Introduction

RoboForm places a strong emphasis on security and openness. We recognize that coordinated, responsible disclosure of vulnerabilities plays an important role in protecting our users and improving the overall cybersecurity ecosystem. This policy describes how security issues in RoboForm products and services should be reported and how they are managed, following established industry standards and best practices, including guidance from the Cybersecurity and Infrastructure Security Agency (CISA).

Scope

This program applies to RoboForm-owned products and services, including:
● RoboForm desktop applications.
● Mobile applications.
● Browser extensions.
● Web services, APIs, and official RoboForm domains.

Out of scope:
● Third-party services or platforms not owned or controlled by RoboForm.
● Issues requiring physical access to a device.
● Self-XSS or vulnerabilities affecting only the reporting user without broader impact.
● Best practice recommendations without a demonstrated security impact.

Authorization & Safe Harbor

RoboForm authorizes security research conducted in good faith and in accordance with this policy. RoboForm will not pursue legal action against individuals or organizations for activities that:
● Are performed solely for the purpose of identifying and reporting security vulnerabilities.
● Comply fully with this policy and applicable laws.
● Do not involve unauthorized access to, or exposure of, user data beyond what is strictly necessary to demonstrate the vulnerability.
● Do not disrupt, degrade, or compromise the integrity or availability of RoboForm services.

This safe harbor does not apply to activities that:
● Violate applicable laws or regulations.
● Involve data exfiltration, persistence, or lateral movement beyond proof of concept.
● Include social engineering, phishing, or physical attacks.
● Exceed the scope or intent of responsible security research.

Responsible Disclosure Requirements

Participants must:
● Notify us as soon as possible after you discover a real or potential security issue.
● Act in accordance with recognized ethical hacking standards.
● Avoid accessing, modifying, or exfiltrating user data.
● Not exploit vulnerabilities beyond what is strictly necessary to demonstrate their existence.
● Not publicly disclose any vulnerability without prior written authorization from RoboForm.

RoboForm may coordinate disclosure timelines after remediation is completed.

The following activities are strictly prohibited:
● Automated scanning or testing that degrades, disrupts, or negatively impacts service performance.
● Brute-force attacks, credential stuffing, or attempts to gain unauthorized access.
● Data scraping, harvesting, or bulk extraction of information.
● Testing on accounts, systems, or data that you do not own or do not have explicit authorization to use.

Failure to comply with these requirements may result in disqualification and potential legal action.

Submission Process

All vulnerability reports must be submitted via RoboForm’s support system. Each submission must include, at a minimum:
● A clear and detailed description of the vulnerability.
● Step-by-step reproduction instructions.
● Supporting evidence (e.g., screenshots, logs, proof-of-concept code).
● An assessment of potential impact.

Incomplete or unclear submissions may delay evaluation or be deemed ineligible.

Review & Evaluation

● RoboForm will acknowledge receipt and begin review within 10 business days.
● Each report will be evaluated based on:
  ○ Severity (Criticality)
  ○ Exploitability
  ○ Impact on confidentiality, integrity, and availability

RoboForm retains sole discretion in determining the validity, severity classification, and eligibility of each submission. RoboForm does not guarantee a specific timeline for remediation of reported vulnerabilities.

Reward Structure

Reward amounts are determined at RoboForm’s sole discretion and may be adjusted based on quality, impact, and report completeness. Reward amounts may vary depending on the severity of the vulnerability reported. RoboForm reserves the right to decide if the minimum severity threshold is met and whether the vulnerability was previously recorded.

Eligibility & Limitations

Rewards are subject to the following conditions:
● Only previously unknown, reproducible vulnerabilities are eligible.
● Duplicate submissions are not eligible for additional rewards.
● Multiple vulnerabilities chained within a single report may be treated as a single submission for reward purposes.
● The first valid reporter of a vulnerability is eligible for reward consideration.
● RoboForm employees, contractors, and affiliates are not eligible.
● Testing must comply with all applicable laws and regulations.

Reservation of Rights

RoboForm reserves the right to:
● Modify, suspend, or terminate this program at any time.
● Determine eligibility and reward amounts at its sole discretion.
● Decline any submission that does not meet the requirements of this policy.