FINRA is committed to maintaining secure applications and infrastructure as we
strive to protect the data we handle. We wish to encourage security
researchers to report vulnerabilities in order to help us keep our enterprise
and data safe.
Note: This program does not offer rewards.
FINRA will make a best effort to meet the following response targets for
security researchers participating in our VDP program:
Type of Response | SLA in business days
First Response | 1 day
Time to Triage | 1 day
Time to Resolution | depends on severity and complexity
We’ll try to keep you informed about our progress throughout the process.
- Please do not discuss this program or any vulnerabilities (even resolved items) outside of the program without express consent from FINRA.
- Follow HackerOne's disclosure guidelines.
- Provide FINRA at least 60 days to fix a reported issue. For any escalations, please reach out via the HackerOne platform, and do not disclose the identified vulnerability details or expose any data publicly.
- Please provide detailed reports with reproducible steps and clear evidence (such as screenshots, video, or command lines).
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Only interact with accounts you own or with the explicit permission of the account holder.
- Do not engage in any activity that can potentially or actually cause harm to FINRA, our customers, or our staff.
- Do not engage in any activity that can potentially or actually stop or degrade FINRA services or assets.
- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
- You may perform lightweight automated testing, but avoid functions such as delete, email, or submit case.
- Do not store, share, compromise or destroy FINRA or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and promptly contact FINRA. This step protects any potentially vulnerable data, and you.
By responsibly submitting your findings to FINRA in accordance with these
guidelines, FINRA agrees to provide you with safe harbor as described below.
FINRA reserves the right to revoke such safe harbor and to enforce all legal
rights in the event of noncompliance with these guidelines.
Any activities conducted in a manner consistent with this policy will be
considered authorized conduct and we will not initiate legal action against
you. If legal action is initiated by a third party against you in connection
with activities conducted under this policy, we will take steps to make it
known that your actions were conducted in compliance with this policy.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack
scenario/exploitability, and (2) security impact of the bug. The following
issues are considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Missing best practices in SSL/TLS configuration.
- Insufficient error handling.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS.
- File upload, unless an additional security impact can be demonstrated.
- Known issues: username enumeration and cookies scoped to the parent domain.
Thank you for helping keep FINRA and our users safe!
This program was found on HackerOne on 2020-07-21.