
Reward: $100

USAA

USAA appreciates and supports engagement with the security community when potential security vulnerabilities in our digital assets are reported to us in accordance with our Responsible Disclosure policy.


Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.

Reward Range

Last updated 30 August 2018 22:56:00 UTC

Technical severity | Reward range
---|---
P1 Critical | $1,500 - $3,000
P2 Severe | $900 - $1,800
P3 Moderate | $250 - $400
P4 Low | $100 - $100

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name | Type
---|---
mobile.usaa.com | Website
USAA Mobile Application for Android | Android
USAA Mobile Application for iOS | iOS
partners.usaa.com | Other
www.usaa.com | Website

Any domain/property of USAA not listed in the targets section is out of scope. This includes any/all subdomains not specifically listed.


Access:

iOS: Here
Android: Here

Credentials:

Please create your own accounts on our main site for testing. Identity is not immediately validated, but response values are checked to ensure they are in a valid range.

Rules:

  • Please follow the Bugcrowd Standard Disclosure Terms.
  • Do not make any attempts to phish members or employees.
  • Submit detailed reproduction steps. Reports based only on automated tool/scanner results or which describe theoretical attack vectors without proof of exploitability will not be accepted.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • USAA employees, USAA contractors, or USAA suppliers or any persons related to or otherwise affiliated with USAA employees or contractors or suppliers may not submit to this program.
  • Note: Excessive scan traffic may result in automated blocking.

Focus Areas:

  • Authentication mechanisms
  • Privilege escalation (horizontal or vertical)
  • SQL or command injection
  • Cross-site scripting
  • Remote Code Execution
  • Cross-Site Request Forgery
  • Information Disclosure
  • Security Decisions via Untrusted Inputs

Out-of-Scope:

  • Out-of-Scope Testing

    • Vulnerabilities in USAA partner sites, or 3rd party sites
    • Spam or social engineering techniques.
    • Physical attacks against USAA offices, data centers, and Financial Centers.

  • Out-of-Scope Vulnerabilities/Best Practices

    • Denial-of-Service Vulnerabilities
    • Brute Force Vulnerabilities
    • Unvalidated Redirects
    • Anything requiring old browsers/old plugins/end-of-life software browsers
    • Vulnerabilities which require physical access to a user's device
    • Non-sensitive information available via our Content Delivery Network or on USAA Member Community sites.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.




FireBounty (c) 2015-2018