R0Y Bug Bounty Program

R0Y welcomes security researchers and engineers to help identify real, high-impact security vulnerabilities in our platform. We receive a large volume of low-quality or speculative reports; this program exists to reward serious, technically sound, and responsible disclosures only.

We are only reviewing and rewarding high-risk security vulnerabilities that materially affect R0Y users, systems, or infrastructure.

Rewards

Compensation varies (e.g. up to $500 or more depending on severity). Rewards depend on:

  • Severity and real-world impact
  • Exploitability
  • Quality, clarity, and completeness of the report

Rewards are issued at R0Y’s sole discretion.

Submission Guidelines

1. Eligibility

We accept reports for:

  • Security vulnerabilities in R0Y applications, services, APIs, infrastructure, or internal systems
  • Previously unreported issues (first valid submission only)
  • Vulnerabilities not already known or scheduled on our internal roadmap
  • Clear documentation with reproducible steps

2. Submission Process

Submit your findings using the secure form below. To remain eligible for payment, all public disclosures must be removed immediately upon submission.

Publicly exposing vulnerabilities before remediation puts R0Y and its users at risk and voids eligibility for rewards.

3. Required Information

Each submission must include:

  • Clear description of the vulnerability
  • Step-by-step reproduction instructions
  • Supporting evidence (screenshots, videos, PoC code, logs)
  • Impact assessment (what breaks, who is affected, worst-case scenario)
  • Suggested mitigation or fix (if known)
  • Contact information for follow-up and payout

Incomplete or speculative reports will be ignored.

Responsible Disclosure Policy

By submitting a vulnerability to R0Y, you agree to:

  • Keep all vulnerability details strictly confidential
  • Not exploit the vulnerability beyond proof-of-concept validation
  • Delete any accessed data immediately after testing
  • Remove any public disclosure of the vulnerability as a condition of payment
  • Allow R0Y reasonable time to investigate and remediate before any disclosure

Failure to comply disqualifies the submission.

Scope

We only review high-risk security vulnerabilities. The following are out of scope and not eligible for rewards:

  • Denial-of-service (DoS / DDoS) attacks
  • Rate-limit issues without demonstrated impact
  • Basic domain, DNS, or IT hygiene issues
  • Spam, phishing, or social engineering attacks
  • Physical attacks or in-person social engineering
  • Vulnerabilities in third-party services not owned or maintained by R0Y
  • Issues requiring physical access to a user’s device

Evaluation Process

Our security team reviews valid submissions and aims to respond within 5 business days. Reports are evaluated based on: severity and user/system impact; technical depth and clarity; novelty; ease of exploitation and attack surface. Duplicate reports receive no reward.

Submission Form

Submit vulnerabilities securely using the form below:

Bug Bounty Form

Please submit verified security findings through this secure form. R0Y follows responsible disclosure standards. Do not publicly disclose vulnerabilities. Our team will validate, reproduce, and remediate confirmed issues. Valid reports typically receive a response within 5 business days.

Full Name *

Email *

Vulnerability Title *

Brief, specific summary of the issue

Detailed Report *

Include a clear description of the vulnerability, affected components, and observed behavior.

Steps to Reproduce *

Provide precise, ordered steps so the issue can be reliably reproduced.

Impact Assessment (Select all that apply)

  • Low — cosmetic issue or minor logic flaw
  • Medium — functional inconsistency or partial failure
  • High — security vulnerability or critical system exposure

Additional Info

Optional context, logs, links, or mitigation ideas.

Payout Method (Venmo, PayPal, or Zelle) *

Enter the handle or email associated with your preferred payout method.

Disclosure Confirmation *

I confirm that I have removed all public disclosures of this vulnerability and have not shared sensitive details publicly.

Never submit passwords, private keys, access tokens, or other sensitive personal data through this form.

For questions related to the bug bounty program, use our contact form.

Thank You

We respect good security work. If you find something real, document it properly, and disclose it responsibly, we will pay you.

Low-effort noise will be ignored.