

100 $ 


USAA appreciates and supports engagement with the security community when potential security vulnerabilities in our digital assets are reported to us in accordance with the Responsible Disclosure policy.


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.

Reward Range

Last updated 2 Oct 2018 20:08:36 UTC

Technical severity | Reward range
---|---
P1 Critical | $1,500 - $3,000
P2 Severe | $900 - $1,800
P3 Moderate | $250 - $400
P4 Low | $100 - $100

P5 submissions do not receive any rewards for this program.


In scope

Target name | Type
---|---
 | Website
USAA Mobile Application for Android | Android
USAA Mobile Application for iOS | iOS
 | Other
 | Website

Any domain/property of USAA not listed in the targets section is out of scope. This includes any/all subdomains not specifically listed.


iOS : Here
Android : Here


Please create your own accounts on our main site for testing. Identity is not immediately validated, but response values are checked to ensure they are in a valid range.


  • Please follow Bugcrowd Standard Disclosure Terms
  • Do not make any attempts to phish members or employees.
  • Submit detailed reproduction steps. Reports based only on automated tool/scanner results or which describe theoretical attack vectors without proof of exploitability will not be accepted.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • USAA employees, USAA contractors, or USAA suppliers or any persons related to or otherwise affiliated with USAA employees or contractors or suppliers may not submit to this program.
  • Note: Excessive scan traffic may result in automated blocking.

Focus Areas:

  • Authentication mechanisms
  • Privilege escalation (horizontal or vertical)
  • SQL or command injection
  • Cross-site scripting
  • Remote Code Execution
  • Cross-Site Request Forgery
  • Information Disclosure
  • Security Decisions via Untrusted Inputs


  • Out-of-Scope Testing

    • Vulnerabilities in USAA partner sites, or 3rd party sites
    • Spam or social engineering techniques.
    • Physical attacks against USAA offices, data centers, and Financial Centers.

  • Out-of-Scope Vulnerabilities/Best Practices

    • Denial-of-Service Vulnerabilities
    • Brute Force Vulnerabilities
    • Unvalidated Redirects
    • Anything requiring old browsers/old plugins/end-of-life software browsers
    • Vulnerabilities which require physical access to a user's device
    • Non-sensitive information available via our Content Delivery Network or on USAA Member Community sites.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.


This program was crawled on 2018-09-06 and is sorted as bounty.

FireBounty © 2015-2019
