We are calling all bug catchers!
Our goal is to make Hyra perfect for everyone. If you feel there are any issues or areas for improvement, we'd love to hear about them!
Detailed bug reports are more likely to be reproduced and therefore more likely to be fixed.
Successful bounty hunters receive the following rewards:
P1 - Critical: $100 - $200
P2 - Severe: $50 - $99
P3 - Moderate: $15 - $25
P4 - Low: $5
P5 submissions do not receive any rewards for this programme.
The following properties are in the scope of this programme.
Roblox Centres (without modified source)
All domains/endpoints other than those listed in the in-scope section are out of scope.
The target URLs are the same as those used by our real customers; please keep this in mind and act accordingly.
Automated vulnerability scans are strictly prohibited.
No attacks against Hyra's existing user base.
No DDoS attacks.
Cross site request forgery on critical actions
Cross site scripting (XSS), including those blocked by our CSP
Remote code execution / shell injection
SQL injection (though typically out of the scope, as SQL is not used in Hyra)
Insecure direct object references
Testing is only authorized on the targets listed as In-Scope. Any domain/property of Intercom not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in-scope, but that demonstrably belongs to Hyra, it may be reported to this programme, and is appreciated, but it will ultimately be marked as 'not applicable' and will not be eligible for monetary or points-based compensation.
Payouts above $5.00 can be cashed via PayPal or FPS if you are in the UK. Rewards on the P4 tier will be paid via a Classic Discord Nitro Month or a $5 Roblox Gift Card.
If you are reporting a security vulnerability, please send us a message in the chat or email [email protected].