Go to https://login.enter.financial/#/app/register __to register!
Go to https://login.sandbox.enter.financial/#/app/register __to register on the sandbox!

Enter recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.

We suggest using the sandbox to test functionality as it uses fake credit cards and fully approved user accounts.

Responsible disclosure includes:

• Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
• Making a good faith effort to not leak or destroy any user data.
• Not defrauding Enter users or Enter itself in the process of discovery.

In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.

Eligibility
Enter reserves the right to decide if the minimum severity threshold is met and whether it was previously reported.

Please report anything which has the potential for financial loss or data breach is of sufficient severity on:

• https://wallet.enter.financial __
• https://wallet.sandbox.enter.financial __
• https://api.enter.financial __(Documentation at https://docs.enter.financial/ __)
• https://api.sandbox.enter.financial __(Documentation at https://docs.enter.financial/ __)
• https://checkout.enter.financial/ __
• https://checkout.sandbox.enter.financial/ __
• https://login.enter.financial __
• https://login.sandbox.enter.financial __

In general, the following would not meet the threshold for severity:

• Absolutely no automated test results should be submitted.
• Vulnerabilities on sites hosted by third parties (blog.romit.io, docs.enter.financial, analytics, etc) unless they lead to a vulnerability on the main website
• The marketing webpage (http://enter.financial/ __)
• Denial of service
• SPF records
• Vulnerabilities in third party applications which make use of the Enter API
• Issues, particularly man-in-the-middle attacks, surrounding one time use csrf tokens and regeneration of session ids.
• Password complexity
• Attacks requiring physical access to the victim's machine
• Clickjacking attacks likely won't meet the threshold for severity since we require framing of certain sections of our site

Rewards
The minimum payout is $250 for reporting a previously unknown security vulnerability of sufficient severity with possibility for direct exploitation. There is no maximum reward, and we may award higher amounts based on severity or creativity of the vulnerability found. We may reward $25 - $50 in cases where our security is adjusted for better defense in depth, but no direct exploitation is possible.

Thank you for helping keep our community safe!