Notice: This program has been temporarily shut down. Once it is re-opened, we will post here. Thank you.
Bounty Hunter Program
- Program Overview
- Rules of Engagement
- Excluded Vulnerabilities
- Submission Review Process
- Other Notes on Submission Eligibility
- Disclosure
- Researcher Privacy
- Accountability
- Changes to the Terms
- Contact
Program Overview
- We are offering a “bug” bounty program for monetary rewards to “ethical hackers” for successfully discovering and reporting a vulnerability or bug to the Bankful application developers.
- The relationship of Bankful and the Bounty Hunter is that of independent contractors. Neither party nor such party’s employees, consultants, contractors, or agents are agents, employees, partners, or joint venturers of the other party, nor do they have any authority to bind the other party by contract or otherwise to any obligation. They will not represent to the contrary, either expressly, implicitly, by appearance, or otherwise.
- Our reward rates are determined after a review of submitted reports by one of our engineers who is aware of our system and business model. To understand our process and payout, please refer to the table below named “The Priority Determination Table Based on Urgency and Impact.”
- We are not obligated to accept your submission, as we cannot guarantee we have the bandwidth to review and payout your bounty in a timely manner. It is at the discretion of the company to accept or reject a bounty hunter’s submission. If you are not willing to risk a lower compensation or no compensation, then please do not submit the work.
- What a Bounty Hunter reports as critical may not be deemed critical by our engineer. If you feel your contribution has been undervalued, you can request an escalation for a manager to review. Escalations are limited to one request per Bounty Hunter/Company per three-month period.
The Priority Determination Table Based on Urgency and Impact

| Criterion | Description |
| --- | --- |
| Severity of the Vulnerability | Assess the potential impact and severity of the reported vulnerability. Critical or high-risk vulnerabilities that could lead to significant security breaches should be compensated more than lower-severity issues. |
| Exploitability | Evaluate how easily an attacker could exploit the vulnerability. If it is relatively straightforward to exploit, it may warrant higher compensation. |
| Scope of Impact | Consider the scope of the vulnerability’s impact. Vulnerabilities affecting a large number of users, sensitive data, or critical systems may justify higher compensation. |
| Quality of Report | Assess the clarity, detail, and completeness of the submission. A well-documented and comprehensive report helps security teams understand and address the vulnerability effectively. |
| Novelty and Originality | Reward original and innovative submissions. Ethical hackers who discover unique vulnerabilities or unconventional attack vectors may deserve higher compensation. |
| Responsiveness and Collaboration | Consider the ethical hacker’s responsiveness and willingness to work with your team to verify and address the vulnerability. Cooperation and collaboration are valuable qualities in an ongoing security partnership. |
| Adherence to Terms and Policies | Ensure the submission aligns with the established guidelines, terms, and policies set for the bug bounty program or vulnerability reporting. |
| Impact on Business | Assess the potential business impact of the vulnerability. For example, a vulnerability that could lead to a significant financial loss may warrant higher compensation. |

| Criterion | Points |
| --- | --- |
| Severity of the Vulnerability | 1-20 |
| Exploitability | 1-10 |
| Scope of Impact | 1-10 |
| Quality of Report | 1-10 |
| Novelty and Originality | 1-10 |
| Responsiveness and Collaboration | 1-10 |
| Adherence to Terms and Policies | 1-10 |
| Impact on Business | 1-20 |

