Bug Bounty Event - Engine Security

What’s happening?

We’re hosting an upcoming bug bounty promotion/campaign on HackerOne focusing on Engine security bugs!

If valid, your bug bounty report will pay out 1.5 times the standard program amount. The campaign will run from Oct 16, 2024 to Nov 6, 2024.

What qualifies as a valid HackerOne submission?

For our general guidelines about HackerOne submissions, please refer to the “About the Bug Reports category” page as well as our HackerOne policy. Only submit a report if it describes a security vulnerability and includes a working proof of concept.

What types of weaknesses and vulnerabilities are considered in scope?

We will only accept Engine-related vulnerabilities.
In scope vs. out of scope weaknesses will continue to follow Roblox’s standard HackerOne program policy. Please review the out of scope vulnerabilities section on our program page prior to submitting a report. We’ll also prioritize reports that fall under these categories (as well as other Engine reports with high to critical severity):

  • Denial of Service (applicable to all or most experiences)
    • Server crashes
    • Out-of-Memory (OOM) bugs
    • Disconnecting clients
  • Memory safety
    • Read of uninitialized memory
    • Use After Free
    • Out-of-bounds Read
    • Out-of-bounds Write
    • Double free

Thanks, and we look forward to your report submissions!
