[{"id":3770532,"new_policy":"# **Our Mission**\n\nRoblox’s vision is to reimagine the way people come together, and our mission is to connect a billion people every day with optimism and civility in a shared 3D experience. Our platform empowers people of all ages to imagine, create, and play together in immersive, user-generated worlds.  \nWe recognize the important role that our user community and a community of security researchers play in helping to keep Roblox and our community safe. If you think you’ve found a security issue on any of the scopes we have listed, please inform us via our program on HackerOne using the guidelines below.  \nRoblox reserves the right to choose to address or not address any reported vulnerabilities. When reporting vulnerabilities, please consider:\n\n1. How easily/realistically exploitable the bug is (what’s the attack scenario?)\n2. What is the security impact of the bug to our users and company?\n\nIf a bug is not easily exploitable or does not have a significant security impact to our platform and users, we may not accept it, or we may lower the overall severity and/or payout to match how impactful it is. This often comes into play where in-scope assets differ in how much impact they have on our overall user-facing products and platform.\n\n# **1\\. Program Essentials**\n\n**🚨 STOP. READ THIS. DO NOT SKIM. 🚨**\n\n**What you must ALWAYS do:**\n\n* Test only on your own accounts, devices, and clearly marked private/test experiences.  \n* Include the string \"hackeronetest-\\\u003cyour-roblox-userid\\\u003e\" at the end of your user agent so we can easily identify traffic that is coming from the bug bounty program.  \n* Test with the minimum necessary actions to validate a vulnerability.  \n* Report all findings exclusively through HackerOne.  \n* Follow HackerOne’s disclosure guidelines.\n\n**What you must NEVER do:**\n\n* Exfiltrate, share, publish, or modify the data of other Roblox users or employees.  
\n* Attempt social engineering (phishing, vishing, smishing) or physical attacks.  \n* Perform volumetric Denial of Service (DoS), DDoS, or spam attacks.  \n* Develop or test fully weaponized RCE chains against production clients.  \n* Distribute exploit executors, cheats, or bypass frameworks.  \n* Violate any laws, regulations, or agreements during your testing.\n\n# **2\\. Core Rules (Applies to All Reports)**\n\n## **2.1 Participation \u0026 Eligibility**\n\n* Current \u0026 former Roblox employees and their family members are not eligible for bounties.  \n* Recently disclosed 0-day vulnerabilities are not eligible unless you have a working PoC exploit.\n\n## **2.2 Handling Data (Users \u0026 Employees)**\n\nYour participation generally prohibits you from collecting, accessing, viewing, storing, altering, or otherwise using the data of Roblox users.\n\n* Localize testing to your own test accounts wherever possible.  \n* If a bug requires touching other users’ data to verify, you must contact us first for guidance.  \n* If private user data is accidentally accessed, notify us immediately.  \n* In exceptional, necessary cases, restrict data use to the absolute minimum amount of users and scope.  \n* Take measures to prevent unauthorized access, alteration, or deletion of any accessed user data.  \n* Do not use accessed data to contact Roblox users for any reason.  \n* Delete any user data from your systems irrevocably after testing (we reserve the right to demand proof).  \n* Infringing data protection laws (including GDPR) can result in program exclusion, reclaimed bounties, substantial fines, and damages.\n\n## **2.3 Safe Testing Rules**\n\n* If you are aware that your attacks may harm the reliability or integrity of our services or data, stop immediately and contact us by submitting a report.  \n* Do NOT contact our customer support team or employees out-of-band to contest or escalate a report. All inquiries must happen on the HackerOne report itself. 
Repeat offenses will lead to removal from the program.\n\n## **2.4 General Out-of-Scope Vulnerabilities**\n\nThe following vulnerabilities typically will not qualify for a bounty, or may be downrated if the impact is lacking (e.g., low-impact bugs on WordPress sites like blog.roblox.com). Vulnerabilities that are an accepted risk are not eligible for paid bounties.\n\n* Vulnerabilities previously disclosed or known to Roblox/the public.  \n* User account hacks requiring user interaction.  \n* Chat filter bugs.  \n* Missing autocomplete attributes.  \n* Missing flags on cookies that do not house sensitive information.  \n* SSL/TLS scan reports (e.g., SSL Labs output) and version-related vulnerabilities.  \n* Missing security-related HTTP headers that do not lead directly to a vulnerability.  \n* Issues affecting a small user base (e.g., outdated browsers/software).  \n* Volumetric DDoS/DoS/Spam attacks (*Note: Data model vulnerabilities used by exploiters to crash game servers ARE in scope and encouraged*).  \n* CSRF with minimal security implications (Login/logout/unauthenticated).  \n* Version information disclosure without an actual exploitable vulnerability.  \n* Password complexity-related vulnerabilities.  \n* Unverified or incomplete scanner output.  \n* Vulnerabilities requiring physical access to an unlocked device.  \n* Bugs requiring exceedingly unlikely user interaction.  \n* Disclosure of public domain information or info lacking significant risk.  \n* Language used in emails and policy documents.  \n* SPF, DKIM, or DMARC issues on sub-domains of roblox.com.  \n* HTML injection vulnerabilities with no direct risk.  \n* Social engineering or link-following vulnerabilities.  \n* Self-XSS or similar vulnerabilities.  \n* Vulnerabilities on `*.ra.roblox.com` that do not affect release servers.  \n* Beta/early access vulnerabilities not in HackerOne bounty program (unless explicitly stated, beta feedback does not guarantee a bounty).\n\n# **3\\. 
Additional Guidance**\n\n## **Exploit Development \u0026 RCE**\n\n**Summary:** Rules for memory corruption, RCE chains, sandbox escapes, and exploit tooling. **Who should read this?** Researchers doing client exploitation, RCE, or deep exploit work.\n\n**What is Allowed (Public Bug Bounty):**\n\n* **Minimal PoCs:** Reliably reproduce the vulnerability (crash, assertion, benign object corruption). Demonstrate clear security impact (control over a pointer, predictable structure corruption).  \n* **Safe Execution:** Cause controlled memory corruption or use-after-free on a test object. Influence data writing without a full chain. Prove primitives (info leak, type confusion) work as described.  \n* **Limited Exploitation:** Demonstrate control over program state (influencing a return address, vtable) as long as you don’t execute OS commands, persist access, or alter user state.\n\n**What Is Prohibited (Without Explicit Written Authorization):**\n\n* **Fully Weaponized RCE:** Developing reliable chains against production clients that execute arbitrary code (shell commands, DLL injection), act as real-world attacks, or integrate into cheat frameworks.  \n* **Tooling:** Creating telemetry bypass frameworks. Automating exploit deployment (mass scripts).  \n* **Targeting Backends:** Testing exploits aimed at Roblox Compute Cloud (RCC) servers, control-plane, or management systems.  \n* **Impacting Economies/Users:** Stealing creator assets beyond documented APIs, manipulating live economies (mass duplication, currency fraud), or hiding exploit activity inside normal traffic.  \n* **Selling/Sharing:** Selling working exploit code to third parties or publicly releasing production-ready chains while unpatched.\n\n# **4\\. Reporting \u0026 Rewards**\n\nWe prioritize clear, technically sound writeups over \"live\" weaponization. 
When reviewing reports, we consider (1) how easily/realistically exploitable the bug is (the attack scenario) and (2) the security impact on our users and company.\n\n**Required Technical Details:**\n\n* **Version Numbers:** For Client or Studio reports, include the exact version. (In Studio: *File \\\u003e About Roblox Studio*. For Client: Found in the properties of the `.exe` file, typically at `%APPDATA%\\..\\Local\\Roblox\\Versions\\\u003cversion\u003e\\RobloxPlayerBeta.exe`).  \n* **Timestamps:** Report the approximate date, time, and timezone of your most recent test.\n\n**Reasoning-Based Impact (You do not need weaponized RCE for top rewards):**\n\n* You can receive high or maximum rewards for serious issues without a fully weaponized exploit.  \n* You are allowed to explain, in detail, how your primitives could escalate to arbitrary read/write, RCE, or sandbox escapes.  \n* You are allowed to provide call-graph analysis, object lifetime reasoning, mitigation bypass ideas, hypothetical ROP chains, or high-level exploit diagrams.\n\n**Response Targets \u0026 SLAs:** We will endeavor to keep you informed about our progress and meet the following targets:\n\n* Time to first response (from report submit): 3 business days  \n* Time to triage (from report submit): 2-10 business days  \n* Time to bounty (from triage): 20-40 business days\n\n# **5\\. Full Disclosure \u0026 Legal Terms**\n\nWhile we encourage responsible discovery and reporting, the following conduct is expressly prohibited. Violations will result in disqualification from the Bug Bounty Program and, if necessary, referral to law enforcement:\n\n* Disclosing vulnerabilities or suspected vulnerabilities to any other person without explicit Roblox authorization.  \n* Disclosing the contents of any submission to our program without explicit Roblox authorization.  \n* Accessing private information of any person stored on a Roblox product or service.  \n* Sharing or publishing Roblox user data.  
\n* Accessing sensitive information (e.g., credentials).  \n* Exfiltrating data (Test only the minimum necessary to validate; we will reward with the impact in mind).  \n* Conducting any kind of physical attack on Roblox personnel, property, or data centers.  \n* Violating any laws or regulations or breaching any agreements in order to discover vulnerabilities.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-04T01:00:22.390Z"},{"id":3770531,"new_policy":"# **Our Mission**\n\nRoblox’s vision is to reimagine the way people come together, and our mission is to connect a billion people every day with optimism and civility in a shared 3D experience. Our platform empowers people of all ages to imagine, create, and play together in immersive, user-generated worlds.  \nWe recognize the important role that our user community and a community of security researchers play in helping to keep Roblox and our community safe. If you think you’ve found a security issue on any of the scopes we have listed, please inform us via our program on HackerOne using the guidelines below.  \nRoblox reserves the right to choose to address or not address any reported vulnerabilities. When reporting vulnerabilities, please consider:\n\n1. How easily/realistically exploitable the bug is (what’s the attack scenario?)\n2. What is the security impact of the bug to our users and company?\n\nIf a bug is not easily exploitable or does not have a significant security impact to our platform and users, we may not accept it, or we may lower the overall severity and/or payout to match how impactful it is. 
This often comes into play where in-scope assets differ in how much impact they have on our overall user-facing products and platform.\n\n# **1\\. Program Essentials**\n\n**🚨 STOP. READ THIS. DO NOT SKIM. 🚨**\n\n**What you must ALWAYS do:**\n\n* Test only on your own accounts, devices, and clearly marked private/test experiences.  \n* Include the string \"hackeronetest-\\\u003cyour-roblox-userid\\\u003e\" at the end of your user agent so we can easily identify traffic that is coming from the bug bounty program.  \n* Test with the minimum necessary actions to validate a vulnerability.  \n* Report all findings exclusively through HackerOne.  \n* Follow HackerOne’s disclosure guidelines.\n\n**What you must NEVER do:**\n\n* Exfiltrate, share, publish, or modify the data of other Roblox users or employees.  \n* Attempt social engineering (phishing, vishing, smishing) or physical attacks.  \n* Perform volumetric Denial of Service (DoS), DDoS, or spam attacks.  \n* Develop or test fully weaponized RCE chains against production clients.  \n* Distribute exploit executors, cheats, or bypass frameworks.  \n* Violate any laws, regulations, or agreements during your testing.\n\n# **2\\. Core Rules (Applies to All Reports)**\n\n## **2.1 Participation \u0026 Eligibility**\n\n* Current \u0026 former Roblox employees and their family members are not eligible for bounties.  \n* Recently disclosed 0-day vulnerabilities are not eligible unless you have a working PoC exploit.\n\n## **2.2 Handling Data (Users \u0026 Employees)**\n\nYour participation generally prohibits you from collecting, accessing, viewing, storing, altering, or otherwise using the data of Roblox users.\n\n* Localize testing to your own test accounts wherever possible.  \n* If a bug requires touching other users’ data to verify, you must contact us first for guidance.  \n* If private user data is accidentally accessed, notify us immediately.  
