Hello and welcome developers and security researchers!
Would you like to (safely) test out some of your security hacking ideas and bank a little spending money?
In January 2020, Roblox expanded its private bug bounty program and opened it up to the general public. Further information regarding the bounty program can be found here.
Once in a while, Roblox will run a campaign to focus researchers’ attention on classes of bugs that our team has particular interest in. During these bug bounty campaigns, reporters receive a bonus on top of the standard reward.
Background
In the last few years, a variety of exploits and attacks have been discovered and fixed as a result of the research submitted by the Roblox community!
Bugs and vulnerabilities in the existing Lua APIs are difficult to find because researchers have to dig into the internals of these functions to identify them. We’d like to encourage developers and security researchers in the Roblox community to look for more vulnerabilities in the Roblox data model across our platform, in particular ones where a Roblox client can perform an action that crashes a game server or makes it inaccessible.
Core Requirements
Familiarize yourself with the rules
It’s important to make sure you have read and understand the rules and terms and conditions of the bug bounty program at HackerOne.
Keep in mind that we may choose to categorize some types of exploits as low-risk or low-severity if they require unique or rare circumstances.
Testing should NOT be done on public games
Keep in mind that the testing of the exploits should NOT be done on public games and the researcher must take measures to avoid accessing private user data or affecting other users’ experiences.
Please create your own place and put script(s) in it that demonstrate the malicious behavior. Roblox will accept the place you created as evidence. You shouldn’t allow other people to access your place.
Do NOT download external tools
Furthermore, for your own protection, we do not want you to download any external tools to inject malicious scripts into live games on production to showcase your attack scenario. Many so-called exploits are scams designed to get you to download malware, such as a keylogger or a credential-stealing program, that can be used to steal your Roblox password or the personal information on your computer.
Keep in mind that in addition to the personal security risks, you can get banned by Roblox for using external exploiting tools.
Bonuses
A bonus of up to $1000 will be added to the standard report award for DoS exploits with a clear proof of concept and reproduction steps.
Please quote the campaign code “C-2012-DOS” in your report to ensure eligibility for the bonus. The campaign is valid until February 1st, 2021.
The bonus amount will vary depending on the quality of reports. A high-quality report provides all the necessary information for an engineer to quickly understand, reproduce and fix the issue. This includes:
- Descriptive title
- Concise description of the bug
- Where the bug happens
- Impact
- What expertise level is required
- Any required background information
- Attached PoC (screenshots and videos)
- Place file that can be used to reproduce the bug. As these bugs would usually be exploited by injecting scripts via an external tool, we require reporters to submit a place file that includes the malicious scripts in it and can be used by Roblox engineers directly for easy reproduction.
- Reproduction steps in Studio
Here is an example DoS report submitted by albertl.
In the description of the bug report, the reporter demonstrates with a PoC (proof of concept), how they can cause their locally running Roblox game server to stop responding.
The reporter constructs a string of the special characters escaped_unicode(\uE01\uE47\uE47\uE47\u258C\u2593), up to 2 × 10^5 characters long, and sends it to the Roblox Lua ‘SayMessageRequest’ remote.
On receipt, the server attempts to log the message and the process becomes unresponsive. The bug has since been fixed and the reporter was rewarded.
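To make the place-file requirement concrete, here is an added example of how a DoS repro of this shape can be laid out in a single place: a server Script that owns the remote and a LocalScript that fires the oversized payload at it. This is illustrative code written for this page, not albertl’s report and not Roblox’s chat code. It assumes a stand-in RemoteEvent named “DoSRepro” rather than the chat’s SayMessageRequest, and the limits (200 bytes per message, 5 messages per second) are arbitrary values chosen for the example. The vulnerable handler logs whatever arrives; the hardened handler checks type, length, UTF-8 validity and rate before logging anything, and never writes the raw payload to the log.

```lua
-- Server Script (ServerScriptService). Added example; not code from the report or from Roblox.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

-- Assumption: a stand-in RemoteEvent; the real report targeted SayMessageRequest.
local remote = Instance.new("RemoteEvent")
remote.Name = "DoSRepro"
remote.Parent = ReplicatedStorage

-- Vulnerable handler: logs the client-controlled string unchecked.
-- Left unconnected here; connect it instead of hardenedHandler to reproduce the hang.
local function vulnerableHandler(player, message)
    print(player.Name .. " says: " .. tostring(message))
end

-- Hardened handler: validate before any logging or further processing.
local MAX_MESSAGE_BYTES = 200          -- illustrative limit
local MAX_MESSAGES_PER_SECOND = 5      -- illustrative limit
local windows = {}                     -- UserId -> {startedAt = number, count = number}

local function isAcceptable(player, message)
    if typeof(message) ~= "string" then
        return false, "non-string payload"
    end
    if #message > MAX_MESSAGE_BYTES then
        return false, ("%d bytes exceeds limit"):format(#message)
    end
    if utf8.len(message) == nil then
        return false, "invalid UTF-8"
    end
    -- Per-player rate limit so a flood of small messages is no better than one large one.
    local now = os.clock()
    local window = windows[player.UserId]
    if not window or now - window.startedAt >= 1 then
        window = { startedAt = now, count = 0 }
        windows[player.UserId] = window
    end
    window.count += 1
    if window.count > MAX_MESSAGES_PER_SECOND then
        return false, "rate limit"
    end
    return true
end

local function hardenedHandler(player, message)
    local ok, reason = isAcceptable(player, message)
    if not ok then
        -- Log the reason only; the payload itself is never written to the log.
        warn(("rejected message from %s: %s"):format(player.Name, reason))
        return
    end
    print(player.Name .. " says: " .. message)
end

remote.OnServerEvent:Connect(hardenedHandler)

Players.PlayerRemoving:Connect(function(player)
    windows[player.UserId] = nil
end)

-- LocalScript (StarterPlayerScripts), kept here as a comment so both halves of the
-- repro sit in one listing. It builds a multi-byte payload of roughly 2 x 10^5
-- characters and fires it at the remote.
--[[
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local remote = ReplicatedStorage:WaitForChild("DoSRepro")
local chunk = utf8.char(0xE47, 0x258C, 0x2593)  -- same kind of characters as the report
local payload = string.rep(chunk, 70000)         -- ~2.1 x 10^5 characters
remote:FireServer(payload)
]]
```

When packaging a report this way, keep the two scripts in their normal locations in the place file and state in the reproduction steps which handler is connected, so an engineer can flip between the vulnerable and hardened versions in Studio without editing the PoC.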
Reports submitted with PoC code and videos demonstrating the exploit are very well received and help expedite the triage process, resulting in quicker fixes and reward payouts.
Let us know if you have any questions.
Thank you,
Security Team