
Bug Bounty Programme Guidelines

 

This page was last updated 26th June 2025

At RoboShadow, we are committed to maintaining the highest standards of security for our users. As part of this commitment, we welcome the responsible disclosure of security vulnerabilities through our Bug Bounty Programme.

This policy outlines the scope, rules, and reward structure for eligible vulnerability submissions.

 


Testing Guidelines

To ensure responsible testing and minimal disruption to our services, please follow these rules:

  • Scope: Only vulnerabilities affecting https://portal.roboshadow.com and https://api.roboshadow.com are in scope.

  • Manual Testing Only: Use of automated scanners or tools is strictly prohibited.

  • Test Accounts: You must conduct all testing using an account that you have registered on the RoboShadow portal.

 

Reporting Process

All vulnerability reports must be submitted to bugbounty@roboshadow.com and include the following:

  • Step-by-step reproduction instructions

  • Relevant URLs, parameters, and affected endpoints

  • Impact assessment and details of potential exploitation

  • Environment information (e.g., browser, OS)

  • Proof of concept evidence, preferably via a link to a video demonstration (attachments are not accepted)

 

Review & Triage

Once your report is submitted:

  1. A ticket number will be assigned for tracking and communication.

  2. The report will be reviewed within 14 days.

  3. Vulnerabilities will be evaluated for severity and impact.

  4. You will receive a response with the final assessment and any applicable reward offer.

 

Rewards & Payment

Reward amounts are determined at RoboShadow’s discretion and depend on:

  • The real-world security risk

  • Business impact

  • Severity classification (outlined below)

To process a reward, you must provide:

  • A LinkedIn or bug bounty platform profile

  • Your full name, address, and bank account details

  • A government-issued ID that matches the bank account name

  • An invoice issued to RoboShadow for the agreed payment amount

Rewards are quoted in USD, but paid in your local currency, subject to exchange rates.
Payments are processed within 14 days of confirmation and acceptance of the reward.


Vulnerability Severity & Reward Matrix

High Severity (up to $1,000)

These issues may lead to full system compromise or significant data exposure:

  • Remote Code Execution (RCE) – Arbitrary code execution on backend servers

  • Command Injection – Unfiltered input leading to command-line access

  • Malicious File Upload – Uploading files that result in code execution

  • Severe SQL Injection – Full access to or modification of database content

  • Authentication Bypass (Global) – Gaining access to any user account

  • Production Database Access – Direct access or credential exposure, including backups

 

Moderate Severity (up to $500)

These vulnerabilities affect core application functionality or user data:

  • Stored Cross-Site Scripting (XSS) – Persistent JavaScript payloads, especially in admin contexts

  • Server-Side Request Forgery (SSRF) – Forcing server requests to internal or protected systems

  • Local File Inclusion (LFI) – Reading sensitive files on the server

  • Privilege Escalation – Gaining unauthorized access across roles or user levels

  • Session Hijacking / Token Manipulation – Predicting or forging session identifiers


Low Severity (up to $100)

Lower-risk issues that may still aid overall security posture:

  • Reflected XSS – Non-persistent JavaScript execution via URL/form input

  • Cross-Site Request Forgery (CSRF) – Unauthorized actions performed on behalf of logged-in users

  • Information Disclosure – Leaking technical details like stack traces or version info

  • Insecure Direct Object References (IDOR) – Gaining access by manipulating object identifiers

  • Business Logic Bugs (Payment up to $50)


 

Excluded Issues

The following are out of scope and not eligible for rewards:

  • Bugs affecting non-production systems (e.g., our marketing website, development portals, or external APIs)

  • DoS/DDoS attacks

  • Brute force or rate-limiting bypasses

  • Browser/client-side vulnerabilities

  • Social engineering or physical attacks

  • Self-XSS or issues only found by automated tools

  • Third-party software vulnerabilities

  • Password policy or complexity issues

  • DNS-related issues (e.g., SPF, missing records)

  • Missing or misconfigured security headers

  • Lack of 2FA, unless it can be directly bypassed

  • Clickjacking with no actual impact

  • Phishing attempts

  • Marketing or dev site issues

  • SPF, .TXT, or DNS record misconfigurations


Rewards

Here are some reports we have recently rewarded (COMING SOON)

Severity | Report Name | Amount Rewarded | Date | Name
(no reports listed yet)

 

Thank You!

We sincerely appreciate your help in keeping RoboShadow secure. Responsible researchers play a key role in safeguarding our platform and users. We look forward to working with you!

 

There are other terms that may apply to you

These terms of use refer to the following additional terms, which also apply to your use of our services:

  • Our Website Terms, which set out the terms of using our website.
  • Our Privacy Policy, which sets out how we use your information.
  • Our Cookie Policy, which sets out information about the cookies on our site and platform.
  • Our End User License Agreement, which applies if you download our agent.