• $200 – $7,000 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

64 vulnerabilities rewarded

Validation within 8 days
75% of submissions are accepted or rejected within 8 days

$1,200 average payout (last 3 months)


NOTE! [Please Read Fully Before Beginning Or Engaging In Any Testing]

  1. Please DO NOT use automated vulnerability scanners when testing against the in-scope targets (ZAP/Burp/Acunetix/Nikto/Nessus/etc.). All of these tools have already been run, and are run on a recurring basis internally, so running tools of this nature is largely an inefficient use of your time and resources.
  2. You ARE, however, encouraged to run any custom scripts or fuzzers that you have developed (e.g. niche file or directory wordlists, etc.). Please keep the request rate of these tools UNDER 50 requests per SECOND.
  3. In short, we strongly encourage researchers to perform manual testing by hand. This is where you are much more likely to succeed, and it is a much better use of your time and resources than running common tools that have already been used extensively against the in-scope targets.
  4. Please be aware that Submissions found using pirated software will not be rewarded.
  5. Good luck, and happy hunting!

Additionally, please be aware that this program does not accept out of scope submissions. Testing targets that are out of scope is strictly prohibited.

iRobot, the leading global consumer robot company, designs and builds robots that empower people to do more both inside and outside of the home. This program is testing iRobot's web applications, mobile applications, cloud APIs, and cloud-connected robots for vulnerabilities.

iRobot Home v5 Released!

iRobot Home v5+ is rolling out on the Apple App Store and Google Play Store. Please note that reports against earlier versions of the mobile app will not be accepted. Here is what's new:

  • New and improved home screen and app design
  • Ability to create and save cleaning routines with Favorites
  • Ability to schedule Imprint® Link jobs
  • Schedule your robot to clean when you leave the house
  • Create Clean Zones to direct cleaning to objects and areas, including voice assistant support
  • Improved Smart Map education
  • Personalized cleaning recommendations


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.


Financial rewards differ based on the tier of product the vulnerability was found in (see below for details).

Targets Eligible for Tier 1 Rewards

  • Any cloud-connected iRobot robot

Targets Eligible for Tier 2 Rewards

  • iRobot Home v5+ - iOS
  • iRobot Home v5+ - Android

Targets Eligible for Tier 3 Rewards

  • Any cloud API

Category   Tier 1 (Robot)    Tier 2 (Mobile)   Tier 3 (Web/API)
P1         $4,200 - $7,500   $4,200 - $5,000   $1,200 - $1,500
P2         $2,400 - $3,000   $2,400 - $3,000   $750 - $1,000
P3         $1,000 - $1,500   $1,000 - $1,500   $300 - $500
P4         $200              $200              $100


In scope

Target name                                                                        | Type                       | Tags
(URL missing)                                                                      | API Testing                | API Testing, Python
iOS                                                                                | Mobile Application Testing | iOS, Objective-C, Swift, SwiftUI
iRobot cloud-connected robot that you own (i.e. i7, 980, 960, 690, Braava, etc.)   | Hardware Testing           | Hardware Testing
{entitlement_id}                                                                   | API Testing                | API Testing, Python
Android                                                                            | Mobile Application Testing | Android, Java, Kotlin
(URL missing)                                                                      | API Testing                | API Testing, Python
{robot_id}/entitlements                                                            | API Testing                | API Testing, Python
{user_id}/entitlements                                                             | API Testing                | API Testing, Python

Out of scope

Target name     | Type
(URL missing)   | Website Testing
(URL missing)   | Website Testing
(URL missing)   | Website Testing
(URL missing)   | Website Testing
(URL missing)   | Website Testing
(URL missing)   | Website Testing

Testing is only authorized on the targets listed as In-Scope. Any domain or property of iRobot not listed in the targets section is out of scope, including any and all subdomains not listed above.
Absolutely no out-of-scope submissions will be accepted at this time. Do not test anything that is not listed as In-Scope.

Quick Start:

  • Do not access, destroy, alter, or otherwise negatively impact iRobot customers, or customer data, in any way.
  • Do not perform any activities that would cause a denial of service (DoS), or distributed denial of service (DDoS), against iRobot products or services.
  • Ensure that you have fully read and understood the targets, exclusions, and rules below.
  • Understand the scope.
  • Note that bounties are awarded differently per product.
  • To test robots, you will need a robot identifier (provided below, or your own if you own an iRobot cloud-connected robot) and either the iOS or Android iRobot Home application.

Target/testing Info:

Web Credentials

Credentials are self-provisioned on the iRobot site using your email address. Additional user accounts for horizontal (cross-account) testing can be created through the same account creation process, again using your email address. We would like researchers to focus on testing the user account and its associated functionality.