\n* In exceptional, necessary cases, restrict data use to the absolute minimum amount of users and scope.  \n* Take measures to prevent unauthorized access, alteration, or deletion of any accessed user data.  \n* Do not use accessed data to contact Roblox users for any reason.  \n* Delete any user data from your systems irrevocably after testing (we reserve the right to demand proof).  \n* Infringing data protection laws (including GDPR) can result in program exclusion, reclaimed bounties, substantial fines, and damages.\n\n## **2.3 Safe Testing Rules**\n\n* If you are aware that your attacks may harm the reliability or integrity of our services or data, stop immediately and contact us by submitting a report.  \n* Do NOT contact our customer support team or employees out-of-band to contest or escalate a report. All inquiries must happen on the HackerOne report itself. Repeat offenses will lead to removal from the program.\n\n## **2.4 General Out-of-Scope Vulnerabilities**\n\nThe following vulnerabilities typically will not qualify for a bounty, or may be downrated if the impact is lacking (e.g., low-impact bugs on WordPress sites like blog.roblox.com). Vulnerabilities that are an accepted risk are not eligible for paid bounties.\n\n* Vulnerabilities previously disclosed or known to Roblox/the public.  \n* User account hacks requiring user interaction.  \n* Chat filter bugs.  \n* Missing autocomplete attributes.  \n* Missing flags on cookies that do not house sensitive information.  \n* SSL/TLS scan reports (e.g., SSL Labs output) and version-related vulnerabilities.  \n* Missing security-related HTTP headers that do not lead directly to a vulnerability.  \n* Issues affecting a small user base (e.g., outdated browsers/software).  \n* Volumetric DDoS/DoS/Spam attacks (*Note: Data model vulnerabilities used by exploiters to crash game servers ARE in scope and encouraged*).  \n* CSRF with minimal security implications (Login/logout/unauthenticated).  
\n* Version information disclosure without an actual exploitable vulnerability.  \n* Password complexity-related vulnerabilities.  \n* Unverified or incomplete scanner output.  \n* Vulnerabilities requiring physical access to an unlocked device.  \n* Bugs requiring exceedingly unlikely user interaction.  \n* Disclosure of public domain information or info lacking significant risk.  \n* Language used in emails and policy documents.  \n* SPF, DKIM, or DMARC issues on sub-domains of roblox.com.  \n* HTML injection vulnerabilities with no direct risk.  \n* Social engineering or link-following vulnerabilities.  \n* Self-XSS or similar vulnerabilities.  \n* Vulnerabilities on `*.ra.roblox.com` that do not affect release servers.  \n* Beta/early access vulnerabilities not in HackerOne bounty program (unless explicitly stated, beta feedback does not guarantee a bounty).\n\n# **3\\. Additional Guidance**\n\n*(Note for formatting: This will be wrapped in `\u003cdetails\u003e` and `\u003csummary\u003e` tags on HackerOne to create the dropdown effect).*\n\n## **Exploit Development \u0026 RCE**\n\n**Summary:** Rules for memory corruption, RCE chains, sandbox escapes, and exploit tooling. **Who should read this?** Researchers doing client exploitation, RCE, or deep exploit work.\n\n**What is Allowed (Public Bug Bounty):**\n\n* **Minimal PoCs:** Reliably reproduce the vulnerability (crash, assertion, benign object corruption). Demonstrate clear security impact (control over a pointer, predictable structure corruption).  \n* **Safe Execution:** Cause controlled memory corruption or use-after-free on a test object. Influence data writing without a full chain. Prove primitives (info leak, type confusion) work as described.  
\n* **Limited Exploitation:** Demonstrate control over program state (influencing a return address, vtable) as long as you don’t execute OS commands, persist access, or alter user state.\n\n**What Is Prohibited (Without Explicit Written Authorization):**\n\n* **Fully Weaponized RCE:** Developing reliable chains against production clients that execute arbitrary code (shell commands, DLL injection), act as real-world attacks, or integrate into cheat frameworks.  \n* **Tooling:** Creating telemetry bypass frameworks. Automating exploit deployment (mass scripts).  \n* **Targeting Backends:** Testing exploits aimed at Roblox Compute Cloud (RCC) servers, control-plane, or management systems.  \n* **Impacting Economies/Users:** Stealing creator assets beyond documented APIs, manipulating live economies (mass duplication, currency fraud), or hiding exploit activity inside normal traffic.  \n* **Selling/Sharing:** Selling working exploit code to third parties or publicly releasing production-ready chains while unpatched.\n\n# **4\\. Reporting \u0026 Rewards**\n\nWe prioritize clear, technically sound writeups over \"live\" weaponization. When reviewing reports, we consider (1) how easily/realistically exploitable the bug is (the attack scenario) and (2) the security impact on our users and company.\n\n**Required Technical Details:**\n\n* **Version Numbers:** For Client or Studio reports, include the exact version. (In Studio: *File \\\u003e About Roblox Studio*. For Client: Found in the properties of the `.exe` file, typically at `%APPDATA%\\..\\Local\\Roblox\\Versions\\\u003cversion\u003e\\RobloxPlayerBeta.exe`).  \n* **Timestamps:** Report the approximate date, time, and timezone of your most recent test.\n\n**Reasoning-Based Impact (You do not need weaponized RCE for top rewards):**\n\n* You can receive high or maximum rewards for serious issues without a fully weaponized exploit.  
\n* You are allowed to explain, in detail, how your primitives could escalate to arbitrary read/write, RCE, or sandbox escapes.  \n* You are allowed to provide call-graph analysis, object lifetime reasoning, mitigation bypass ideas, hypothetical ROP chains, or high-level exploit diagrams.\n\n**Response Targets \u0026 SLAs:** We will endeavor to keep you informed about our progress and meet the following targets:\n\n* Time to first response (from report submit): 3 business days  \n* Time to triage (from report submit): 2-10 business days  \n* Time to bounty (from triage): 20-40 business days\n\n# **5\\. Full Disclosure \u0026 Legal Terms**\n\nWhile we encourage responsible discovery and reporting, the following conduct is expressly prohibited. Violations will result in disqualification from the Bug Bounty Program and, if necessary, referral to law enforcement:\n\n* Disclosing vulnerabilities or suspected vulnerabilities to any other person without explicit Roblox authorization.  \n* Disclosing the contents of any submission to our program without explicit Roblox authorization.  \n* Accessing private information of any person stored on a Roblox product or service.  \n* Sharing or publishing Roblox user data.  \n* Accessing sensitive information (e.g., credentials).  \n* Exfiltrating data (Test only the minimum necessary to validate; we will reward with the impact in mind).  \n* Conducting any kind of physical attack on Roblox personnel, property, or data centers.  
\n* Violating any laws or regulations or breaching any agreements in order to discover vulnerabilities.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-04T01:00:11.057Z"},{"id":3713865,"new_policy":"## Policy\n#### Our Mission\nRoblox is ushering in the next generation of entertainment, allowing kids of all ages to imagine, create, and play together in an immersive, user-generated 3D world. We call it the “Imagination Platform” and invite everyone to play on it.\nWe recognize the important role that our user community and a community of security researchers play in helping to keep Roblox and our community safe. If you think you’ve found a security issue on any of the scopes we have listed, please inform us via our program on HackerOne using the guidelines below. \nRoblox reserves the right to choose to address or not address any reported vulnerabilities. When reporting vulnerabilities, please consider (1) how easily/realistically exploitable the bug is (what’s the attack scenario?) and (2) what is the security impact of the bug to our users and company? If a bug is not easily exploitable or does not have a significant security impact to our platform and users, we may not accept it or we may decrease the overall severity and/or payout to how impactful it is. This often comes into play in differences in our in-scope assets and how impactful they may be to our overall user facing products and platform.\n \n#### Program Rules\nTo participate in Roblox’s **security bug bounty program**, we request that you abide by the following rules. These are fairly standard requirements for most programs, but if you have any questions or feedback on these rules, please let us know at support@hackerone.com. 
(please do not submit bugs to this alias).\nRoblox reserves the right to modify the terms of this policy at any time.\n \n##### Handling Data\n* Your participation in the Roblox bug bounty program generally prohibits you from collecting, accessing, viewing, storing, altering or otherwise using data of Roblox users.\n* While testing, take measures to avoid accessing user data or affecting other users’ experiences. Please localize testing to your own test accounts wherever possible. If private user data is accessed during your security testing, please notify us immediately.\n* If you have found an issue that may require touching other users’ data to verify, please contact us first for guidance on how to safely test for such issues.\n*  In exceptional cases in which data of Roblox users is accessed and used for the security testing please restrict the data use to the extent that is crucially necessary to conduct proper security testing. This particularly means that you only use user data of very few Roblox users and that you limit the amount of the specific user data to the scope that is necessary for the specific testing measure.\n* In case of accessing user data for testing purposes, please ensure to take measures to prevent unauthorized access, alteration or deletion of the user data. You may not use the user data for any purposes other than participating in the Roblox bug bounty program and conducting the security testing.\n* You may not use the user data accessed during the security testing to contact Roblox users for any reason; including informing them about the security testing.\n* After completing the testing, you must delete any user data from your systems irrevocably. We reserve the right to demand proof of proper deletion.\n* You must refrain from sharing user data with others or publish user data.\n* A violation of these data protection obligations may lead to exclusion from the bug bounty program. 
In the event of infringement, Roblox reserves the right to reclaim already awarded bounties. Infringing data protection laws, including the European General Data Protection Regulation (GDPR), can result in substantial fines and/or users may be entitled to damages.\n \n##### Testing\n* If you are aware that your attacks may harm the reliability or integrity of our services or data, stop immediately and contact us\n* Vulnerabilities found through DDoS/spam attacks are not allowed\n* Never attempt non-technical attacks such as social engineering (e.g. phishing, vishing, smishing) or physical attacks against our employees, users, or infrastructure\n* Recently disclosed 0-day vulnerabilities are not eligible, unless you have a working PoC exploit.\n* Follow HackerOne’s disclosure guidelines\n* When testing, please include the string \"hackeronetest-\u003cyour-roblox-userid\u003e\" at the end of your user agent so we can more easily identify traffic that is coming from the bug bounty program.\n* For any report involving the Roblox Client or Roblox Studio, include the version:\n  * In Studio, click File \u003e About Roblox Studio\n  * For the client, the version is shown in the properties of the exe file, normally located at `%APPDATA%\\..\\Local\\Roblox\\Versions\\\u003cversion\u003e\\RobloxPlayerBeta.exe`. There are typically two folders, one for the client and one for Studio.\n* Report the approximate date/time/timezone of the most recent test of the issue\n* Please do NOT contact our customer support team or employees out of band to contest or escalate a report; all inquiries should happen on the report itself. 
