Security or Bug Bounties

Looking for Bugs or Security Issues?

As an online company we are always looking to identify and correct bugs in our system, and we do pay bounties for security vulnerabilities that are reported to us. The amount paid varies based on the severity of the vulnerability.

  • If you have already found one, please email the details to marketplace-security@roll20.net, but make sure to read the notes and instructions below.
  • If you plan to probe for vulnerabilities, do not probe our live site.

Please perform all penetration testing at http://oldpentest.drivethrurpg.com and also https://newpentest.drivethrurpg.com. Those are the only domains and subdomains that you should test, and we are more interested in vulnerabilities on the "newpentest" site, because that is our newer codebase which will be replacing the old one. We only give minimal payouts for the older codebase, unless it is a critical flaw.

Note that we pay bounties for actual site bugs and vulnerabilities, but not "best practices" issues. As just one example: not invalidating sessions after a password reset is considered a "best practice" issue, not a security bug, so therefore we do not pay a bounty for it. Another example of a best practice issue would be rate limiting. We do pay for SQL injection vulnerabilities, IDOR vulnerabilities, XSS vulnerabilities, CSRF vulnerabilities on critical forms, etc.

Please report any bugs you find to marketplace-security@roll20.net, with complete steps to reproduce and as well as a video showing the vulnerability in action. Please copy and paste any payloads that you submit via Burp suite (or similar tools), so that we are able to reproduce. You need to demonstrate a full exploit in action; you cannot just tell us about an exploit, you must show a full proof of concept to be eligible for bounties.

We perform all payouts via PayPal. We are unable to pay via wire transfer, or anything other than PayPal.

Was this article helpful?
5 out of 6 found this helpful