We work hard to keep You Need a Budget secure, and make every effort to keep on top of the latest threats by working with security researchers and companies. If you think we've made a security mistake or have a vulnerability, please tell us right away. If you're the first to alert us and it leads to us making a change, we'll pay you a reward.
(Actually, we hope you can't find any of this, but you know what we mean.)
The objective is to discover vulnerabilities in our web application and API.
Of particular interest are:
We classify all submissions based on Bugcrowd's Vulnerability Rating Taxonomy. P1s are scary, and we pay the maximum for those. On the other hand, P5s are considered "recommended practices", and we intentionally don't follow all recommendations. However, if you submit a P5 and we change our code as a result of your submission, it will be bumped to a P4 and paid out.
Note: Please don't pretend your issue is more severe than it is when describing it. It will lead to lost trust and higher frustration, but it never leads to higher payouts!
Last updated 19 Jul 2019 19:39:32 UTC
| Technical severity | Reward range |
| --- | --- |
| P1 Critical | $2,100 - $2,100 |
| P2 Severe | $1,350 - $1,350 |
| P3 Moderate | $800 - $800 |
| P4 Low | $250 - $250 |
P5 submissions do not receive any rewards for this program.
| Target name | Type |
| --- | --- |
| <https://staging-app.youneedabudget.com/> | Website |
| Other youneedabudget.com domains not listed | Website |
| Target name | Type |
| --- | --- |
| <https://support.youneedabudget.com> | Website |
| <https://app.youneedabudget.com/> | Website |
| <https://docs.youneedabudget.com/> | Website |
| <https://forum.youneedabudget.com/> | Website |
| Any previous version of the desktop apps: YNAB 4, YNAB 3, YNAB Pro, YNAB Basic (Spreadsheet) | Other |
Any host verified to be owned by You Need a Budget is in scope [as of August 1st, 2017 2:00 PM PDT], except for the above and below out-of-scope exceptions:
Web app and API (Staging)
This is both our Single Page Application and our private API endpoint, and both are targets. You will see the API endpoint being used when you fire up the app in your browser. Note that our native mobile applications are not currently in scope, but the API endpoints they call, and the way they use the API, are in scope. In other words, if you find they are using an API endpoint that is insecure, or can be abused in some way, that is in scope.
This is a WordPress-hosted site. It's not high risk, since we don't store much information there and it is separate from our app, but findings are still appreciated.
2FA Sign in
YNAB is very interested in getting testing on this new feature and is offering a $500 bonus for the first P1 submitted against the 2FA feature.
Any other host verified to be owned by You Need a Budget, like *.youneedabudget.com, is in scope except for those noted above.
Bugcrowd's standard disclosure terms always apply.
Here are some of our favorite rules:
1: Do NOT mess with accounts you don't control. You can create multiple testing accounts if you need to test information leakage between them.
2: Do NOT run aggressive automated scans. They're noisy and look a heck of a lot like a real attack. You run the risk of being locked out of our systems.
3: Do NOT DoS or DDoS us.
4: Do NOT try to break into our offices or perform social engineering on our employees.
5: Do NOT mess with our customers.
The following issues won't be considered for a bounty:
The following are known or are considered by design:
email@example.com. If you need to sign up for another account, you can do so with
firstname.lastname@example.org, and so on. Please don't create more accounts than you truly need. We recommend 2 accounts per researcher. When those trials run out, you can create two more.
When conducting vulnerability research according to this policy, we consider this research to be:
Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy;
Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This bounty requires explicit permission to disclose the results of a
This program does not allow for pivoting via the use/exploitation of issues found during testing.
On this program you get up to $2,100 for the most critical vulnerability.