Robot Bug Bounty Program

Acutronic Robotics' H-ROS SoM
Bounty Brief


Description:

Acutronic Robotics delivers high quality real-time compliant modular robot solutions for professional and industrial applications. They envision a future where building, maintaining or extending robots is simplified: robot modules that can be exchanged easily regardless of the original manufacturer, and flexible, adaptable machines able to respond to new demands.

This Robot Bug Bounty Program is focused on their modularity solutions, particularly on the H-ROS™ System on Module (SoM), a tiny device for building industrial grade plug-and-play robot modules. The SoM delivers a complete package that provides security, automatic updates, a high speed (Gigabit Ethernet), synchronous and real-time capable communication bus, a Real-Time Operating System and an enhanced ROS 2.0 setup. Altogether, the H-ROS™ SoM simplifies the process of integrating robot parts into the modern robot ecosystem and reduces costs and time to market. The SoM also integrates a variety of sensors and power mechanisms that allow managing the hardware and software lifecycle of the resulting robot module. In addition, its flexible architecture and reconfigurable I/O (RIO) simplify the interface with a wide variety of robot parts that use different communication buses.

Rules and guidelines:

The expected behavior of all members participating in or making use of any of the services related to or provided by Alias Robotics is defined in the Code of Conduct.

Violation of any of these rules can result in ineligibility for a bounty and/or removal from the program.

Legal:

In connection with your participation in this program you agree to comply with all applicable local and national laws. The Customer (Acutronic Robotics) reserves the right to change or modify the terms of this program at any time.

Acutronic Robotics employees and contingent workers, as well as their immediate family members and persons living in the same household, are not eligible to receive bounties or rewards of any kind under any Acutronic Robotics programs, whether hosted by Acutronic Robotics or any third party.

Disclosure:

While Alias Robotics believes public disclosure to be an important part of the vulnerability reporting ecosystem and encourages its clients to disclose issues once a fix is released, we also support our customers maintaining individual disclosure policies.

Acutronic Robotics' default disclosure policy is Nondisclosure. Under this policy, Researchers are required to receive explicit permission to publicly disclose any submission, including those reported as Duplicate, Out-of-Scope or ‘N/A.’

For further details about disclosure, refer to our disclosure terms.

Reporting and triage:

If our security team cannot reproduce and verify an issue (triage), a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:

  • Description of the vulnerability
  • Steps to reproduce the reported vulnerability
  • Proof of exploitability (e.g. screenshot, video)
  • Perceived impact to another user or the organization
  • Proposed RVSSv1 vector and score (please, don’t include environmental and temporal modifiers unless properly justified)
  • List of subsystems affected
  • Additional payloads (exploits) and Proof-of-Concept code
  • Firmware version or robot/part serial number used during testing

Note: Failure to adhere to these minimum requirements may result in loss of reward.

Triage may take up to one month in some cases or more depending on the level of description of the original report. Please make sure to include as much information as possible to facilitate the process. Our team will be communicating directly with you so we ask you to make sure your e-mail address is valid within your Profile section. If you have questions, feel free to contact us at contact at aliasrobotics.com.

Scope:

Bugs or vulnerabilities in other robots or robot components should be reported to the program to which they belong. Please see our detailed attack surface below; it is described by the corresponding attack vectors. For a full list of assets that are out of scope, see the “Do not report” section below.

This list is subject to change without notice. If you’ve found a vulnerability or a bug that affects an asset belonging to the same company but is not listed as in scope for the H-ROS™ SoM program, please report it to this program.

Attack Surface table:

Attack Vector                        Description
-----------------------------------  ---------------------------------------------------------------------------------------------
Robot framework (ROS 2.0) attacks    Attacks affecting the inner ROS 2.0 framework, including the ad hoc communications middleware
Operating System (OS) attacks        Attacks on the underlying Linux operating system
External ports attacks               Bugs or vulnerabilities affecting the external ports exposed through the SoM’s pinout and Reconfigurable I/O (RIO)

Rewards:

We compensate both bugs and vulnerabilities; however, for a higher reward, we recommend that researchers pursue vulnerability reports that exploit detected bugs and include the corresponding exploit.

Severity                                       Payout
---------------------------------------------  -----------
Bugs in "Robot framework (ROS 2.0) attacks"    Up to 100 €
Operating System (OS) attacks                  Up to 100 €
External ports attacks                         Up to 100 €

Note: Non-listed vulnerabilities may also be eligible. Some vulnerability types may fall under a variety of severity ratings determined by scope/scale of exploitation and impact.

Severity    RVSS         Payout
----------  -----------  -------------
Critical    10.0 - 9.0   Up to 5,000 €
High        8.9 - 7.0    Up to 3,000 €
Medium      6.9 - 4.0    Up to 500 €
Low         3.9 - 0.0    Up to 100 €

Do not report:

The following issues are considered out of scope:

  • Those that resolve to third-party services
  • Issues that do not affect the latest version of the firmware of the robot or robot component
  • Issues that we are already aware of or have been previously reported
  • Issues that require unlikely user interaction
  • General best practice concerns

Accepted bugs and vulnerabilities:

We are working to make it public. Stay tuned. We’ll be back soon.