Failure to follow this rule may result in a bounty not being paid out and repeat offenses can lead to removal from the bug bounty program\n \n#### Response Targets\nRoblox will endeavor to meet the following SLAs for hackers participating in our program:\n* Time to first response (from report submit): 3 business days\n* Time to triage (from report submit): 2-10 business days\n* Time to bounty (from triage): 20-40 business days\n* We’ll try to keep you informed about our progress throughout the process\n \n#### Disclosure Policy\nWhile we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited and will result in disqualification from the Bug Bounty Program and, if necessary, referral of your conduct to law enforcement:\n* Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other person without explicit Roblox authorization\n* Disclosing the contents of any submission to our program without explicit Roblox authorization\n* Accessing private information of any person stored on a Roblox product or service – You must use test accounts\n* Sharing or publishing Roblox user data\n* Accessing sensitive information (e.g. credentials)\n* Performing actions that may negatively affect Roblox or its users (e.g. Spam, Brute force, Denial of Service)\n* Conducting any kind of physical attack on Roblox personnel, property or data centers\n* Social engineering any Roblox help desk, employee or contractor\n* Exfiltrating data. 
Please test only the minimum necessary to validate a vulnerability (we can verify if data exfiltration would be possible from a vulnerability, and will reward with the impact in mind)\n* Violating any laws or regulations or breaching any agreements in order to discover vulnerabilities\n \n#### Out-of-scope Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) how easily/realistically exploitable the bug is (what’s the attack scenario?) and (2) what is the security impact of the bug? If a bug is not easily exploitable or does not have a significant security impact, it is less likely to qualify for a bounty or may have a lower payout. For example, low-impact vulnerabilities on our WordPress sites such as blog.roblox.com, or similar sites that are in scope, may be downrated in severity if the impact is lacking.\nThe following vulnerabilities typically will not qualify for Roblox’s program:\n* Vulnerabilities previously disclosed through the program or otherwise known to Roblox or to the public\n* User account hacks that require user interaction\n* Chat filter bugs\n* Missing autocomplete attributes\n* Missing flags on cookies that don’t house any sensitive information\n* SSL/TLS scan reports (this means output from sites such as SSL Labs) and SSL/TLS version related vulnerabilities\n* Missing security-related HTTP headers which do not lead directly to a vulnerability\n* Issues that only affect a smaller user base (e.g. users on outdated browsers or other outdated software)\n* Vulnerabilities that are used for volumetric DDoS/DoS/Spam attacks are out of scope. However, vulnerabilities in the Roblox data model that exploiters can use specifically to crash game servers are in scope, and reporting them is strongly encouraged.   
\n* Cross-site Request Forgery (CSRF) with minimal security implications (Login/logout/unauthenticated)\n* Version information disclosure (without verifying the presence of an actual exploitable vulnerability)\n* Password complexity related vulnerabilities\n* Unverified or incomplete \"Scanner output\" or scanner-generated reports\n* Vulnerabilities requiring physical access to the victim's unlocked device\n* Bugs requiring exceedingly unlikely user interaction\n* Disclosure of information already in public domain or information previously disclosed by Roblox\n* Disclosure of public information and information that does not present significant risk\n* Vulnerabilities that Roblox determines to be an accepted risk will not be eligible for a paid bounty\n* Language used in emails and policy documents\n* SPF, DKIM or DMARC issues on sub-domains of roblox.com\n* HTML injection vulnerabilities with no direct risk\n* Social engineering or following a link will not be considered for bounty\n* Self XSS or similar vulnerabilities\n* Vulnerabilities found on *.ra.roblox.com that do not affect release servers\n* Vulnerabilities from beta / early access that are not in a private hackerone bounty program may be out of scope, up to the discretion of Roblox. Unless otherwise stated, being invited to give feedback to a beta feature does not guarantee you will be paid bounties for said feedback.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-08T20:53:08.713Z"},{"id":3713864,"new_policy":"## Policy\n#### Our Mission\nRoblox is ushering in the next generation of entertainment, allowing kids of all ages to imagine, create, and play together in an immersive, user-generated 3D world. 
We call it the “Imagination Platform” and invite everyone to play on it.\nWe recognize the important role that our user community and a community of security researchers play in helping to keep Roblox and our community safe. If you think you’ve found a security issue on any of the scopes we have listed, please inform us via our program on HackerOne using the guidelines below. \nRoblox reserves the right to choose to address or not address any reported vulnerabilities. When reporting vulnerabilities, please consider (1) how easily/realistically exploitable the bug is (what’s the attack scenario?) and (2) what is the security impact of the bug to our users and company? If a bug is not easily exploitable or does not have a significant security impact to our platform and users, we may not accept it or we may decrease the overall severity and/or payout to match how impactful it is. This often comes into play where in-scope site assets differ in how much impact they have on our overall user-facing products and platform.\n \n#### Program Rules\nTo participate in Roblox’s **security bug bounty program**, we request that you abide by the following rules. These are fairly standard requirements for most programs, but if you have any questions or feedback on these rules, please let us know at support@hackerone.com (please do not submit bugs to this alias).\nRoblox reserves the right to modify the terms of this policy at any time.\n \n##### Handling Data\n* Your participation in the Roblox bug bounty program generally prohibits you from collecting, accessing, viewing, storing, altering or otherwise using data of Roblox users.\n* While testing, take measures to avoid accessing user data or affecting other users’ experiences. Please localize testing to your own test accounts wherever possible. 
If private user data is accessed during your security testing, please notify us immediately.\n* If you have found an issue that may require touching other users’ data to verify, please contact us first for guidance on how to safely test for such issues.\n*  In exceptional cases in which data of Roblox users is accessed and used for the security testing please restrict the data use to the extent that is crucially necessary to conduct proper security testing. This particularly means that you only use user data of very few Roblox users and that you limit the amount of the specific user data to the scope that is necessary for the specific testing measure.\n* In case of accessing user data for testing purposes, please ensure to take measures to prevent unauthorized access, alteration or deletion of the user data. You may not use the user data for any purposes other than participating in the Roblox bug bounty program and conducting the security testing.\n* You may not use the user data accessed during the security testing to contact Roblox users for any reason; including informing them about the security testing.\n* After completing the testing, you must delete any user data from your systems irrevocably. We reserve the right to demand proof of proper deletion.\n* You must refrain from sharing user data with others or publish user data.\n* A violation of these data protection obligations may lead to exclusion from the bug bounty program. In the event of infringement, Roblox reserves the right to reclaim already awarded bounties. 
Infringing data protection laws, including the European General Data Protection Regulation (GDPR), can result in substantial fines and/or users may be entitled to damages.\n \n##### Testing\n* If you are aware that your attacks may harm the reliability or integrity of our services or data, stop immediately and contact us\n* Vulnerabilities found through DDoS/spam attacks are not allowed\n* Never attempt non-technical attacks such as social engineering (e.g. phishing, vishing, smishing) or physical attacks against our employees, users, or infrastructure\n* Recently disclosed 0-day vulnerabilities are not eligible, unless you have a working poc exploit.\n* Follow HackerOne’s disclosure guidelines\n* When testing, please include the string \"hackeronetest-\u003cyour-roblox-userid\u003e\" at the end of your user agent so we can more easily identify traffic that is coming from the bug bounty program.\n* For any report involving the Roblox Client or Roblox Studio, include the version\n* In Studio, click File \u003e About Roblox Studio\n* For client, the version is shown in the properties of the exe file, normally located at %APPDATA%..\\Local\\Roblox\\Versions\u003cversion\u003e\\RobloxPlayerBeta.exe. There are typically two folders, one for client, one for studio.\n* Report the approximate date/time/timezone of the most recent test of the issue\n* Please do NOT contact our customer support team or employees out of band to contest or escalate a report; all inquiries should happen on the report itself. 
Failure to follow this rule may result in a bounty not being paid out and repeat offenses can lead to removal from the bug bounty program\n \n#### Response Targets\nRoblox will endeavor to meet the following SLAs for hackers participating in our program:\n* Time to first response (from report submit): 3 business days\n* Time to triage (from report submit): 2-10 business days\n* Time to bounty (from triage): 20-40 business days\n* We’ll try to keep you informed about our progress throughout the process\n \n#### Disclosure Policy\nWhile we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited and will result in disqualification from the Bug Bounty Program and, if necessary, referral of your conduct to law enforcement:\n* Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other person without explicit Roblox authorization\n* Disclosing the contents of any submission to our program without explicit Roblox authorization\n* Accessing private information of any person stored on a Roblox product or service – You must use test accounts\n* Sharing or publishing Roblox user data\n* Accessing sensitive information (e.g. credentials)\n* Performing actions that may negatively affect Roblox or its users (e.g. Spam, Brute force, Denial of Service)\n* Conducting any kind of physical attack on Roblox personnel, property or data centers\n* Social engineering any Roblox help desk, employee or contractor\n* Exfiltrating data. 
Please test only the minimum necessary to validate a vulnerability (we can verify if data exfiltration would be possible from a vulnerability, and will reward with the impact in mind)\n* Violating any laws or regulations or breaching any agreements in order to discover vulnerabilities\n \n#### Out-of-scope Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) how easily/realistically exploitable the bug is (what’s the attack scenario?) and (2) what is the security impact of the bug? If a bug is not easily exploitable or does not have a significant security impact, it is less likely to qualify for a bounty or may have a lower pay out.  For example, low impact vulnerabilities on our word press sites such as blog.roblox.com or similar sites that are in scope, may be downrated in severity if the impact is lacking.\nThe following vulnerabilities typically will not qualify for Roblox’s program:\n* Vulnerabilities previously disclosed through the program or otherwise known to Roblox or to the public\n* User account hacks that require user interaction\n* Chat filter bugs\n* Missing autocomplete attributes\n* Missing flags on cookies that don’t house any sensitive information\n* SSL/TLS scan reports (this means output from sites such as SSL Labs) and SSL/TLS version related vulnerabilities\n* Missing security-related HTTP headers which do not lead directly to a vulnerability. Issues that only affect a smaller user base (e.g. users on outdated browsers or other outdated software).\n* Vulnerabilities that are used for volumetric DDoS/DoS/Spam attacks are out of scope. But the vulnerabilities in the Roblox data model, which can be used by exploiters specifically for crashing the game servers, is strongly encouraged to be reported.   
\n* Cross-site Request Forgery (CSRF) with minimal security implications (Login/logout/unauthenticated)\n* Version information disclosure (without verifying the presence of an actual exploitable vulnerability)\n* Password complexity related vulnerabilities\n* Unverified or incomplete \"Scanner output\" or scanner-generated reports\n* Vulnerabilities requiring physical access to the victim's unlocked device\n* Bugs requiring exceedingly unlikely user interaction\n* Disclosure of information already in public domain or information previously disclosed by Roblox\n* Disclosure of public information and information that does not present significant risk\n* Vulnerabilities that Roblox determines to be an accepted risk will not be eligible for a paid bounty\n* Language used in emails and policy documents\n* SPF, DKIM or DMARC issues on sub-domains of roblox.com\n* HTML injection vulnerabilities with no direct risk\n* Social engineering or following a link will not be considered for bounty\n* Self XSS or similar vulnerabilities\n* Vulnerabilities found on *.ra.roblox.com that do not affect release servers\n* Vulnerabilities from beta / early access that are not in a private hackerone bounty program may be out of scope, up to the discretion of Roblox. Unless otherwise stated, being invited to give feedback to a beta feature does not guarantee you will be paid bounties for said feedback.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-08T20:50:36.929Z"},{"id":3680716,"new_policy":"## Policy\n#### Our Mission\nRoblox is ushering in the next generation of entertainment, allowing kids of all ages to imagine, create, and play together in an immersive, user-generated 3D world. 
