iRobot

  • $200 – $7,000 per vulnerability
  • Safe harbor

iRobot API Endpoints Added to Scope

We hope your testing is going well. Here is an update that should make things a bit more interesting!

Some new API endpoints have been added to the iRobot program. We highly recommend you take a look at this additional attack surface – which hopefully means more vulnerabilities! Here is what’s new:

The in-scope API Gateway endpoints require proper authentication to execute any commands. The focus area for these targets is reports that bypass or circumvent the authentication implementation. Each endpoint accepts the following HTTP methods:

Endpoint URL                                                                                                   HTTP Methods
https://w2ab2i60y4.execute-api.us-east-1.amazonaws.com/dev/v1/ecommerce/entitlements                           GET, POST
https://w2ab2i60y4.execute-api.us-east-1.amazonaws.com/dev/v1/ecommerce/entitlements/{entitlement_id}          PUT, DELETE
https://w2ab2i60y4.execute-api.us-east-1.amazonaws.com/dev/v1/ecommerce/notifications/raas                     POST
https://w2ab2i60y4.execute-api.us-east-1.amazonaws.com/dev/v1/ecommerce/robots/{robot_id}/entitlements         GET
https://w2ab2i60y4.execute-api.us-east-1.amazonaws.com/dev/v1/ecommerce/users/{user_id}/entitlements           GET

As always, please see the program brief for the full details around testing. If you have any questions, please reach out to support@bugcrowd.com.

Get out there and lay claim to those bugs!