Curve is a UK based financial services company headquartered in London. The Curve platform allows you to simplify your finances, by centralising how you see, save, send, and spend it.
Curve looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe while banking with us.
For information around the on-boarding into the Curve Program, please see here: https://forms.gle/wQmYhGvfwN1hg2N79
You should not discuss this program or any vulnerabilities (even resolved ones) outside of the program without expressed consent from Curve.
Follow HackerOne's disclosure guidelines.
If you are able to identify a security vulnerability (e.g., executing an attack and gaining access to our systems, accounts, or any other type of sensitive data), we ask that you do not leak data or damage the integrity of our systems and immediately report the issue privately to us via this program. Specifically, this means you agree to the below points:
Welcome to the Curve Bug Bounty Program, great to have you onboard. There is some initial setup before you get started, we will try to make this as smooth as possible so you can get going.
Curve will make a best effort to meet the following SLAs for hackers participating in our program:
We’ll try to keep you informed about our progress throughout the process.
Eligibility is limited to the in-scope domains and applications listed at the bottom of this page. Valid vulnerabilities on any domain not explicitly listed as in scope will be accepted but are ineligible for a cash reward (eligible for other rewards). Note that bugs in third party components only qualify if we determine that they can be used to successfully exploit Curve. Researchers must be the first to identify and report a previously unknown vulnerability to be eligible for an award.
Vulnerability reports must be submitted to Curve via HackerOne.
Vulnerabilities found in third party apps integrating with the Curve API should be reported to the responsible developer. You should only report vulnerabilities found in third party apps to Curve under this program if you do not receive a satisfactory response from the responsible developer. Vulnerabilities in third party apps are not eligible for cash rewards, but we do appreciate being made aware of them.
The following types of vulnerabilities are not eligible under this program:
If you have any questions about the rules and scope of the bounty program, you can email us at email@example.com.
Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. You agree to provide your contact information to Curve or for HackerOne to exchange such information with us, should we ask for it.
Thank you for helping keep Curve and our users safe!
|Scope Type||Scope Name|
This program crawled on the 2020-01-21 is sorted as bounty.