We call it the “Imagination Platform” and invite everyone to play on it.\nWe recognize the important role that our user community and a community of security researchers play in helping to keep Roblox and our community safe. If you think you’ve found a security issue on any of the scopes we have listed, please inform us via our program on HackerOne using the guidelines below. \nRoblox reserves the right to choose to address or not address any reported vulnerabilities.\n \n#### Program Rules\nTo participate in Roblox’s **security bug bounty program**, we request that you abide by the following rules. These are fairly standard requirements for most programs, but if you have any questions or feedback on these rules, please let us know at support@hackerone.com. (please do not submit bugs to this alias).\nRoblox reserves the right to modify the terms of this policy at any time.\n \n##### Handling Data\n* Your participation in the Roblox bug bounty program generally prohibits you from collecting, accessing, viewing, storing, altering or otherwise using data of Roblox users.\n* While testing, take measures to avoid accessing user data or affecting other users’ experiences. Please localize testing to your own test accounts wherever possible. If private user data is accessed during your security testing, please notify us immediately.\n* If you have found an issue that may require touching other users’ data to verify, please contact us first for guidance on how to safely test for such issues.\n*  In exceptional cases in which data of Roblox users is accessed and used for the security testing please restrict the data use to the extent that is crucially necessary to conduct proper security testing. 
This particularly means that you only use user data of very few Roblox users and that you limit the amount of the specific user data to the scope that is necessary for the specific testing measure.\n* In case of accessing user data for testing purposes, please ensure to take measures to prevent unauthorized access, alteration or deletion of the user data. You may not use the user data for any purposes other than participating in the Roblox bug bounty program and conducting the security testing.\n* You may not use the user data accessed during the security testing to contact Roblox users for any reason; including informing them about the security testing.\n* After completing the testing, you must delete any user data from your systems irrevocably. We reserve the right to demand proof of proper deletion.\n* You must refrain from sharing user data with others or publish user data.\n* A violation of these data protection obligations may lead to exclusion from the bug bounty program. In the event of infringement, Roblox reserves the right to reclaim already awarded bounties. Infringing data protection laws, including the European General Data Protection Regulation (GDPR), can result in substantial fines and/or users may be entitled to damages.\n \n##### Testing\n* If you are aware that your attacks may harm the reliability or integrity of our services or data, stop immediately and contact us\n* Vulnerabilities found through DDoS/spam attacks are not allowed\n* Never attempt non-technical attacks such as social engineering (e.g. 
phishing, vishing, smishing) or physical attacks against our employees, users, or infrastructure\n* Recently disclosed 0-day vulnerabilities are not eligible, unless you have a working poc exploit.\n* Follow HackerOne’s disclosure guidelines\n* When testing, please include the string \"hackeronetest-\u003cyour-roblox-userid\u003e\" at the end of your user agent so we can more easily identify traffic that is coming from the bug bounty program.\n* For any report involving the Roblox Client or Roblox Studio, include the version\n* In Studio, click File \u003e About Roblox Studio\n* For client, the version is shown in the properties of the exe file, normally located at %APPDATA%..\\Local\\Roblox\\Versions\u003cversion\u003e\\RobloxPlayerBeta.exe. There are typically two folders, one for client, one for studio.\n* Report the approximate date/time/timezone of the most recent test of the issue\n* Please do NOT contact our customer support team or employees out of band to contest or escalate a report; all inquiries should happen on the report itself. 
Failure to follow this rule may result in a bounty not being paid out and repeat offenses can lead to removal from the bug bounty program\n \n#### Response Targets\nRoblox will endeavor to meet the following SLAs for hackers participating in our program:\n* Time to first response (from report submit): 3 business days\n* Time to triage (from report submit): 2-10 business days\n* Time to bounty (from triage): 20-40 business days\n* We’ll try to keep you informed about our progress throughout the process\n \n#### Disclosure Policy\nWhile we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited and will result in disqualification from the Bug Bounty Program and, if necessary, referral of your conduct to law enforcement:\n* Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other person without explicit Roblox authorization\n* Disclosing the contents of any submission to our program without explicit Roblox authorization\n* Accessing private information of any person stored on a Roblox product or service – You must use test accounts\n* Sharing or publishing Roblox user data\n* Accessing sensitive information (e.g. credentials)\n* Performing actions that may negatively affect Roblox or its users (e.g. Spam, Brute force, Denial of Service)\n* Conducting any kind of physical attack on Roblox personnel, property or data centers\n* Social engineering any Roblox help desk, employee or contractor\n* Exfiltrating data. 
Please test only the minimum necessary to validate a vulnerability (we can verify if data exfiltration would be possible from a vulnerability, and will reward with the impact in mind)\n* Violating any laws or regulations or breaching any agreements in order to discover vulnerabilities\n \n#### Out-of-scope Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) how easily/realistically exploitable the bug is (what’s the attack scenario?) and (2) what is the security impact of the bug? If a bug is not easily exploitable or does not have a significant security impact, it is less likely to qualify for a bounty or may have a lower pay out.  For example, low impact vulnerabilities on our word press sites such as blog.roblox.com or similar sites that are in scope, may be downrated in severity if the impact is lacking.\nThe following vulnerabilities typically will not qualify for Roblox’s program:\n* Vulnerabilities previously disclosed through the program or otherwise known to Roblox or to the public\n* User account hacks that require user interaction\n* Chat filter bugs\n* Missing autocomplete attributes\n* Missing flags on cookies that don’t house any sensitive information\n* SSL/TLS scan reports (this means output from sites such as SSL Labs) and SSL/TLS version related vulnerabilities\n* Missing security-related HTTP headers which do not lead directly to a vulnerability. Issues that only affect a smaller user base (e.g. users on outdated browsers or other outdated software).\n* Vulnerabilities that are used for volumetric DDoS/DoS/Spam attacks are out of scope. But the vulnerabilities in the Roblox data model, which can be used by exploiters specifically for crashing the game servers, is strongly encouraged to be reported.   
\n* Cross-site Request Forgery (CSRF) with minimal security implications (Login/logout/unauthenticated)\n* Version information disclosure (without verifying the presence of an actual exploitable vulnerability)\n* Password complexity related vulnerabilities\n* Unverified or incomplete \"Scanner output\" or scanner-generated reports\n* Vulnerabilities requiring physical access to the victim's unlocked device\n* Bugs requiring exceedingly unlikely user interaction\n* Disclosure of information already in public domain or information previously disclosed by Roblox\n* Disclosure of public information and information that does not present significant risk\n* Vulnerabilities that Roblox determines to be an accepted risk will not be eligible for a paid bounty\n* Language used in emails and policy documents\n* SPF, DKIM or DMARC issues on sub-domains of roblox.com\n* HTML injection vulnerabilities with no direct risk\n* Social engineering or following a link will not be considered for bounty\n* Self XSS or similar vulnerabilities\n* Vulnerabilities found on *.ra.roblox.com that do not affect release servers\n* Vulnerabilities from beta / early access that are not in a private hackerone bounty program may be out of scope, up to the discretion of Roblox. Unless otherwise stated, being invited to give feedback to a beta feature does not guarantee you will be paid bounties for said feedback.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-06T22:44:53.580Z"},{"id":3680221,"new_policy":"## Policy\n#### Our Mission\nRoblox is ushering in the next generation of entertainment, allowing kids of all ages to imagine, create, and play together in an immersive, user-generated 3D world. 
We call it the “Imagination Platform” and invite everyone to play on it.\nWe recognize the important role that our user community and a community of security researchers play in helping to keep Roblox and our community safe. If you think you’ve found a security issue on any of the scopes we have listed, please inform us via our program on HackerOne using the guidelines below. \nRoblox reserves the right to choose to address or not address any reported vulnerabilities.\n \n#### Program Rules\nTo participate in Roblox’s **security bug bounty program**, we request that you abide by the following rules. These are fairly standard requirements for most programs, but if you have any questions or feedback on these rules, please let us know at support@hackerone.com. (please do not submit bugs to this alias).\nRoblox reserves the right to modify the terms of this policy at any time.\n \n##### Handling Data\n* Your participation in the Roblox bug bounty program generally prohibits you from collecting, accessing, viewing, storing, altering or otherwise using data of Roblox users.\n* While testing, take measures to avoid accessing user data or affecting other users’ experiences. Please localize testing to your own test accounts wherever possible. If private user data is accessed during your security testing, please notify us immediately.\n* If you have found an issue that may require touching other users’ data to verify, please contact us first for guidance on how to safely test for such issues.\n*  In exceptional cases in which data of Roblox users is accessed and used for the security testing please restrict the data use to the extent that is crucially necessary to conduct proper security testing. 
This particularly means that you only use user data of very few Roblox users and that you limit the amount of the specific user data to the scope that is necessary for the specific testing measure.\n* In case of accessing user data for testing purposes, please ensure to take measures to prevent unauthorized access, alteration or deletion of the user data. You may not use the user data for any purposes other than participating in the Roblox bug bounty program and conducting the security testing.\n* You may not use the user data accessed during the security testing to contact Roblox users for any reason; including informing them about the security testing.\n* After completing the testing, you must delete any user data from your systems irrevocably. We reserve the right to demand proof of proper deletion.\n* You must refrain from sharing user data with others or publish user data.\n* A violation of these data protection obligations may lead to exclusion from the bug bounty program. In the event of infringement, Roblox reserves the right to reclaim already awarded bounties. Infringing data protection laws, including the European General Data Protection Regulation (GDPR), can result in substantial fines and/or users may be entitled to damages.\n \n##### Testing\n* If you are aware that your attacks may harm the reliability or integrity of our services or data, stop immediately and contact us\n* Vulnerabilities found through DDoS/spam attacks are not allowed\n* Never attempt non-technical attacks such as social engineering (e.g. 
phishing, vishing, smishing) or physical attacks against our employees, users, or infrastructure\n* Recently disclosed 0-day vulnerabilities are not eligible, unless you have a working poc exploit.\n* Follow HackerOne’s disclosure guidelines\n* When testing, please include the string \"hackeronetest-\u003cyour-roblox-userid\u003e\" at the end of your user agent so we can more easily identify traffic that is coming from the bug bounty program.\n* For any report involving the Roblox Client or Roblox Studio, include the version\n* In Studio, click File \u003e About Roblox Studio\n* For client, the version is shown in the properties of the exe file, normally located at %APPDATA%..\\Local\\Roblox\\Versions\u003cversion\u003e\\RobloxPlayerBeta.exe. There are typically two folders, one for client, one for studio.\n* Report the approximate date/time/timezone of the most recent test of the issue\n* Please do NOT contact our customer support team or employees out of band to contest or escalate a report; all inquiries should happen on the report itself. 
Failure to follow this rule may result in a bounty not being paid out and repeat offenses can lead to removal from the bug bounty program\n \n#### Response Targets\nRoblox will endeavor to meet the following SLAs for hackers participating in our program:\n* Time to first response (from report submit): 3 business days\n* Time to triage (from report submit): 2-10 business days\n* Time to bounty (from triage): 20-40 business days\n* We’ll try to keep you informed about our progress throughout the process\n \n#### Disclosure Policy\nWhile we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited and will result in disqualification from the Bug Bounty Program and, if necessary, referral of your conduct to law enforcement:\n* Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other person without explicit Roblox authorization\n* Disclosing the contents of any submission to our program without explicit Roblox authorization\n* Accessing private information of any person stored on a Roblox product or service – You must use test accounts\n* Sharing or publishing Roblox user data\n* Accessing sensitive information (e.g. credentials)\n* Performing actions that may negatively affect Roblox or its users (e.g. Spam, Brute force, Denial of Service)\n* Conducting any kind of physical attack on Roblox personnel, property or data centers\n* Social engineering any Roblox help desk, employee or contractor\n* Exfiltrating data. 
