Note: This is a Responsible Disclosure Program. If you need Wells Fargo customer support, please visit Customer Service. If you are reporting fraud or phishing, please visit our Fraud Center.

Responsible Disclosure Program

Wells Fargo is proactively advancing our security to identify new threats and help ensure the safety of customer accounts and information.

Because threats to our corporate environment and customer assets are ever present, we also value the important role the security community plays in helping us mitigate information security risk.

If you have information about possible security vulnerabilities in any Wells Fargo product or service, please submit a report using these guidelines.

Guidelines

• Your report must meet all of HackerOne’s Vulnerability Disclosure Guidelines.

• When reporting vulnerabilities, consider (1) the attack scenario or exploitability, and (2) the security impact of the bug.

• Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.

• Provide details with reproducible steps in your report.

• Comply with applicable federal, state, local, and international laws in connection with your participation in this vulnerability disclosure program.

• We may modify the terms of this policy or terminate the policy at any time.

By Submitting a Report:

• You represent you are not located in or a resident of a country under United States sanctions, nor a person on, or working on behalf of a party identified on, any restricted party list maintained by the United States government.

• You consent to your information being stored and transferred to the United States and acknowledge you have read and accepted the terms of this policy and HackerOne’s Vulnerability Disclosure Guidelines.

• You agree not to disclose vulnerability details to anyone other than Wells Fargo without Wells Fargo’s written permission.

• You agree that any Wells Fargo information that you may encounter, view, acquire, or access, is owned by Wells Fargo or its customers, clients, or third party providers. You have no rights, title, or ownership in any such information.

• You agree that your research will be conducted for testing and research purposes only, and that you will not attempt to gain access to customer or user accounts or confidential information and will only interact with accounts you own.

• You understand that nothing in this agreement, including submission of a report, shall be deemed to constitute the grant to you of any license or other right to or in respect of any Wells Fargo or third-party product, service, patent, trademark, trade secret, or other intellectual property.

• You hereby grant Wells Fargo a perpetual, worldwide, exclusive, fully-paid-up license to sublicense, copy, distribute, display, perform, transmit, and publish the report.

Scope

Domains where Wells Fargo & Company is listed as the Registrant Organization, Admin Organization, or Tech Organization are in scope. Domains registered to Wells Fargo but hosted by a third party are out of scope. Not sure what’s in scope? Send an email to support[at]hackerone.com.

Vulnerabilities typically in scope include items from the OWASP Top 10 and vulnerabilities with a confirmed security impact.

We reserve the right to determine whether to accept a report. For example, we may not accept:

• A report on a vulnerability with little security impact or exploitability

• A vulnerability outside our control

• A vulnerability discoverable through automated scans that have not been verified manually

• A report of a vulnerability resulting from a violation of the program guidelines

Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program. These include:

• Clickjacking on pages with no sensitive actions

• Unauthenticated/logout/login CSRF

• Insecure Cookie Settings on non-sensitive cookies

• Bugs requiring inordinate amounts of user interaction or prior knowledge of user secrets such as session tokens or CSRF values

• Information regarding software versions or web server versions/banners where there is no evidence these versions are impacted by a security flaw

• Bugs affecting browsers or plugins that are not listed on our supported browsers page

• Attacks requiring MITM or physical access to a user's device

• Previously known vulnerable libraries without a working Proof of Concept

• Comma Separated Values (CSV) injection without demonstrating a vulnerability

• Missing best practices in SSL/TLS configuration

• Common Automated Tooling including Acunetix, Nessus, and Qualys should be avoided; however, use of Burp Suite and other custom tools are allowed

• Any activity that could lead to the disruption of our service (DoS)

• Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS

• Overly Permissive Google Maps API keys

• Avoid privacy violations, destruction of data, and interruption or degradation of our services

• Social engineering (e.g. phishing, vishing, smishing) is prohibited

*Missing SPF records.

• Do not test the physical security of Wells Fargo property

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.