraudulent transactions, or physical attacks.
Do not send spam messages to any contact forms.

Violation of any of our Program Rules may result in (but is not limited to) ineligibility for a bounty and/or permanent disqualification and removal from Say Technologies’ and any of its affiliate’s bug bounty programs.

Service Level Agreements (SLAs)

Say Technologies will use commercially reasonable efforts to meet the following SLAs for hackers participating in our program:

Type of Response	SLA in business days
First Response	1 day
Time to Triage	5 days
Time to Bounty	1 day after triage

Special Considerations

Due to the nature of our business, we ask that you also follow these guidelines:

Do not perform resource intensive tests which could result in disruption or downtime for our services when the stock market is open (Mon-Fri, 8:30AM - 6:00PM US/Eastern).

Zero-Day Issues

Say Technologies accepts zero-day issues in third party software that can be directly used to compromise the confidentiality or integrity of our products. Zero-day issues may be submitted to our program at any time; however, we will only accept reports that permit us to disclose the issue to the relevant vendors. We cannot authorize testing against any third parties or our vendors.

Eligibility to Participate

To be eligible to participate in the Say Technologies Bug Bounty Program, you must:

Be at least 18 years of age
Not be employed by Say Technologies or any of its affiliates as an employee, contingent worker, or contractor (including individuals who separated from Say Technologies or any of its affiliates within the prior 12 months), nor be an immediate family member of an aforementioned employee, contingent worker, or contractor.
Not be a resident of or an individual located within a country appearing on any U.S. sanctions lists, as administered by the Office of Foreign Assets Control (OFAC)
Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to the Bug Bounty Program

Rewards

Our program calculates bounties for reports based on a sliding CVSSv3 scale, calculated by HackerOne; the higher the issue’s score, the higher your bounty will be. We’ll use lower environmental scores for assets that are less important to Say Technologies. We encourage rating your issues with CVSS before submission, but know that we may have to make adjustments in the event the score isn’t representative of the true impact. Final determination of the eligibility and severity of the issue will be made by and at the sole discretion of the Say Security Team.

Eligibility is limited to domains and properties owned and operated by Say Technologies. Software components used within Say Technologies are eligible and may be exploited in your vulnerability testing. Note that bugs in third-party components only qualify if we determine that they can be used to successfully exploit Say Technologies.

Out of Scope

We consider most informative-type issues to be out of scope, like SPF issues. If most other bug bounty programs exclude it, we likely would too. To keep it brief, we’ll only enumerate the most important issues to avoid testing or reporting.

Physical attacks against Say Technologies employees, offices, or data centers, or any of its affiliates’ employees, offices, or data centers
Social engineering attacks against Say Technologies or any of its employees or users or any of its affiliates’ employees, offices or data centers , including phishing
Vulnerabilities in third-party integrations with the Say Technologies API
Vulnerabilities that require physical access, rooted / jailbroken devices, or debug access to a user’s device
Denial of service without prior authorization

If you have any questions about the rules or scope of the Say Technologies Bug Bounty Program, please reach out to us at [email protected] or on Bug Bounty Forum.

Program Rules

Be careful with sensitive information. If sensitive information such as personal information or user credentials are uncovered as part of your research, stop and report it to us immediately. Do not save, store, copy, or otherwise retain sensitive information, and work with us on any additional requests we may have.

Test responsibly. Only interact with and test bugs against accounts you own. Reach out to us if you need help with testing cross-account issues.

Do not cause harm. Do not engage in activities that disrupt, damage, or otherwise cause harm to or defraud Say Technologies or Robinhood, our users, our employees, or our brand—including denial of service attacks, social engineering, phishing, spam, social media scams, fraudulent transactions, or physical attacks.

Do not send spam messages to any contact forms.

Type of Response

SLA in business days

First Response

1 day

Time to Triage

5 days

Time to Bounty

1 day after triage

Zero-Day Issues

Eligibility to Participate

To be eligible to participate in the Say Technologies Bug Bounty Program, you must:

Be at least 18 years of age

Not be employed by Say Technologies or any of its affiliates as an employee, contingent worker, or contractor (including individuals who separated from Say Technologies or any of its affiliates within the prior 12 months), nor be an immediate family member of an aforementioned employee, contingent worker, or contractor.

Not be a resident of or an individual located within a country appearing on any U.S. sanctions lists, as administered by the Office of Foreign Assets Control (OFAC)

Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to the Bug Bounty Program

Rewards

Out of Scope

Physical attacks against Say Technologies employees, offices, or data centers, or any of its affiliates’ employees, offices, or data centers

Social engineering attacks against Say Technologies or any of its employees or users or any of its affiliates’ employees, offices or data centers , including phishing

Vulnerabilities in third-party integrations with the Say Technologies API

Vulnerabilities that require physical access, rooted / jailbroken devices, or debug access to a user’s device

Denial of service without prior authorization

If you have any questions about the rules or scope of the Say Technologies Bug Bounty Program, please reach out to us at [email protected] or on Bug Bounty Forum.