The order and payment workflow on the iRobot site can be tested with the following test card details. Do not enter real payment information when placing test orders.

Shipping and Order Address: Must be a valid address
Name on Card: Any name
CC#: 4111111111111111
CVV/CRV/CV2: 123
Expiration Date: Any date after the current date

Robot IDs

Robot Identifiers are commonly found in API calls. If you do not have a robot to test with, you can use one of the following Robot IDs:

  • 6977840021925810
  • 3144460C10810750
  • 2A80AB73B5634DB9

API Endpoints

The In-Scope API Gateway endpoints require proper authentication to execute any commands. The focus area for these targets is reports that bypass or circumvent the authentication implementation. Each endpoint accepts the following HTTP methods:

Endpoint URL              | HTTP Methods
(URL missing)             | GET, POST
{entitlement_id}          | PUT, DELETE
(URL missing)             | POST
{robot_id}/entitlements   | GET
{user_id}/entitlements    | GET


  • This bounty follows Bugcrowd's Vulnerability Rating Taxonomy.
  • This bounty follows Bugcrowd's Standard Disclosure Terms.
  • This bounty does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.
  • This program strictly prohibits any form of contact between Bugcrowd researchers and the iRobot support team. Please make every reasonable effort to avoid creating support tickets, messaging iRobot support, and/or attempting to elicit a response from iRobot's customer-focused business units. If you have questions or need to contact iRobot or Bugcrowd, please do so by email. You must ensure that customer data and devices are not impacted in any way as a result of your testing. Ensure that you are not being destructive while testing and that you are only testing targets that are in scope.
  • Submissions must be in plain text formats. Supporting videos and images are fine as long as they are in standard, cross-platform formats. Submissions in other formats (e.g. DOCX, PDF, etc.) will be returned for resubmission in a plain text format.
  • We are not interested in vulnerabilities that only affect robots under your own possession and control, unless you can demonstrate that the same vulnerability would impact another customer's robot, mobile device, account, etc.

Focus Areas


Due to the nature of our connected products, we are focused primarily on any vulnerabilities that could allow one user to affect any robots, mobile devices, or account information which do not belong to them. We are especially interested in any attacks that affect the entire robot fleet!

Other areas of interest:

  • Can you remotely install malware on another user's robot?
  • Can you collect any user information without physical access to their robot or mobile device, including account information, persistent map information, user WiFi SSIDs, etc.?
  • Can you control anyone else's robot remotely?

As noted in the "Out of Scope" section below, we are interested in reports that detail a vulnerability that would allow an actor to control or manipulate a robot not in their possession, but it is out of scope to actually control, deny service to, or otherwise negatively impact a robot you do not own.

Web Applications

For our web applications we are interested in traditional web application vulnerabilities and other vulnerabilities that directly affect our customers or products. Some of these vulnerabilities include:

  • Cross-account data leakage or unauthorized access
  • Stored/Reflected/DOM-based Cross-Site Scripting (XSS)
  • SQL Injection (SQLi)
  • Server-side Remote Code Execution (RCE)
  • Server-side Request Forgery (SSRF)
  • Broken access controls (insecure direct object references, etc.)
  • Path/directory traversal

Out of Scope

  • Any access to, destruction or alteration of, public disclosure of, or other negatively impacting attack against iRobot customers, customer data, or iRobot systems and/or data.
  • Any domain, property, product, protocol, or service of iRobot not explicitly listed in the In-Scope section is out of scope, including any and all iRobot domains and subdomains not listed above.
  • Any attack causing a denial of service (DoS) or distributed denial of service (DDoS) condition against iRobot products, services, or customers.
  • Any attacks against iRobot staff, including but not limited to social engineering, phishing, cold calls, etc., are explicitly out of scope for this program.
  • Automated scanning tools are out of scope for this program.

Excluded Finding Types

The following finding types are specifically excluded from the bounty:

  • Fingerprinting or banner disclosure on public ports/services
  • Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain
  • Missing HTTP security headers, specifically:
    • HTTP Strict Transport Security (HSTS)
    • Public Key Pinning Extension for HTTP (HPKP)
    • X-Frame-Options (Clickjacking)
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy
    • X-Permitted-Cross-Domain-Policies
    • Referrer-Policy
    • Expect-CT
    • Feature-Policy
  • HTTP OPTIONS method enabled
  • HTTP or DNS cache poisoning
  • Vulnerabilities in the WiFi specification
  • Load testing (DoS/DDoS) on the application(s) or network
  • Known vulnerabilities in used libraries, or reports of outdated libraries, unless you can demonstrate exploitability

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.