Please test only the minimum necessary to validate a vulnerability (we can verify if data exfiltration would be possible from a vulnerability, and will reward with the impact in mind)\n* Violating any laws or regulations or breaching any agreements in order to discover vulnerabilities\n \n#### Out-of-scope Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) how easily/realistically exploitable the bug is (what’s the attack scenario?) and (2) what is the security impact of the bug? If a bug is not easily exploitable or does not have a significant security impact, it is less likely to qualify for a bounty or may have a lower pay out.  For example, low impact vulnerabilities on our word press sites such as blog.roblox.com or similar sites that are in scope, may be downrated in severity if the impact is lacking.\nThe following vulnerabilities typically will not qualify for Roblox’s program:\n* Vulnerabilities previously disclosed through the program or otherwise known to Roblox or to the public\n* User account hacks that require user interaction\n* Chat filter bugs\n* Missing autocomplete attributes\n* Missing flags on cookies that don’t house any sensitive information\n* SSL/TLS scan reports (this means output from sites such as SSL Labs) and SSL/TLS version related vulnerabilities\n* Missing security-related HTTP headers which do not lead directly to a vulnerability. Issues that only affect a smaller user base (e.g. users on outdated browsers or other outdated software).\n* Vulnerabilities that are used for volumetric DDoS/DoS/Spam attacks are out of scope. But the vulnerabilities in the Roblox data model, which can be used by exploiters specifically for crashing the game servers, is strongly encouraged to be reported.   
\n* Cross-site Request Forgery (CSRF) with minimal security implications (Login/logout/unauthenticated)\n* Version information disclosure (without verifying the presence of an actual exploitable vulnerability)\n* Password complexity related vulnerabilities\n* Unverified or incomplete \"Scanner output\" or scanner-generated reports\n* Vulnerabilities requiring physical access to the victim's unlocked device\n* Bugs requiring exceedingly unlikely user interaction\n* Disclosure of information already in public domain or information previously disclosed by Roblox\n* Disclosure of public information and information that does not present significant risk\n* Vulnerabilities that Roblox determines to be an accepted risk will not be eligible for a paid bounty\n* Language used in emails and policy documents\n* SPF, DKIM or DMARC issues on sub-domains of roblox.com\n* HTML injection vulnerabilities with no direct risk\n* Social engineering or following a link will not be considered for bounty\n* Self XSS or similar vulnerabilities\n* Vulnerabilities found on *.ra.roblox.com that do not affect release servers\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-11-22T18:11:12.923Z"},{"id":3679618,"new_policy":"## Policy\n#### Our Mission\nRoblox is ushering in the next generation of entertainment, allowing kids of all ages to imagine, create, and play together in an immersive, user-generated 3D world. We call it the “Imagination Platform” and invite everyone to play on it.\nWe recognize the important role that our user community and a community of security researchers play in helping to keep Roblox and our community safe. 
If you think you’ve found a security issue on any of the scopes we have listed, please inform us via our program on HackerOne using the guidelines below. \nRoblox reserves the right to choose to address or not address any reported vulnerabilities.\n \n#### Program Rules\nTo participate in Roblox’s **security bug bounty program**, we request that you abide by the following rules. These are fairly standard requirements for most programs, but if you have any questions or feedback on these rules, please let us know at support@hackerone.com. (please do not submit bugs to this alias).\nRoblox reserves the right to modify the terms of this policy at any time.\n \n##### Handling Data\n* Your participation in the Roblox bug bounty program generally prohibits you from collecting, accessing, viewing, storing, altering or otherwise using data of Roblox users.\n* While testing, take measures to avoid accessing user data or affecting other users’ experiences. Please localize testing to your own test accounts wherever possible. If private user data is accessed during your security testing, please notify us immediately.\n* If you have found an issue that may require touching other users’ data to verify, please contact us first for guidance on how to safely test for such issues.\n*  In exceptional cases in which data of Roblox users is accessed and used for the security testing please restrict the data use to the extent that is crucially necessary to conduct proper security testing. This particularly means that you only use user data of very few Roblox users and that you limit the amount of the specific user data to the scope that is necessary for the specific testing measure.\n* In case of accessing user data for testing purposes, please ensure to take measures to prevent unauthorized access, alteration or deletion of the user data. 
You may not use the user data for any purposes other than participating in the Roblox bug bounty program and conducting the security testing.\n* You may not use the user data accessed during the security testing to contact Roblox users for any reason; including informing them about the security testing.\n* After completing the testing, you must delete any user data from your systems irrevocably. We reserve the right to demand proof of proper deletion.\n* You must refrain from sharing user data with others or publish user data.\n* A violation of these data protection obligations may lead to exclusion from the bug bounty program. In the event of infringement, Roblox reserves the right to reclaim already awarded bounties. Infringing data protection laws, including the European General Data Protection Regulation (GDPR), can result in substantial fines and/or users may be entitled to damages.\n \n##### Testing\n* If you are aware that your attacks may harm the reliability or integrity of our services or data, stop immediately and contact us\n* Vulnerabilities found through DDoS/spam attacks are not allowed\n* Never attempt non-technical attacks such as social engineering (e.g. phishing, vishing, smishing) or physical attacks against our employees, users, or infrastructure\n* Recently disclosed 0-day vulnerabilities are not eligible, unless you have a working poc exploit.\n* Follow HackerOne’s disclosure guidelines\n* When testing, please include the string \"hackeronetest-\u003cyour-roblox-userid\u003e\" at the end of your user agent so we can more easily identify traffic that is coming from the bug bounty program.\n* For any report involving the Roblox Client or Roblox Studio, include the version\n* In Studio, click File \u003e About Roblox Studio\n* For client, the version is shown in the properties of the exe file, normally located at %APPDATA%..\\Local\\Roblox\\Versions\u003cversion\u003e\\RobloxPlayerBeta.exe. 
There are typically two folders, one for client, one for studio.\n* Report the approximate date/time/timezone of the most recent test of the issue\n* Please do NOT contact our customer support team or employees out of band to contest or escalate a report; all inquiries should happen on the report itself. Failure to follow this rule may result in a bounty not being paid out and repeat offenses can lead to removal from the bug bounty program\n \n#### Response Targets\nRoblox will endeavor to meet the following SLAs for hackers participating in our program:\n* Time to first response (from report submit): 2 business days\n* Time to triage (from report submit): 2-10 business days\n* Time to bounty (from triage): 10-20 business days\n* We’ll try to keep you informed about our progress throughout the process\n \n#### Disclosure Policy\nWhile we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited and will result in disqualification from the Bug Bounty Program and, if necessary, referral of your conduct to law enforcement:\n* Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other person without explicit Roblox authorization\n* Disclosing the contents of any submission to our program without explicit Roblox authorization\n* Accessing private information of any person stored on a Roblox product or service – You must use test accounts\n* Sharing or publishing Roblox user data\n* Accessing sensitive information (e.g. credentials)\n* Performing actions that may negatively affect Roblox or its users (e.g. Spam, Brute force, Denial of Service)\n* Conducting any kind of physical attack on Roblox personnel, property or data centers\n* Social engineering any Roblox help desk, employee or contractor\n* Exfiltrating data. 
Please test only the minimum necessary to validate a vulnerability (we can verify if data exfiltration would be possible from a vulnerability, and will reward with the impact in mind)\n* Violating any laws or regulations or breaching any agreements in order to discover vulnerabilities\n \n#### Out-of-scope Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) how easily/realistically exploitable the bug is (what’s the attack scenario?) and (2) what is the security impact of the bug? If a bug is not easily exploitable or does not have a significant security impact, it is less likely to qualify for a bounty or may have a lower payout. For example, low-impact vulnerabilities on our WordPress sites such as blog.roblox.com or similar sites that are in scope may be downrated in severity if the impact is lacking.\nThe following vulnerabilities typically will not qualify for Roblox’s program:\n* Vulnerabilities previously disclosed through the program or otherwise known to Roblox or to the public\n* User account hacks that require user interaction\n* Chat filter bugs\n* Missing autocomplete attributes\n* Missing flags on cookies that don’t house any sensitive information\n* SSL/TLS scan reports (this means output from sites such as SSL Labs) and SSL/TLS version related vulnerabilities\n* Missing security-related HTTP headers which do not lead directly to a vulnerability. Issues that only affect a smaller user base (e.g. users on outdated browsers or other outdated software).\n* Vulnerabilities that are used for volumetric DDoS/DoS/Spam attacks are out of scope. However, vulnerabilities in the Roblox data model that can be used by exploiters specifically to crash game servers are strongly encouraged to be reported.   
\n* Cross-site Request Forgery (CSRF) with minimal security implications (Login/logout/unauthenticated)\n* Version information disclosure (without verifying the presence of an actual exploitable vulnerability)\n* Password complexity related vulnerabilities\n* Unverified or incomplete \"Scanner output\" or scanner-generated reports\n* Vulnerabilities requiring physical access to the victim's unlocked device\n* Bugs requiring exceedingly unlikely user interaction\n* Disclosure of information already in public domain or information previously disclosed by Roblox\n* Disclosure of public information and information that does not present significant risk\n* Vulnerabilities that Roblox determines to be an accepted risk will not be eligible for a paid bounty\n* Language used in emails and policy documents\n* SPF, DKIM or DMARC issues on sub-domains of roblox.com\n* HTML injection vulnerabilities with no direct risk\n* Social engineering or following a link will not be considered for bounty\n* Self XSS or similar vulnerabilities\n* Vulnerabilities found on *.ra.roblox.com that do not affect release servers\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-11-07T20:16:18.183Z"},{"id":3679617,"new_policy":"## Policy\n#### Our Mission\nRoblox is ushering in the next generation of entertainment, allowing kids of all ages to imagine, create, and play together in an immersive, user-generated 3D world. We call it the “Imagination Platform” and invite everyone to play on it.\nWe recognize the important role that our user community and a community of security researchers play in helping to keep Roblox and our community safe. 
If you think you’ve found a security issue on any of the scopes we have listed, please inform us via our program on HackerOne using the guidelines below. \nRoblox reserves the right to choose to address or not address any reported vulnerabilities.\n \n#### Program Rules\nTo participate in Roblox’s **security bug bounty program**, we request that you abide by the following rules. These are fairly standard requirements for most programs, but if you have any questions or feedback on these rules, please let us know at support@hackerone.com (please do not submit bugs to this alias).\nRoblox reserves the right to modify the terms of this policy at any time.\n \n##### Handling Data\n* Your participation in the Roblox bug bounty program generally prohibits you from collecting, accessing, viewing, storing, altering or otherwise using data of Roblox users.\n* While testing, take measures to avoid accessing user data or affecting other users’ experiences. Please localize testing to your own test accounts wherever possible. If private user data is accessed during your security testing, please notify us immediately.\n* If you have found an issue that may require touching other users’ data to verify, please contact us first for guidance on how to safely test for such issues.\n* In exceptional cases in which data of Roblox users is accessed and used for the security testing, please restrict the data use to the extent that is crucially necessary to conduct proper security testing. This particularly means that you only use user data of very few Roblox users and that you limit the amount of the specific user data to the scope that is necessary for the specific testing measure.\n* In case of accessing user data for testing purposes, please ensure that you take measures to prevent unauthorized access, alteration or deletion of the user data. 
