2020-08-10
Affirm

Introduction

Affirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. The following Affirm subsidiaries are also managed through this program: Returnly.

Response Times

Affirm will make a best effort to meet our response targets for hackers participating in our program, and we will try to keep you informed about our progress throughout the process.

Disclosure Policy

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Do not perform testing on Affirm employee accounts and internal tools.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.

  • Only interact with accounts you own or with explicit permission of the account holder.

Program Scope

  • Web application at https://hackerone.affirm-odin.com

  • Web application at https://dashboard.dev.return.ly & https://TEST-STORE-SUBDOMAIN.dev.return.ly

  • iOS application at Crashlytics: com.affirm.internal.hackerone

  • Android application at Google Play Store: com.affirm.central.audit

Out of Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Brute force exploits.

  • Clickjacking of any kind. It is improperly configured on our test site, but our main domain has an X-Frame-Options header set.

  • Missing security cookie attributes (secure, httponly, and samesite).

  • Unauthenticated/logout/login CSRF.

  • Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).

  • Attacks requiring MITM or physical access to a user's device.

  • Previously known vulnerable libraries without a working Proof of Concept.

  • Missing best practices in SSL/TLS configuration.

  • Any activity that could lead to the disruption of our service (DoS).

  • Absence of rate limiting.

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.

  • Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.

  • User enumeration of any kind (email ownership and timing attack).

  • Improper error handling unless proven in the production environment.

  • Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) related findings.

  • Open redirection at /redirect endpoint with redirect parameter and at /apps/affiliate/v1/generate-url endpoint with merchant_fallback_url parameter.

  • (mobile) Lack of certificate pinning. The test apps are built specifically for the testing environment, therefore there is no certificate pinning.

  • Missing client-side check on the virtual card loan amount (must be greater than $100 and less than $10000).

  • (mobile) Local access to user data when operating a rooted mobile device.

  • (mobile) Attacks that require physical access to or modification of the mobile device are not in scope.

Affirm Testing Environment

iOS

The Affirm testing iOS app built for HackerOne is distributed through Crashlytics.

  1. Download the testing iOS application by going to https://appdistribution.firebase.dev/i/07fb2924d6938db2.

  2. Use your iOS device to visit that link and initiate the download process. Please note that the testing app is distributed through Firebase, and you have to install the Firebase and Affirm profiles on your testing iOS device.

Android

The Affirm Android testing app built for HackerOne is distributed through Google Play Store.

  1. Download the testing Android application by joining the affirmhackerone Google Group (https://groups.google.com/forum/#!forum/affirmhackerone).

  2. This Group is open to the public, and once you join you can go to https://play.google.com/apps/testing/com.affirm.central.audit to initiate the download process. (The app is only available in the US region of Google Play. If the account you are using is not in the US region, we recommend registering a new account for this testing, since Google only allows switching the region of an account once per year.)

To register an Affirm test user

  • Go to https://hackerone.affirm-odin.com/ or the mobile application and, under “Sign Up”, enter the following information:

    • First Name (any value, letters only)

    • Last Name (any value, letters only)

    • Email address (any value, email format required)

    • Phone number (any value, but please REMEMBER it for login)

    • Date of birth (older than 18 please)

    • Last 4 digits of SSN (any value between 9500 and 9850; the last 3 digits of the number set the FICO credit score of the testing account)

  • Click “Create Account” to finish.

To leverage an Affirm test user

  • Hit "login" in the web or mobile application.

  • Enter the phone number you registered (the test site will NOT send an SMS; instead, use the hardcoded PIN code shown below).

  • In the next step, use “1234” as the verification code and click “Verify”.

To use the testing checkout sites:

You can go to the following URLs to simulate a checkout using the Affirm app.

  • Direct point-of-sale: https://direct-hackerone.affirm-odin.com/

  • Virtual card: https://vcn-hackerone.affirm-odin.com/

To use testing payments

If you don't have a valid testing payment method, you can use the following test payments.

Testing credit card numbers

| Issuer           | Number              |
|------------------|---------------------|
| Visa             | 4242 4242 4242 4242 |
| Master Card      | 5555 5555 5555 4444 |
| American Express | 3782 822463 10005   |

Testing ACH

| Routing Number   | Account Number      |
|------------------|---------------------|
| 112200439        | 12345678            |

Note that https://direct-hackerone.affirm-odin.com/ and https://vcn-hackerone.affirm-odin.com/ are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and have no security controls attached to them. They are out of scope for bounties.

Scheduled maintenance window

Twice every week, on Mondays and Thursdays, the above-mentioned test sites go through a maintenance period lasting about 30 minutes starting at 16:00 UTC. (NOTE: User data in the app from before the maintenance period won't persist once it completes.)

Returnly Testing Environment

  1. Create a Shopify development store: https://help.shopify.com/en/partners/dashboard/managing-stores/development-stores

  2. Once you have the store, install the Returnly test application by going to http://dashboard.dev.return.ly/auth/shopify?shop=TEST-STORE-SUBDOMAIN.myshopify.com (replace TEST-STORE-SUBDOMAIN with your Shopify store subdomain).

  3. Complete the merchant onboarding flow, and pick a subdomain for your Return Center.

  4. Create test orders and mark them as fulfilled.

  5. Initiate a return for that product by going to https://TEST-STORE-SUBDOMAIN.dev.return.ly

Thank you for helping keep Affirm and our users safe!

In Scope

| Scope Type          | Scope Name                                |
|---------------------|-------------------------------------------|
| android_application | com.affirm.central.audit                  |
| web_application     | com.affirm.internal.hackerone             |
| web_application     | https://direct-hackerone.affirm-odin.com/ |
| web_application     | https://vcn-hackerone.affirm-odin.com/    |
| web_application     | https://hackerone.affirm-odin.com         |
| web_application     | https://dashboard.dev.return.ly           |
| web_application     | https://TEST-STORE-SUBDOMAIN.dev.return.ly |

Out of Scope

| Scope Type          | Scope Name                                |
|---------------------|-------------------------------------------|
| web_application     | *.affirm.com                              |
| web_application     | *.return.ly                               |

This program was found on HackerOne on 2020-08-10.
