Our Mission:
Our Brand is about energy and passion. It’s about an obsession with Fighting On Together* to be stronger and more powerful - to Always Connect. We believe in Thinking Beyond to invent, innovate, and Create Fearlessly. We believe in staying connected To Athletes and know that adversity even in the digital world can bring us together. We know that the world expects great things from Under Armour and that daring to lead means thinking beyond. Our Brand Voice has always been simple and bold, as illustrated in our earliest commercial spot from 2003, rallying an entire generation of athletes to PROTECT THIS HOUSE***.
Under Armour Mission & Values
We want to engage the security research community as partners & teammates to Stay True, protect our athletes, and protect their data. Doing so enables our Global Community of athletes to Celebrate their Goals within the largest digital health & fitness community in the world.
Bug Type | Original Priority Rating | Under Armour Priority Rating |
---|---|---|
A1 – Injection – File Inclusion – Local | P1 | P3 |
A1 - Injection – XML External Entity Injection (XXE) | P1 | P2 |
A3 - Cross-Site Scripting (XSS) – Stored | P2 | P3 |
A5 – Security Misconfiguration – Misconfigured DNS – With POC (High Impact Subdomain Takeover) | P2 | P3 |
A5 – Security Misconfiguration – Misconfigured DNS – With POC (Basic Subdomain Takeover) | P3 | P4 |
A5 – Security Misconfiguration – Weak Password Policy – Complexity, Both Length and Char Type Not Enforced | P3 | P5 |
A5 – Security Misconfiguration – Lack of Password Confirmation - Change Email Address | P4 | P5 |
A5 – Security Misconfiguration – Lack of Password Confirmation - Change Password | P4 | P5 |
A5 – Security Misconfiguration – Lack of Password Confirmation - Delete Account | P4 | P5 |
A5 – Security Misconfiguration – Unsafe File Upload – No Antivirus | P4 | P5 |
A5 – Security Misconfiguration – Unsafe File Upload – No Size Limit | P4 | P5 |
A5 – Security Misconfiguration – Weak Password Policy – Complexity, Length Not Enforced | P4 | P5 |
A5 – Security Misconfiguration – Weak Password Policy – Complexity, Char Type Not Enforced | P4 | P5 |
A5 – Security Misconfiguration – Weak Reset Password Policy – Token is Not Invalidated After Use | P4 | P5 |
A5 – Security Misconfiguration – Captcha Bypass – Implementation Vulnerability | P4 | P5 |
A6 – Sensitive Data Exposure – EXIF Geolocation Data Not Stripped From Uploaded Images – Automatic User Enumeration | P3 | P5 |
A6 – Sensitive Data Exposure – EXIF Geolocation Data Not Stripped From Uploaded Images – Manual User Enumeration | P4 | P5 |
A7 – Missing Function Level Access Control – Username Enumeration – Data Leak | P4 | P5 |
A9 – Using Components with Known Vulnerabilities – Rosetta Flash – With POC | P4 | P5 |
A10 – Sensitive Data Exposure – Private API Keys – No POC | P1 | P5 |
B1 – Application-Level Denial-of-Service (DoS) – Low Impact and/or Medium Difficulty – Password Length DoS (Server-Side) | P4 | P5 |
M2 – Insecure Data Storage – Credentials Stored Unencrypted - On External Storage | *Sensitive Data Only | |
M2 – Insecure Data Storage – Sensitive Application Data Stored Unencrypted – On External Storage | *UA Definition | |
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.
Scope Type | Scope Name |
---|---|
android_application | MapMyFitness Android |
android_application | UA Shop Android |
ios_application | MapMyFitness iOS |
ios_application | UA Shop iOS |
undefined | UA HOVR Equipped running shoe that you own or have authorization to test |
web_application | https://www.mapmyfitness.com |
web_application | https://www.mapmyrun.com |
web_application | https://www.mapmyride.com |
web_application | https://www.mapmywalk.com |
web_application | mapmyfitness.api.ua.com |
web_application | https://www.underarmour.com |
web_application | https://www.underarmour.co.uk |
This program was crawled by Firebounty on 2018-05-29 and updated on 2019-08-23; 396 reports have been received so far.
FireBounty © 2015-2024