Banner object (1)

5306 policies in database
  Back Link to program      
Blend logo
Hall of Fame


The Blend platform makes it easy for borrowers to apply for a mortgage from any desktop, tablet, or mobile device. Also, lenders can work in parallel and follow up instantly with additional requests and information.

Since the Blend platform must collect, manage, and protect sensitive user data, such as PII and imported bank account data, we strive to ensure that the platform is as secure as possible. As such, we value (and reward) the responsible disclosure of any vulnerabilities to us.

For the initial prioritization/rating of findings, this program will use theBugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

This program only awards points for VRT based submissions.


In scope

Target name | Type
<> | Website Testing
<> | Website Testing

Out of scope

Target name | Type
<> | API Testing
<> | Website Testing

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Blend not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to before submitting it.

Background Information

The Blend platform is composed of an AngularJS/Express.js front-end and several Express.js microservices connected to various backend databases. The AngularJS/Express.js front-end contains a lender view, which allows lenders to manage loans in the system, and a borrower view, which allows borrowers to complete a mortgage loan application. Lender accounts can only be created by an authorized Admin, but borrower accounts can either be created through self- registration or an invitation email.

This program has been known to generate a large number of emails - please take a moment to set up a filter that will likely help in mitigating the noise created by these messages. Please visit if you need help with this.

Focus Areas

All of the following issues especially if originating from a borrower account (e.g. privilege escalation to a lender from a borrower account, another borrower's sensitive user data from a borrower account, etc.) are of particular interest to us.

  • Authentication bypass
    • Vertical (e.g. obtain lender privilege from borrower account or admin privilege from lender account)
    • Horizontal (e.g. obtain other borrower sessions from one borrower session or lender-lender)
  • Sensitive data exposure (unauthorized disclosure of loan information or other sensitive user data)
  • “root” access to the underlying server(s)
  • Multitenancy exploits
    • Multiple tenants exist within the pentest environment
    • Exposing data or access from one tenant to another

Out of Scope

  • Brute-force DDoS

Security Findings vs. Intended Functionality

The relationship between a lender and a borrower is unique in that lenders are privy to a great deal of sensitive financial information relating to a borrower. Furthermore, lenders within a single organization may need access to the data of the borrowers under other lenders within the same organization. What might initially appear to be a security finding of inappropriate data disclosure may actually be intended functionality when it comes to a lender’s access of borrower data.


  • Create a borrower account by going to the target and clicking Sign Up.
  • Create a lender account using the provided email credentials and triggering a forgot password flow. Note that lender accounts can only be created with email addresses in the domain (e.g.
  • The Blend platform allows you to connect to third-party bank accounts. Use these credentials to test the behavior.
    • Bank account credentials (Please select Bank of America):
    • user/pass: blend_test
    • Two Factor Auth: 1234
    • SSN:
    • any 9-digit number.


Scanning is not permitted since the Blend platform is hosted behind an AWS ELB (AWS policy).

Extra Notes

The "Receives notifications about unassigned loans" role option will generate a lot of email towards any user with that role assigned. If you are interested in testing the functionality of this option, enable the option for a non-Admin role (preferably a newly created role) and assign a user/email address to that role.

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

Learn more about Bugcrowd’s VRT.

In Scope

Scope Type Scope Name


Out of Scope

Scope Type Scope Name


This program crawled on the 2019-11-06 is sorted as bounty.

FireBounty © 2015-2020

Legal notices