You may not use the user data for any purposes other than participating in the Roblox bug bounty program and conducting the security testing.\n* You may not use the user data accessed during the security testing to contact Roblox users for any reason, including informing them about the security testing.\n* After completing the testing, you must delete any user data from your systems irrevocably. We reserve the right to demand proof of proper deletion.\n* You must refrain from sharing user data with others or publishing user data.\n* A violation of these data protection obligations may lead to exclusion from the bug bounty program. In the event of infringement, Roblox reserves the right to reclaim already awarded bounties. Infringing data protection laws, including the European General Data Protection Regulation (GDPR), can result in substantial fines and/or users may be entitled to damages.\n \n##### Testing\n* If you are aware that your attacks may harm the reliability or integrity of our services or data, stop immediately and contact us\n* Vulnerabilities found through DDoS/spam attacks are not allowed\n* Never attempt non-technical attacks such as social engineering (e.g. phishing, vishing, smishing) or physical attacks against our employees, users, or infrastructure\n* Recently disclosed 0-day vulnerabilities are not eligible, unless you have a working PoC exploit.\n* Follow HackerOne’s disclosure guidelines\n* When testing, please include the string \"hackeronetest-\u003cyour-roblox-userid\u003e\" at the end of your user agent so we can more easily identify traffic that is coming from the bug bounty program.\n* For any report involving the Roblox Client or Roblox Studio, include the version\n* In Studio, click File \u003e About Roblox Studio\n* For client, the version is shown in the properties of the exe file, normally located at %APPDATA%..\\Local\\Roblox\\Versions\u003cversion\u003e\\RobloxPlayerBeta.exe. 
There are typically two folders, one for client, one for studio.\n* Report the approximate date/time/timezone of the most recent test of the issue\n* Please do NOT contact our customer support team or employees out of band to contest or escalate a report; all inquiries should happen on the report itself. Failure to follow this rule may result in a bounty not being paid out and repeat offenses can lead to removal from the bug bounty program\n \n#### Response Targets\nRoblox will endeavor to meet the following SLAs for hackers participating in our program:\n* Time to first response (from report submit): 2 business days\n* Time to triage (from report submit): 2-10 business days\n* Time to bounty (from triage): 10-20 business days\n* We’ll try to keep you informed about our progress throughout the process\n \n#### Disclosure Policy\nWhile we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited and will result in disqualification from the Bug Bounty Program and, if necessary, referral of your conduct to law enforcement:\n* Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other person without explicit Roblox authorization\n* Disclosing the contents of any submission to our program without explicit Roblox authorization\n* Accessing private information of any person stored on a Roblox product or service – You must use test accounts\n* Sharing or publishing Roblox user data\n* Accessing sensitive information (e.g. credentials)\n* Performing actions that may negatively affect Roblox or its users (e.g. Spam, Brute force, Denial of Service)\n* Conducting any kind of physical attack on Roblox personnel, property or data centers\n* Social engineering any Roblox help desk, employee or contractor\n* Exfiltrating data. 
Please test only the minimum necessary to validate a vulnerability (we can verify if data exfiltration would be possible from a vulnerability, and will reward with the impact in mind)\n* Violating any laws or regulations or breaching any agreements in order to discover vulnerabilities\n \n#### Out-of-scope Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) how easily/realistically exploitable the bug is (what’s the attack scenario?) and (2) what is the security impact of the bug? If a bug is not easily exploitable or does not have a significant security impact, it is less likely to qualify for a bounty or may have a lower payout. For example, low-impact vulnerabilities on our WordPress sites such as blog.roblox.com or similar sites that are in scope may be downrated in severity if the impact is lacking.\nThe following vulnerabilities typically will not qualify for Roblox’s program:\n* Vulnerabilities previously disclosed through the program or otherwise known to Roblox or to the public\n* User account hacks that require user interaction\n* Chat filter bugs\n* Missing autocomplete attributes\n* Missing flags on cookies that don’t house any sensitive information\n* SSL/TLS scan reports (this means output from sites such as SSL Labs) and SSL/TLS version related vulnerabilities\n* Missing security-related HTTP headers which do not lead directly to a vulnerability. Issues that only affect a smaller user base (e.g. users on outdated browsers or other outdated software).\n* Vulnerabilities that are used for volumetric DDoS/DoS/Spam attacks are out of scope. However, vulnerabilities in the Roblox data model that can be used by exploiters specifically to crash game servers are strongly encouraged to be reported.   
\n* Cross-site Request Forgery (CSRF) with minimal security implications (Login/logout/unauthenticated)\n* Version information disclosure (without verifying the presence of an actual exploitable vulnerability)\n* Password complexity related vulnerabilities\n* Unverified or incomplete \"Scanner output\" or scanner-generated reports\n* Vulnerabilities requiring physical access to the victim's unlocked device\n* Bugs requiring exceedingly unlikely user interaction\n* Disclosure of information already in public domain or information previously disclosed by Roblox\n* Disclosure of public information and information that does not present significant risk\n* Vulnerabilities that Roblox determines to be an accepted risk will not be eligible for a paid bounty\n* Language used in emails and policy documents\n* SPF, DKIM or DMARC issues on sub-domains of roblox.com\n* HTML injection vulnerabilities with no direct risk\n* Social engineering or following a link will not be considered for bounty\n* Self XSS or similar vulnerabilities\n* Vulnerabilities found on *.ra.roblox.com that do not affect release servers\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-11-07T20:15:34.566Z"},{"id":3649424,"new_policy":"## Policy\n#### Our Mission\nRoblox is ushering in the next generation of entertainment, allowing kids of all ages to imagine, create, and play together in an immersive, user-generated 3D world. We call it the “Imagination Platform” and invite everyone to play on it.\nWe recognize the important role that our user community and a community of security researchers play in helping to keep Roblox and our community safe. 
If you think you’ve found a security issue on any of the scopes we have listed, please inform us via our program on HackerOne using the guidelines below. \nRoblox reserves the right to choose to address or not address any reported vulnerabilities.\n \n#### Program Rules\nTo participate in Roblox’s **security bug bounty program**, we request that you abide by the following rules. These are fairly standard requirements for most programs, but if you have any questions or feedback on these rules, please let us know at support@hackerone.com (please do not submit bugs to this alias).\nRoblox reserves the right to modify the terms of this policy at any time.\n \n##### Handling Data\n* Your participation in the Roblox bug bounty program generally prohibits you from collecting, accessing, viewing, storing, altering or otherwise using data of Roblox users.\n* While testing, take measures to avoid accessing user data or affecting other users’ experiences. Please localize testing to your own test accounts wherever possible. If private user data is accessed during your security testing, please notify us immediately.\n* If you have found an issue that may require touching other users’ data to verify, please contact us first for guidance on how to safely test for such issues.\n* In exceptional cases in which data of Roblox users is accessed and used for the security testing, please restrict the data use to the extent that is crucially necessary to conduct proper security testing. This particularly means that you only use user data of very few Roblox users and that you limit the amount of the specific user data to the scope that is necessary for the specific testing measure.\n* In case of accessing user data for testing purposes, please ensure that you take measures to prevent unauthorized access, alteration or deletion of the user data. 
You may not use the user data for any purposes other than participating in the Roblox bug bounty program and conducting the security testing.\n* You may not use the user data accessed during the security testing to contact Roblox users for any reason, including informing them about the security testing.\n* After completing the testing, you must delete any user data from your systems irrevocably. We reserve the right to demand proof of proper deletion.\n* You must refrain from sharing user data with others or publishing user data.\n* A violation of these data protection obligations may lead to exclusion from the bug bounty program. In the event of infringement, Roblox reserves the right to reclaim already awarded bounties. Infringing data protection laws, including the European General Data Protection Regulation (GDPR), can result in substantial fines and/or users may be entitled to damages.\n \n##### Testing\n* If you are aware that your attacks may harm the reliability or integrity of our services or data, stop immediately and contact us\n* Vulnerabilities found through DDoS/spam attacks are not allowed\n* Never attempt non-technical attacks such as social engineering (e.g. phishing, vishing, smishing) or physical attacks against our employees, users, or infrastructure\n* Recently disclosed 0-day vulnerabilities are not eligible, unless you have a working PoC exploit.\n* Follow HackerOne’s disclosure guidelines\n* When testing, please include the string \"hackeronetest-\u003cyour-roblox-userid\u003e\" at the end of your user agent so we can more easily identify traffic that is coming from the bug bounty program.\n* For any report involving the Roblox Client or Roblox Studio, include the version\n* In Studio, click File \u003e About Roblox Studio\n* For client, the version is shown in the properties of the exe file, normally located at %APPDATA%..\\Local\\Roblox\\Versions\u003cversion\u003e\\RobloxPlayerBeta.exe. 
There are typically two folders, one for client, one for studio.\n* Report the approximate date/time/timezone of the most recent test of the issue\n* Please do NOT contact our customer support team or employees out of band to contest or escalate a report; all inquiries should happen on the report itself. Failure to follow this rule may result in a bounty not being paid out and repeat offenses can lead to removal from the bug bounty program\n \n#### Response Targets\nRoblox will endeavor to meet the following SLAs for hackers participating in our program:\n* Time to first response (from report submit): 2 business days\n* Time to triage (from report submit): 2-10 business days\n* Time to bounty (from triage): 10-20 business days\n* We’ll try to keep you informed about our progress throughout the process\n \n#### Disclosure Policy\nWhile we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited and will result in disqualification from the Bug Bounty Program and, if necessary, referral of your conduct to law enforcement:\n* Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other person without explicit Roblox authorization\n* Disclosing the contents of any submission to our program without explicit Roblox authorization\n* Accessing private information of any person stored on a Roblox product or service – You must use test accounts\n* Sharing or publishing Roblox user data\n* Accessing sensitive information (e.g. credentials)\n* Performing actions that may negatively affect Roblox or its users (e.g. Spam, Brute force, Denial of Service)\n* Conducting any kind of physical attack on Roblox personnel, property or data centers\n* Social engineering any Roblox help desk, employee or contractor\n* Exfiltrating data. 
Please test only the minimum necessary to validate a vulnerability (we can verify if data exfiltration would be possible from a vulnerability, and will reward with the impact in mind)\n* Violating any laws or regulations or breaching any agreements in order to discover vulnerabilities\n \n#### Out-of-scope Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) how easily/realistically exploitable the bug is (what’s the attack scenario?) and (2) what is the security impact of the bug? If a bug is not easily exploitable or does not have a significant security impact, it is less likely to qualify for a bounty.  \nThe following vulnerabilities typically will not qualify for Roblox’s program:\n* Vulnerabilities previously disclosed through the program or otherwise known to Roblox or to the public\n* User account hacks that require user interaction\n* Chat filter bugs\n* Missing autocomplete attributes\n* Missing flags on cookies that don’t house any sensitive information\n* SSL/TLS scan reports (this means output from sites such as SSL Labs) and SSL/TLS version related vulnerabilities\n* Missing security-related HTTP headers which do not lead directly to a vulnerability. Issues that only affect a smaller user base (e.g. users on outdated browsers or other outdated software).\n* Vulnerabilities that are used for volumetric DDoS/DoS/Spam attacks are out of scope. However, vulnerabilities in the Roblox data model that can be used by exploiters specifically to crash game servers are strongly encouraged to be reported.   
\n* Cross-site Request Forgery (CSRF) with minimal security implications (Login/logout/unauthenticated)\n* Version information disclosure (without verifying the presence of an actual exploitable vulnerability)\n* Password complexity related vulnerabilities\n* Unverified or incomplete \"Scanner output\" or scanner-generated reports\n* Vulnerabilities requiring physical access to the victim's unlocked device\n* Bugs requiring exceedingly unlikely user interaction\n* Disclosure of information already in public domain or information previously disclosed by Roblox\n* Disclosure of public information and information that does not present significant risk\n* Vulnerabilities that Roblox determines to be an accepted risk will not be eligible for a paid bounty\n* Language used in emails and policy documents\n* SPF, DKIM or DMARC issues on sub-domains of roblox.com\n* HTML injection vulnerabilities with no direct risk\n* Social engineering or following a link will not be considered for bounty\n* Self XSS or similar vulnerabilities\n* Vulnerabilities found on *.ra.roblox.com that do not affect release servers\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-03T17:40:15.056Z"},{"id":3633959,"new_policy":"## Policy\n#### Our Mission\nRoblox is ushering in the next generation of entertainment, allowing kids of all ages to imagine, create, and play together in an immersive, user-generated 3D world. We call it the “Imagination Platform” and invite everyone to play on it.\nWe recognize the important role that our user community and a community of security researchers play in helping to keep Roblox and our community safe. 
