PURSUIT OF INNOVATION.
Our Brand is about energy and passion. It’s about an obsession with Fighting On Together to be stronger and more powerful - to Always Connect. We believe in Thinking Beyond to invent, innovate, and Create Fearlessly. We believe in staying connected To Athletes and know that adversity even in the digital world can bring us together. We know that the world expects great things from Under Armour and that daring to lead means thinking beyond.
Our Brand Voice has always been simple and bold, as illustrated in our earliest commercial spot from 2003, rallying an entire generation of athletes to PROTECT THIS HOUSE.
We want to engage the security research community as partners & teammates to Stay True, protect our athletes, and protect their data. Doing so enables our Global Community of athletes to Celebrate their Goals within the largest digital health & fitness community in the world.
Under Armour Mission & Values
Bug Type | Original Priority Rating | Under Armour Priority Rating
--- | --- | ---
A1 – Injection – File Inclusion – Local | P1 | P3
A1 – Injection – XML External Entity Injection (XXE) | P1 | P2
A3 – Cross-Site Scripting (XSS) – Stored | P2 | P3
A5 – Security Misconfiguration – Misconfigured DNS – With POC (High Impact Subdomain Takeover) | P2 | P3
A5 – Security Misconfiguration – Misconfigured DNS – With POC (Basic Subdomain Takeover) | P3 | P4
A5 – Security Misconfiguration – Weak Password Policy – Complexity, Both Length and Char Type Not Enforced | P3 | P5
A5 – Security Misconfiguration – Lack of Password Confirmation – Change Email Address | P4 | P5
A5 – Security Misconfiguration – Lack of Password Confirmation – Change Password | P4 | P5
A5 – Security Misconfiguration – Lack of Password Confirmation – Delete Account | P4 | P5
A5 – Security Misconfiguration – Unsafe File Upload – No Antivirus | P4 | P5
A5 – Security Misconfiguration – Unsafe File Upload – No Size Limit | P4 | P5
A5 – Security Misconfiguration – Weak Password Policy – Complexity, Length Not Enforced | P4 | P5
A5 – Security Misconfiguration – Weak Password Policy – Complexity, Char Type Not Enforced | P4 | P5
A5 – Security Misconfiguration – Weak Reset Password Policy – Token is Not Invalidated After Use | P4 | P5
A5 – Security Misconfiguration – Captcha Bypass – Implementation Vulnerability | P4 | P5
A6 – Sensitive Data Exposure – EXIF Geolocation Data Not Stripped From Uploaded Images – Automatic User Enumeration | P3 | P5
A6 – Sensitive Data Exposure – EXIF Geolocation Data Not Stripped From Uploaded Images – Manual User Enumeration | P4 | P5
A7 – Missing Function Level Access Control – Username Enumeration – Data Leak | P4 | P5
A9 – Using Components with Known Vulnerabilities – Rosetta Flash – With POC | P4 | P5
B1 – Application-Level Denial-of-Service (DoS) – Low Impact and/or Medium Difficulty – Password Length DoS (Server-Side) | P4 | P5
M2 – Insecure Data Storage – Credentials Stored Unencrypted – On External Storage | Sensitive Data Only | 
M2 – Insecure Data Storage – Sensitive Application Data Stored Unencrypted – On External Storage | UA Definition | 
This program only awards points for VRT based submissions.
Target name | Type
--- | ---
<https://www.mapmyfitness.com> | Other
<https://www.mapmyrun.com> | Other
<https://www.mapmyride.com> | Other
<https://www.mapmywalk.com> | Other
<https://www.myfitnesspal.com> | Other
<https://record.underarmour.com/> | Other
mapmyfitness.api.ua.com | Other
api.myfitnesspal.com/v2/ | Other
UA Gemini Record Equipped running shoe that you own or have authorization to test | Other
UA HOVR Equipped running shoe that you own or have authorization to test | 
<https://www.endomondo.com/> | Website
Endomondo iOS | iOS
Endomondo Android | Android
MapMyFitness iOS | iOS
MapMyFitness Android | Android
MyFitnessPal iOS | iOS
MyFitnessPal Android | Android
UA Record iOS | iOS
UA Record Android | Android
UA Shop iOS | iOS
UA Shop Android | Android
<https://www.underarmour.com> | Website
<https://www.underarmour.co.uk> | Website
Any Under Armour domain/property not listed above is out of scope for this engagement.
Due to athlete & business needs, certain dates will be off-limits for active security testing. This list will be updated regularly, so please check before engaging in active testing.
Nov 09, 2018 to Nov 12, 2018
Nov 21, 2018 to Nov 27, 2018
Dec 22, 2018 to Jan 15, 2019
Researchers must sign up for test accounts using a bugcrowdninja.com e-mail address.
If additional accounts are necessary, self-signup using the pattern:
Our primary focus is our athletes and their data. As such,
The following types of security testing are strictly prohibited and out of scope:
Note: If you encounter user data leaks, we want to know, and will absolutely reward those defects. But once reported, we expect researchers to securely delete any data obtained in the process of testing & reporting those defects.
All Under Armour websites not listed above as targets are out of scope. These include, but are not limited to, the following categories & examples:
Rewards will be in the form of kudos. Valued contributions may be rewarded individually by UA.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
Contact us if you want more information.