NOTE! [Please Read Fully Before Beginning Or Engaging In Any Testing]
- Please DO NOT use automated vulnerability scanners when testing against the in-scope targets (Zap/Burp/Acunetix/Nikto/Nessus/etc) - all of these tools have already been run, and are run on a recurring basis internally. Running any tools of this nature is largely an inefficient use of your time and resources.
- However, you ARE encouraged to run any custom scripts or fuzzers that you have developed (e.g. niche file or directly wordlists, etc); however, please keep your requests using these tools to UNDER 50 requests per SECOND.
- In short, we strongly encourage researchers to perform manual testing by hand - this is where you're much more likely to achieve success, and a much better use of your time and resources, as opposed to running common tools that have already been used extensively against the in-scope targets, etc.
- Please be aware that Submissions found using pirated software will not be rewarded.
- Good luck, and happy hunting!
Additionally, please be aware that this program does not accept out of scope submissions. Testing targets that are out of scope is strictly prohibited.
iRobot, the leading global consumer robot company, designs and builds robots that empower people to do more both inside and outside of the home. This program is testing iRobot's web applications, mobile applications, cloud APIs, and cloud-connected robots for vulnerabilities.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Financial rewards differ based on the tier of product the vulnerability was found in (see below for details).
Targets Eligible for Tier 1 Rewards
- Any cloud-connected iRobot robot
Targets Eligible for Tier 2 Rewards
- iRobot Home - iOS
- iRobot Home - Android
Targets Eligible for Tier 3 Rewards
- Any cloud API
|Category||Tier 1 (Robot)||Tier 2 (Mobile)||Tier 3 (Web/API)|
|P1||$4,200-$7,500||$4,200-$5,000||$1,200 - $1,500|
|P2||$2,400-$3,000||$2,400-$3,000||$750 - $1,000|
|P3||$1,000-$1,500||$1,000-$1,500||$300 - $500|
Out of scope
Testing is only authorized on the targets listed as In-Scope. Any domain/property of iRobot not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
Absolutely no out of scope submissions will be accepted at this time. Do not test anything that is not listed as In-Scope.
- Do not access, destroy, alter, or otherwise negatively impact iRobot customers, or customer data, in any way.
- Do not perform any activities that would cause a denial of service (DoS), or distributed denial of service (DDoS), against iRobot products or services.
- Ensure that you have fully read and understand the targets, exclusions, and rules below.
- Understand the scope.
- Note that bounties are awarded differently per product
- To test robots, you will need a robot identifier (provided below or you can use your own if you own an iRobot cloud-connected robot) and either the iOS or Android iRobot Home application.
Credentials are self-provisioned on the iRobot site using your @bugcrowdninja.com email address. Additional user accounts can be created to perform horizontal (cross-account) testing using the same account creation process, using your @bugcrowdninja.com email address. We would like researchers to focus on testing the user account and associated functionality.
Testing order and payment workflow at store.irobot.com can be done with the following credit card information. Please do not input real information in orders for order testing purposes.
Shipping and Order Address: Must be valid address Name on Card: Any Name CC#: 4111111111111111 CVV/CRV/CV2: 123 Expiration Date: Any date after current date
Robot Identifiers are commonly found in API calls. If you do not have a robot to test with, you can use one of the following Robot IDs:
- This bounty follows BugCrowd's Vulnerability Rating Taxonomy
- This bounty follows BugCrowd's Standard Disclosure Terms
- This bounty does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.
- This program strictly prohibits any form of contact between Bugcrowd researchers and the iRobot support team. Please make all considerable efforts to avoid creating support tickets, messaging iRobot support, and/or attempting to elicit a response from iRobot's customer-focused business units. If you have questions or need to contact iRobot or Bugcrowd, please email firstname.lastname@example.org. You must ensure that customer data or devices are not impacted in any way as a result of your testing. Ensure that you are not being destructive while testing and that you are only testing targets that are in-scope.
- Submissions must be submitted in plain text formats. Supporting videos and images are fine as long as they are in standard, cross-platform formats. Submissions in other formats (e.g. DOCX, PDF, etc.,) will be asked to for resubmission in a plain text format.
- We are not interested in vulnerabilities that only affect robots under your possession and control unless it can be demonstrated that the same vulnerability would impact another customer's robot, mobile device, account, etc.,
Due to the nature of our connected products, we are focused primarily on any vulnerabilities that could allow one user to affect any robots, mobile devices, or account information which do not belong to them. We are especially interested in any attacks that affect the entire robot fleet!
Other areas of interest:
- Can you remotely install malware on another user's robot
- Can you collect any user information without physical access to their robot or mobile device, including account information, persistent map information, user WiFi SSIDs, etc.
- Can you control anyone else's robot remotely
As noted in the "out of scope" section below, we are interested if you can detail a vulnerability that would allow an actor to control or manipulate a robot not in their possession, but it is out of scope to actually control, deny service, or otherwise negatively impact a robot you do not own.
For our web applications we are interested in traditional web application vulnerabilities and other vulnerabilities that directly affect our customers or products. Some of these vulnerabilities include:
- Cross-account data leakage or unauthorized access
- Stored/Reflected/DOM-based Cross-Site Scripting (XSS)
- SQL Injection (SQLi)
- Server-side Remote Code Execution (RCE)
- Server-side Request Forgery (SSRF)
- Broken access controls (insecure direct object references, etc.)
- Path/directory traversal
Out of Scope
- Any access, destruction, alteration, public disclosure of, or otherwise negatively impacting attack against iRobot customers, customer data, or iRobot systems and/or data.
- Any domain, property, product, protocol, or service of iRobot not explicitly listed in the In-Scope section is out of scope, including any and all iRobot domains and subdomains not listed above.
- Any attack causing a denial of service (DoS), or distributed denial of service (DDoS) condition against iRobot products, services, or customers.
- Any attacks against iRobot staff - including but not limited to social engineering, phishing, cold-calls, etc – are explicitly out-of-scope for this program.
- Automated scanning tools are out of scope for this program.
Excluded Finding Types
The following finding types are specifically excluded from the bounty:
- Fingerprinting or banner disclosure on public ports/services
- Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain
- Missing HTTP security headers, specifically:
- HTTP Strict Transport Security (HSTS)
- Public Key Pinning Extension for HTTP (HPKP)
- X-Frame-Options (Clickjacking)
- Expect-CT ** Feature-Policy
- HTTP OPTIONS header
- HTTP or DNS cache poisoning
- Vulnerabilities in the WiFi spec
- No load testing (DoS/DDoS) on the application(s) or network
- Known vulnerabilities in used libraries, or reports of outdated libraries unless you can demonstrate exploitability