If you think you’ve found a security issue on any of the scopes we have listed, please inform us via our program on HackerOne using the guidelines below. \nRoblox reserves the right to choose to address or not address any reported vulnerabilities.\n \n#### Program Rules\nTo participate in Roblox’s **security bug bounty program**, we request that you abide by the following rules. These are fairly standard requirements for most programs, but if you have any questions or feedback on these rules, please let us know at support@hackerone.com (please do not submit bugs to this alias).\nRoblox reserves the right to modify the terms of this policy at any time.\n \n##### Handling Data\n* Your participation in the Roblox bug bounty program generally prohibits you from collecting, accessing, viewing, storing, altering or otherwise using data of Roblox users.\n* While testing, take measures to avoid accessing user data or affecting other users’ experiences. Please localize testing to your own test accounts wherever possible. If private user data is accessed during your security testing, please notify us immediately.\n* If you have found an issue that may require touching other users’ data to verify, please contact us first for guidance on how to safely test for such issues.\n* In exceptional cases in which data of Roblox users is accessed and used for the security testing, please restrict the data use to the extent that is crucially necessary to conduct proper security testing. This particularly means that you only use user data of very few Roblox users and that you limit the amount of the specific user data to the scope that is necessary for the specific testing measure.\n* In case of accessing user data for testing purposes, please ensure that you take measures to prevent unauthorized access, alteration or deletion of the user data. 
You may not use the user data for any purposes other than participating in the Roblox bug bounty program and conducting the security testing.\n* You may not use the user data accessed during the security testing to contact Roblox users for any reason, including informing them about the security testing.\n* After completing the testing, you must delete any user data from your systems irrevocably. We reserve the right to demand proof of proper deletion.\n* You must refrain from sharing user data with others or publishing user data.\n* A violation of these data protection obligations may lead to exclusion from the bug bounty program. In the event of infringement, Roblox reserves the right to reclaim already awarded bounties. Infringing data protection laws, including the European General Data Protection Regulation (GDPR), can result in substantial fines and/or users may be entitled to damages.\n \n##### Testing\n* If you are aware that your attacks may harm the reliability or integrity of our services or data, stop immediately and contact us\n* Vulnerabilities found through DDoS/spam attacks are not allowed\n* Never attempt non-technical attacks such as social engineering (e.g. phishing, vishing, smishing) or physical attacks against our employees, users, or infrastructure\n* Recently disclosed 0-day vulnerabilities are not eligible, unless you have a working PoC exploit.\n* Follow HackerOne’s disclosure guidelines\n* When testing, please include the string \"hackeronetest-\u003cyour-roblox-id\u003e\" at the end of your user agent so we can more easily identify traffic that is coming from the bug bounty program.\n* For any report involving the Roblox Client or Roblox Studio, include the version\n* In Studio, click File \u003e About Roblox Studio\n* For client, the version is shown in the properties of the exe file, normally located at %APPDATA%..\\Local\\Roblox\\Versions\u003cversion\u003e\\RobloxPlayerBeta.exe. 
There are typically two folders, one for client, one for studio.\n* Report the approximate date/time/timezone of the most recent test of the issue\n* Please do NOT contact our customer support team or employees out of band to contest or escalate a report; all inquiries should happen on the report itself. Failure to follow this rule may result in a bounty not being paid out and repeat offenses can lead to removal from the bug bounty program\n \n#### Response Targets\nRoblox will make a best effort to meet the following SLAs for hackers participating in our program:\n* Time to first response (from report submit): 2 business days\n* Time to triage (from report submit): 2-10 business days\n* Time to bounty (from triage): 10-20 business days\n* We’ll try to keep you informed about our progress throughout the process\n \n#### Disclosure Policy\nWhile we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited and will result in disqualification from the Bug Bounty Program and, if necessary, referral of your conduct to law enforcement:\n* Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other person without explicit Roblox authorization\n* Disclosing the contents of any submission to our program without explicit Roblox authorization\n* Accessing private information of any person stored on a Roblox product or service – You must use test accounts\n* Sharing or publishing Roblox user data\n* Accessing sensitive information (e.g. credentials)\n* Performing actions that may negatively affect Roblox or its users (e.g. Spam, Brute force, Denial of Service)\n* Conducting any kind of physical attack on Roblox personnel, property or data centers\n* Social engineering any Roblox help desk, employee or contractor\n* Exfiltrating data. 
Please test only the minimum necessary to validate a vulnerability (we can verify if data exfiltration would be possible from a vulnerability, and will reward with the impact in mind)\n* Violating any laws or breaching any agreements in order to discover vulnerabilities\n \n#### Out-of-scope Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) how easily/realistically exploitable the bug is (what’s the attack scenario?) and (2) what is the security impact of the bug? If a bug is not easily exploitable or does not have a significant security impact, it is less likely to qualify for a bounty.  \nThe following vulnerabilities typically will not qualify for Roblox’s program:\n* Vulnerabilities previously disclosed through the program or otherwise known to Roblox or to the public\n* User account hacks that require user interaction\n* Chat filter bugs\n* Missing autocomplete attributes\n* Missing flags on cookies that don’t house any sensitive information\n* SSL/TLS scan reports (this means output from sites such as SSL Labs) and SSL/TLS version related vulnerabilities\n* Missing security-related HTTP headers which do not lead directly to a vulnerability. Issues that only affect a smaller user base (e.g. 
users on outdated browsers or other outdated software).\n* Denial of Service vulnerabilities (DoS)\n* Cross-site Request Forgery (CSRF) with minimal security implications (Login/logout/unauthenticated)\n* Version information disclosure (without verifying the presence of an actual exploitable vulnerability)\n* Password complexity related vulnerabilities\n* Unverified or incomplete \"Scanner output\" or scanner-generated reports\n* Vulnerabilities requiring physical access to the victim's unlocked device\n* Bugs requiring exceedingly unlikely user interaction\n* Disclosure of information already in public domain or information previously disclosed by Roblox\n* Disclosure of public information and information that does not present significant risk\n* Vulnerabilities that Roblox determines to be an accepted risk will not be eligible for a paid bounty\n* Language used in emails and policy documents\n* SPF, DKIM or DMARC issues on sub-domains of roblox.com\n* HTML injection vulnerabilities with no direct risk\n* Social engineering or following a link will not be considered for bounty\n* Self XSS or similar vulnerabilities\n* Vulnerabilities found on *.ra.roblox.com that do not affect release servers\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-25T23:04:56.841Z"},{"id":3629792,"new_policy":"## Policy\n#### Our Mission\nRoblox is ushering in the next generation of entertainment, allowing kids of all ages to imagine, create, and play together in an immersive, user-generated 3D world. We call it the “Imagination Platform” and invite everyone to play on it.\nWe recognize the important role that our user community and a community of security researchers play in helping to keep Roblox and our community safe. 
If you think you’ve found a security issue on any of the scopes we have listed, please inform us via our program on HackerOne using the guidelines below.\n \n#### Program Rules\nTo participate in Roblox’s **security bug bounty program**, we request that you abide by the following rules. These are fairly standard requirements for most programs, but if you have any questions or feedback on these rules, please let us know at support@hackerone.com (please do not submit bugs to this alias).\n \n##### Handling Data\n* Your participation in the Roblox bug bounty program generally prohibits you from collecting, accessing, viewing, storing, altering or otherwise using data of Roblox users.\n* While testing, take measures to avoid accessing user data or affecting other users’ experiences. Please localize testing to your own test accounts wherever possible. If private user data is accessed during your security testing, please notify us immediately.\n* If you have found an issue that may require touching other users’ data to verify, please contact us first for guidance on how to safely test for such issues.\n* In exceptional cases in which data of Roblox users is accessed and used for the security testing, please restrict the data use to the extent that is crucially necessary to conduct proper security testing. This particularly means that you only use user data of very few Roblox users and that you limit the amount of the specific user data to the scope that is necessary for the specific testing measure.\n* In case of accessing user data for testing purposes, please ensure that you take measures to prevent unauthorized access, alteration or deletion of the user data. 
You may not use the user data for any purposes other than participating in the Roblox bug bounty program and conducting the security testing.\n* You may not use the user data accessed during the security testing to contact Roblox users for any reason; including informing them about the security testing.\n* After completing the testing, you must delete any user data from your systems irrevocably. We reserve the right to demand proof of proper deletion.\n* You must refrain from sharing user data with others or publish user data.\n* A violation of these data protection obligations may lead to exclusion from the bug bounty program. In the event of infringement, Roblox reserves the right to reclaim already awarded bounties. Infringing data protection laws, including the European General Data Protection Regulation (GDPR), can result in substantial fines and/or users may be entitled to damages.\n \n##### Testing\n* If you are aware that your attacks may harm the reliability or integrity of our services or data, stop immediately and contact us\n* Vulnerabilities found through DDoS/spam attacks are not allowed\n* Never attempt non-technical attacks such as social engineering (e.g. phishing, vishing, smishing) or physical attacks against our employees, users, or infrastructure\n* Recently disclosed 0day vulnerabilities are not eligible, unless you have a working poc exploit.\n* Follow HackerOne’s disclosure guidelines\n* When testing, please include the string \"hackeronetest-\u003cyour-roblox-id\u003e\" at the end of your user agent so we can more easily identify traffic that is coming from the bug bounty program.\n* For any report involving the Roblox Client or Roblox Studio, include the version\n* In Studio, click File \u003e About Roblox Studio\n* For client, the version is shown in the properties of the exe file, normally located at %APPDATA%..\\Local\\Roblox\\Versions\u003cversion\u003e\\RobloxPlayerBeta.exe. 
There are typically two folders, one for client, one for studio.\n* Report the approximate date/time/timezone of the most recent test of the issue\n* Please do NOT contact our customer support team or employees out of band to contest or escalate a report; all inquiries should happen on the report itself. Failure to follow this rule may result in a bounty not being paid out and repeat offenses can lead to removal from the bug bounty program\n \n#### Response Targets\nRoblox will make a best effort to meet the following SLAs for hackers participating in our program:\n* Time to first response (from report submit): 2 business days\n* Time to triage (from report submit): 2-10 business days\n* Time to bounty (from triage): 10-20 business days\n* We’ll try to keep you informed about our progress throughout the process\n \n#### Disclosure Policy\nWhile we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited and will result in disqualification from the Bug Bounty Program:\n* Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other person without explicit Roblox authorization\n* Disclosing the contents of any submission to our program without explicit Roblox authorization\n* Accessing private information of any person stored on a Roblox product or service – You must use test accounts\n* Sharing or publishing Roblox user data\n* Accessing sensitive information (eg. credentials)\n* Performing actions that may negatively affect Roblox or its users (e.g. Spam, Brute force, Denial of Service)\n* Conducting any kind of physical attack on Roblox personnel, property or data centers\n* Social engineering any Roblox help desk, employee or contractor\n* Exfiltrating data. 
