FINRA is committed to maintaining secure applications and infrastructure as we strive to protect the data we handle. We wish to encourage security researchers to report vulnerabilities in order to help us keep our enterprise and data safe.

Note: This program does not offer rewards.

Response Targets

FINRA will make a best effort to meet the following response targets for security researchers participating in our VDP program:

| Type of Response | SLA in business days |

| ------------- | ------------- |

| First Response | 1 day |

| Time to Triage | 1 day |

| Time to Resolution | depends on severity and complexity |

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

• Please do not discuss this program or any vulnerabilities (even resolved items) outside of the program without express consent from FINRA.

• Follow HackerOne's disclosure guidelines.

• Provide FINRA at least 60 days to fix a reported issue. For any escalations please reach out via Hackerone platform and do not disclose the identified vulnerability details or expose any data publicly.

Program Rules

• Please provide detailed reports with reproducible steps, clear evidence (such as screenshots, video, or command lines).

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

• Only interact with accounts you own or with the explicit permission of the account holder.

• Do not engage in any activity that can potentially or actually cause harm to FINRA, our customers, or our staff.

• Do not engage in any activity that can potentially or actually stop or degrade FINRA services or assets.

• Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.

• You can perform lightweight automation but need to avoid functions like delete, email, submit case.

• Do not store, share, compromise or destroy FINRA or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and promptly contact FINRA. This step protects any potentially vulnerable data, and you.

By responsibly submitting your findings to FINRA in accordance with these guidelines FINRA agrees to provide you with safe harbor as provided below. FINRA reserves the right to revoke such safe harbor and enforces all legal rights in the event of noncompliance with these guidelines.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• Clickjacking on pages with no sensitive actions.

• Unauthenticated/logout/login CSRF.

• Attacks requiring MITM or physical access to a user's device.

• Previously known vulnerable libraries without a working Proof of Concept.

• Missing best practices in SSL/TLS configuration.

• Insufficient error handling

• Any activity that could lead to the disruption of our service (DoS).

• Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS

• File upload - unless an additional security impact can be demonstrated

• Known vulnerabilities: username enumeration, cookie scoped to parent domain

Thank you for helping keep FINRA and our users safe!