USAA appreciates and supports engagement with the security community when potential security vulnerabilities in our digital assets are reported to us in accordance with the Responsible Disclosure policy.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
Last updated 2 October 2018 20:08:36 UTC
Technical severity | Reward range
P1 Critical | $1,500 - $3,000
P2 Severe | $900 - $1,800
P3 Moderate | $250 - $400
P4 Low | $100 - $100
P5 submissions do not receive any rewards for this program.
Target name | Type
mobile.usaa.com | Website
USAA Mobile Application for Android | Android
USAA Mobile Application for iOS | iOS
partners.usaa.com | Other
www.usaa.com | Website
Any domain/property of USAA not listed in the targets section is out of scope. This includes any/all subdomains not specifically listed.
Please create your own accounts on our main site for testing. Identity is not immediately validated, but response values are checked to ensure they are in a valid range.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.