Please test only the minimum necessary to validate a vulnerability (we can verify if data exfiltration would be possible from a vulnerability, and will reward with the impact in mind)\n* Violating any laws or breaching any agreements in order to discover vulnerabilities\n \n#### Out-of-scope Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) how easily/realistically exploitable the bug is (what’s the attack scenario?) and (2) what is the security impact of the bug? If a bug is not easily exploitable or does not have a significant security impact, it is less likely to qualify for a bounty.  \nThe following vulnerabilities typically will not qualify for Roblox’s program:\n* User account hacks that require user interaction\n* Chat filter bugs\n* Missing autocomplete attributes\n* Missing flags on cookies that don’t house any sensitive information\n* SSL/TLS scan reports (this means output from sites such as SSL Labs) and SSL/TLS version related vulnerabilities\n* Missing security-related HTTP headers which do not lead directly to a vulnerability. Issues that only affect a smaller user base (e.g. 
users on outdated browsers or other outdated software).\n* Denial of Service vulnerabilities (DoS)\n* Cross-site Request Forgery (CSRF) with minimal security implications (Login/logout/unauthenticated)\n* Version information disclosure (without verifying the presence of an actual exploitable vulnerability)\n* Password complexity related vulnerabilities\n* Unverified or incomplete \"Scanner output\" or scanner-generated reports\n* Vulnerabilities requiring physical access to the victim's unlocked device\n* Bugs requiring exceedingly unlikely user interaction\n* Disclosure of public information and information that does not present significant risk\n* Vulnerabilities that Roblox determines to be an accepted risk will not be eligible for a paid bounty\n* Language used in emails and policy documents\n* SPF, DKIM or DMARC issues on sub-domains of roblox.com\n* HTML injection vulnerabilities with no direct risk\n* Social engineering or following a link will not be considered for bounty\n* Self XSS or similar vulnerabilities\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-02-04T17:39:38.362Z"},{"id":3629297,"new_policy":"## Policy\n#### Our Mission\nRoblox is ushering in the next generation of entertainment, allowing kids of all ages to imagine, create, and play together in an immersive, user-generated 3D world. We call it the “Imagination Platform” and invite everyone to play on it.\nWe recognize the important role that our user community and a community of security researchers play in helping to keep Roblox and our community safe. 
If you think you’ve found a security issue on any of the scopes we have listed, please inform us via our program on HackerOne using the guidelines below.\n\n#### Program Rules\nTo participate in Roblox’s **security bug bounty program**, we request that you abide by the following rules. These are fairly standard requirements for most programs, but if you have any questions or feedback on these rules, please let us know at support@hackerone.com. (please do not submit bugs to this alias).\n* While testing, take measures to avoid accessing user data or affecting other users’ experiences. Please localize testing to your own test accounts wherever possible. If private user data is accessed during your security testing, please notify us immediately. If you have found an issue that may require touching other users’ data to verify, please contact us first for advice on how to safely test for such issues\n* If you are aware that your attacks may harm the reliability or integrity of our services or data, stop immediately and contact us\n* Vulnerabilities found through DDoS/spam attacks are not allowed\n* Never attempt non-technical attacks such as social engineering (e.g. phishing, vishing, smishing) or physical attacks against our employees, users, or infrastructure\n* Recently disclosed 0day vulnerabilities are not eligible, unless you have a working poc exploit.\n* Follow HackerOne’s disclosure guidelines\n* When testing, please include the string \"hackeronetest-\u003cyour-roblox-id\u003e\" at the end of your user agent so we can more easily identify traffic that is coming from the bug bounty program.\n* For any report involving the Roblox Client or Roblox Studio, include the version\n* In Studio, click File \u003e About Roblox Studio\n* For client, the version is shown in the properties of the exe file, normally located at %APPDATA%..\\Local\\Roblox\\Versions\u003cversion\u003e\\RobloxPlayerBeta.exe. 
There are typically two folders, one for client, one for studio.\n* Report the approximate date/time/timezone of the most recent test of the issue\n* Please do NOT contact our customer support team or employees out of band to contest or escalate a report; all inquiries should happen on the report itself. Failure to follow this rule may result in a bounty not being paid out and repeat offenses can lead to removal from the bug bounty program\n\n#### Response Targets\nRoblox will make a best effort to meet the following SLAs for hackers participating in our program:\n* Time to first response (from report submit): 2 business days\n* Time to triage (from report submit): 2-10 business days\n* Time to bounty (from triage): 10-20 business days\n* We’ll try to keep you informed about our progress throughout the process\n\n#### Disclosure Policy\nWhile we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited and will result in disqualification from the Bug Bounty Program:\n* Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other person without explicit Roblox authorization\n* Disclosing the contents of any submission to our program without explicit Roblox authorization\n* Accessing private information of any person stored on a Roblox product or service – You must use test accounts\n* Accessing sensitive information (eg. credentials)\n* Performing actions that may negatively affect Roblox or its users (e.g. Spam, Brute force, Denial of Service)\n* Conducting any kind of physical attack on Roblox personnel, property or data centers\n* Social engineering any Roblox help desk, employee or contractor\n* Exfiltrating data. 
Please test only the minimum necessary to validate a vulnerability (we can verify if data exfiltration would be possible from a vulnerability, and will reward with the impact in mind)\n* Violating any laws or breaching any agreements in order to discover vulnerabilities\n\n#### Out-of-scope Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) how easily/realistically exploitable the bug is (what’s the attack scenario?) and (2) what is the security impact of the bug? If a bug is not easily exploitable or does not have a significant security impact, it is less likely to qualify for a bounty.  \nThe following vulnerabilities typically will not qualify for Roblox’s program:\n* User account hacks that require user interaction\n* Chat filter bugs\n* Missing autocomplete attributes\n* Missing flags on cookies that don’t house any sensitive information\n* SSL/TLS scan reports (this means output from sites such as SSL Labs) and SSL/TLS version related vulnerabilities\n* Missing security-related HTTP headers which do not lead directly to a vulnerability. Issues that only affect a smaller user base (e.g. 
users on outdated browsers or other outdated software).\n* Denial of Service vulnerabilities (DoS)\n* Cross-site Request Forgery (CSRF) with minimal security implications (Login/logout/unauthenticated)\n* Version information disclosure (without verifying the presence of an actual exploitable vulnerability)\n* Password complexity related vulnerabilities\n* Unverified or incomplete \"Scanner output\" or scanner-generated reports\n* Vulnerabilities requiring physical access to the victim's unlocked device\n* Bugs requiring exceedingly unlikely user interaction\n* Disclosure of public information and information that does not present significant risk\n* Vulnerabilities that Roblox determines to be an accepted risk will not be eligible for a paid bounty\n* Language used in emails and policy documents\n* SPF, DKIM or DMARC issues on sub-domains of roblox.com\n* HTML injection vulnerabilities with no direct risk\n* Social engineering or following a link will not be considered for bounty\n* Self XSS or similar vulnerabilities\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-27T19:12:12.929Z"},{"id":3629296,"new_policy":"## Policy\n#### Our Mission\nRoblox is ushering in the next generation of entertainment, allowing kids of all ages to imagine, create, and play together in an immersive, user-generated 3D world. We call it the “Imagination Platform” and invite everyone to play on it.\nWe recognize the important role that our user community and a community of security researchers play in helping to keep Roblox and our community safe. 
If you think you’ve found a security issue on any of the scopes we have listed, please inform us via our program on HackerOne using the guidelines below.\n\n#### Program Rules\nTo participate in Roblox’s bug bounty program, we request that you abide by the following rules. These are fairly standard requirements for most programs, but if you have any questions or feedback on these rules, please let us know at support@hackerone.com. (please do not submit bugs to this alias).\n* While testing, take measures to avoid accessing user data or affecting other users’ experiences. Please localize testing to your own test accounts wherever possible. If private user data is accessed during your security testing, please notify us immediately. If you have found an issue that may require touching other users’ data to verify, please contact us first for advice on how to safely test for such issues\n* If you are aware that your attacks may harm the reliability or integrity of our services or data, stop immediately and contact us\n* Vulnerabilities found through DDoS/spam attacks are not allowed\n* Never attempt non-technical attacks such as social engineering (e.g. phishing, vishing, smishing) or physical attacks against our employees, users, or infrastructure\n* Recently disclosed 0day vulnerabilities are not eligible, unless you have a working poc exploit.\n* Follow HackerOne’s disclosure guidelines\n* When testing, please include the string \"hackeronetest-\u003cyour-roblox-id\u003e\" at the end of your user agent so we can more easily identify traffic that is coming from the bug bounty program.\n* For any report involving the Roblox Client or Roblox Studio, include the version\n* In Studio, click File \u003e About Roblox Studio\n* For client, the version is shown in the properties of the exe file, normally located at %APPDATA%..\\Local\\Roblox\\Versions\u003cversion\u003e\\RobloxPlayerBeta.exe. 
There are typically two folders, one for client, one for studio.\n* Report the approximate date/time/timezone of the most recent test of the issue\n* Please do NOT contact our customer support team or employees out of band to contest or escalate a report; all inquiries should happen on the report itself. Failure to follow this rule may result in a bounty not being paid out and repeat offenses can lead to removal from the bug bounty program\n\n#### Response Targets\nRoblox will make a best effort to meet the following SLAs for hackers participating in our program:\n* Time to first response (from report submit): 5 business days\n* Time to triage (from report submit): 10 business days\n* Time to bounty (from triage): 30 business days\n* We’ll try to keep you informed about our progress throughout the process\n\n#### Disclosure Policy\nWhile we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited and will result in disqualification from the Bug Bounty Program:\n* Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other person without explicit Roblox authorization\n* Disclosing the contents of any submission to our program without explicit Roblox authorization\n* Accessing private information of any person stored on a Roblox product or service – You must use test accounts\n* Accessing sensitive information (eg. credentials)\n* Performing actions that may negatively affect Roblox or its users (e.g. Spam, Brute force, Denial of Service)\n* Conducting any kind of physical attack on Roblox personnel, property or data centers\n* Social engineering any Roblox help desk, employee or contractor\n* Exfiltrating data. 
Please test only the minimum necessary to validate a vulnerability (we can verify if data exfiltration would be possible from a vulnerability, and will reward with the impact in mind)\n* Violating any laws or breaching any agreements in order to discover vulnerabilities\n\n#### Out-of-scope Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) how easily/realistically exploitable the bug is (what’s the attack scenario?) and (2) what is the security impact of the bug? If a bug is not easily exploitable or does not have a significant security impact, it is less likely to qualify for a bounty.  \nThe following vulnerabilities typically will not qualify for Roblox’s program:\n* User account hacks that require user interaction\n* Chat filter bugs\n* Missing autocomplete attributes\n* Missing flags on cookies that don’t house any sensitive information\n* SSL/TLS scan reports (this means output from sites such as SSL Labs) and SSL/TLS version related vulnerabilities\n* Missing security-related HTTP headers which do not lead directly to a vulnerability. Issues that only affect a smaller user base (e.g. 
users on outdated browsers or other outdated software).\n* Denial of Service vulnerabilities (DoS)\n* Cross-site Request Forgery (CSRF) with minimal security implications (Login/logout/unauthenticated)\n* Version information disclosure (without verifying the presence of an actual exploitable vulnerability)\n* Password complexity related vulnerabilities\n* Unverified or incomplete \"Scanner output\" or scanner-generated reports\n* Vulnerabilities requiring physical access to the victim's unlocked device\n* Bugs requiring exceedingly unlikely user interaction\n* Disclosure of public information and information that does not present significant risk\n* Vulnerabilities that Roblox determines to be an accepted risk will not be eligible for a paid bounty\n* Language used in emails and policy documents\n* SPF, DKIM or DMARC issues on sub-domains of roblox.com\n* HTML injection vulnerabilities with no direct risk\n* Social engineering or following a link will not be considered for bounty\n* Self XSS or similar vulnerabilities\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-27T18:56:18.510Z"}]