| Points Range | Payout Amount |
| --- | --- |
| 1-20 | $20 – $100 |
| 21-40 | $150 |
| 41-60 | $150 – $250 |
| 61-80 | $1,000 |
| 81-100 | $2,000 |
Rules of Engagement
Your participation in our program is voluntary and subject to the following:
- Your submission must include a working Proof of Concept to be considered for a reward.
- Avoid harm to others’ data and privacy. Specifically:
- If you encounter any personal data or sensitive information in the course of your research, stop and notify our team immediately so we can investigate. Please report to us what data was accessed and delete the data. Do not save, copy, download, transfer, disclose, or otherwise use this data. Continuing to access others’ data or otherwise failing to adhere to this requirement will disqualify you from participating in the Program.
- If your research is designed to identify and demonstrate a vulnerability that could allow unauthorized access to personal data or sensitive information, make sure to take measures to minimize your access to or usage of such data to what is absolutely necessary to achieve those purposes (i.e., identification and demonstration of a vulnerability that could allow unauthorized access to personal data or sensitive information). For example, if you are injecting code into Bankful’s environment to test whether you could exfiltrate data from a Bankful database, limit the potential exfiltration to the first three rows and five columns of the table rather than the entire database.
- If, even after taking measures to minimize access to personal data or sensitive information, you ultimately end up encountering such data in the course of your research, follow the mitigation measures described above.
- Do not leverage the existence of a vulnerability or access to personal data or sensitive information to make threats or extortionate demands. Do not degrade, interrupt, or deny services to our users or take any actions that can affect the availability or integrity of Bankful’s systems and data (e.g., modifying or deleting data). If you notice service degradation or interruption, stop your research and notify us immediately.
- Do not incur loss of funds that are not your own.
- If you are performing research, use your own accounts to do so. Do not interact with other Bankful users’ accounts. See the “Creating Accounts for Vulnerability Research” section below for more detail.
- By reporting a vulnerability, you grant Bankful and its affiliates a perpetual, irrevocable, worldwide, royalty-free license to use, copy, adapt, develop, and create derivative work from, or share your submission for any purpose. You waive all claims, including breach of contract or implied-in-fact contract, arising out of your submission.
- By reporting a vulnerability, you also agree to allow HackerOne to share with Bankful information relating to your tax forms so that Bankful can perform compliance checks.
- You will be responsible for any tax implications related to any bounty payment you receive, as determined by the laws of your jurisdiction.
- Whether to provide a reward for your submission, the amount of the reward and your eligibility to participate in the Program are entirely at our discretion.
- We consider only the earliest, responsibly disclosed submission of a vulnerability instance with enough actionable information to identify the issue for a reward. All other reports for a given issue will not be eligible for a reward under our Program.
- Your research must not violate any applicable laws or regulations.
Excluded Vulnerabilities
The following are examples of vulnerabilities that fall outside the scope of the Bankful Bug Bounty Program:
- Account squatting by preventing users from registering with certain email addresses.
- Attacks requiring MITM (Man-in-the-Middle) or physical access to a user’s device.
- Best practice reports lacking a valid exploit, such as the use of “weak” TLS ciphers.
- Clickjacking on pages that don’t perform sensitive actions.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Content spoofing and text injection issues without showing an attack vector or without the ability to modify HTML/CSS.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms without sensitive actions.
- Denial of service attacks.
- Disclosure of server or software version numbers.
- Hypothetical subdomain takeovers without supporting evidence.
- Issues dependent on unlikely user interactions.
- Missing best practices in Content Security Policy.
- Missing best practices in SSL/TLS configuration.
- Missing email best practices (e.g., invalid, incomplete, or missing SPF/DKIM/DMARC records).
- Missing HttpOnly or Secure flags on cookies.
- Open redirects unless an additional security impact can be demonstrated.
- Perceived security weaknesses without concrete evidence of the ability to compromise a user (e.g., missing rate limits, headers, etc.).
- Previously known vulnerable libraries without a working Proof-of-Concept.
- Public Zero-day vulnerabilities that have had an official patch for less than 1 month (will be assessed on a case-by-case basis).
- Rate-limiting or brute-force issues on non-authentication endpoints.
- Reports exploiting the behavior of outdated browsers or vulnerabilities in outdated browsers.
- Reports of spam.
- Self-XSS (Self Cross-Site Scripting).
- Session invalidation or other improved security related to account management when a credential is already known (e.g., password reset link not immediately expiring, adding MFA not expiring other sessions, etc.).
- Social engineering attempts.
- Software version disclosure, banner identification issues, or descriptive error messages or headers (e.g., stack traces, application or server errors).
- Tabnabbing.
- URLs indexed by web crawlers or archivers (e.g., receipt URLs in Wayback).
- Unconfirmed reports from automated vulnerability scanners.
- Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).
Submission Review Process
After a submission is sent to Bankful, in accordance with the Rules of Engagement described above, Bankful engineers will review the submission and validate its eligibility for a reward. The review time could vary depending on the complexity and completeness of your submission, as well as on the number of submissions we receive.
As explained in the Rules of Engagement, Bankful retains sole discretion in determining which submissions are qualified for a reward. If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first eligible submission.
Other Notes on Submission Eligibility
- Please note that we do accept and reward submissions for valid cross-site scripting (XSS) vulnerabilities even if they are not accompanied by a bypass of our Content Security Policy (CSP). XSS vulnerabilities without a CSP bypass will be assessed at a lower severity level than those with a bypass.
- If submitting an XSS vulnerability without a CSP bypass, please demonstrate the impact by manually disabling the CSP in your web browser. This can be done via browser extensions or Burp/proxy match-and-replace rules.
- We will not consider reports concerning user role permissions for reward unless the report demonstrates a clear and obvious security risk or that a role can do something that is explicitly prohibited in our documentation. Availability of functionality to a role through the API but not the Dashboard UI will not be considered as a permission issue.
Bankful, in its sole discretion, determines whether a vulnerability could be exploited to enable fraudulent activity and qualifies for the bonus. As a reminder, you must use your own accounts to conduct any research and not interact with other Bankful users’ accounts. For further information, please refer to the “Rules of Engagement” section of our policy, or reach out to bugbounty@Bankful.com with any questions.
Disclosure
By participating in this program, you agree not to publicly or privately disclose the contents of your submission, your findings, your communications with Bankful related to your participation in the Program, or any facts you have learned about Bankful in the course of your participation in the Program to any third party without Bankful’s prior written approval. There are no exceptions.
Researcher Privacy
To protect your privacy, we will not, unless served with legal process or to address a violation of this policy:
- Share your personally identifiable information with third parties
- Share your research without your permission
- Share your participation without your permission
Accountability
Bankful reserves the right to disqualify you from participating in the Program if you violate the Rules of Engagement or other rules specified in this program policy, including the rules about disclosure.
Changes to the Terms
We may change the Terms at any time. Participating in the Program after the changes become effective means you agree to the new Terms. If you don’t agree to the Terms, you must not participate in the Program.
Contact
Feel free to submit any comments or questions about our program to bugbounty@bankful.com.