Credit Karma is a personal finance technology company with more than 85 million members in the United States and Canada, including almost half of all millennials. The company offers a suite of products for members to monitor and improve credit health and provides identity monitoring and auto insurance estimates. Since 2007, we have been knocking down barriers that block the path to financial health, helping our members make informed choices and feel confident about their opportunities.

Response Targets

Credit Karma will make a best effort to meet the following response targets for hackers participating in our program:

• Time to first response (from report submit) - 2 business days

• Time to triage (from report submit) - 3 business days

• Time to bounty (from triage) - 5 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

• No reports will be disclosed under the Credit Karma public program. Please do not discuss any reports (even resolved ones) with anyone.

• Follow HackerOne's disclosure guidelines.

Researcher Accounts

• For tax.creditkarma.com, the phone number used to verify your test account is (111) 111-1111 and OTP is all 1's (111111)

• Please use the claim credentials feature in order to receive your test account.

• You will be provided with two sets of credentials, we cannot provide more at this time.

• It is important that you do not change the email address associated with your test account.

• Test accounts contain the full feature set which is available to consumers on our site.

• Please add the following User Agent during the course of your testing: UA-BugBounty

Program Rules

• Please add the following User Agent during the course of your testing: UA-BugBounty

• Do not perform testing that involves Recurring and/or scheduled scans on our platform.

• Do not perform testing that involves enumerating and/or Brute Forcing Login and/or Registration.

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

• Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

• Do not perform testing on any of our partners (banks, credit card companies, loan companies, etc). Any such activity may result in removal from our program.

Our Focus

Focus on Auth, Session, Horizontal privilege escalation and Critically Sensitive data exposure. We consider these type of findings as Critical findings

Rewards

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and that reward decisions are up to the discretion of Credit Karma.

Out of scope vulnerabilities

The following issues are considered out of scope:

• Login and Registration Enumeration

• Miscalculation including miscalculated Tax Returns, etc.

• IRS or other external entities, including our partners.

• Any vulnerabilities found on subdomains or properties not explicitly listed in scope.

• DoS or DDoS attacks.

Web App OOS

• Enumerating and/or Brute Forcing Login and/or Registration.

• Clickjacking on pages with no sensitive actions.

• Unauthenticated/logout/login CSRF.

• Attacks requiring MITM or physical access to a user's device.

• Previously known vulnerable libraries without a working Proof of Concept.

• Comma Separated Values (CSV) injection without demonstrating a vulnerability.

• Missing best practices in SSL/TLS configuration.

• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.

• Issues that are a result of pivoting - the only proof of initial foothold is necessary.

• Support tickets (zendesk.creditkarma.com and help.creditkarma.com).

• Spam (including issues related to SPF/DKIM/DMARC).

• HTTP 404 codes/pages or other HTTP non-200 codes/pages.

• Fingerprinting/banner disclosure on common/public services.

• Disclosure of known public files or directories, (e.g. robots.txt).

• CSRF in forms that are available to anonymous users (e.g. the contact form).

• Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.

• Reports About Weak Password Policy.

• Lack of Secure/HTTPOnly flags on non-sensitive Cookies.

• Lack of Security Speedbump when leaving the site.

• Lack of Captcha/reCaptcha.

• Lack of 2-factor authentication.

• OPTIONS HTTP method enabled.

• HTTPS Mixed Content Scripts.

• SSL/TLS scan reports (this means output from sites such as SSL Labs).

• Open ports without an accompanying proof-of-concept demonstrating vulnerability.

• Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console).

• XMLRPC related brute-force/enumeration/DDoS Attacks

Mobile App OOS

• Enumerating and/or Brute Forcing Login and/or Registration.

• Attacks requiring physical access to a user's device.

• Lack of Exploit mitigations ie PIE, ARC, or Stack Canaries.

• Path disclosure in the binary.

• Lack of jailbreak detection.

• Lack of binary protection (anti-debugging) controls.

• Lack of root detection.

• Lack of obfuscation

• Lack of binary protection

• OAuth "app secret" hard-coded/recoverable in apk.

• Crashes due to malformed URL Schemes.

• Snapshot/Pasteboard leakage.

• Runtime hacking exploits (exploits only possible in a jailbroken environment).

• User data stored unencrypted on the file system on rooted devices.

• Reports from static analysis of the binary without an accompanying PoC that exploits some business logic or security control.

• Bypass certificate pinning on rooted devices.

• Sensitive information retained as plaintext in the device’s memory.

• Shared links leaked through the system clipboard.

• Any URIs leaked because a malicious app has permission to view URIs opened.

• Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope).

• Vulnerabilities found in a Credit Karma application that was not acquired from Credit Karma’s official Play store account.

• OAuth "app secret" hard-coded/recoverable in apk.

• Sensitive data retrieved as plaintext from disk on rooted devices.

• Reports from static analysis of the binary without an accompanying PoC that exploits some business logic or security control.

Note, we will accept reports on the following issues, but they are not eligible for bounty and will likely not be remediated in the short-term:

• Open Redirect GET-Based

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Credit Karma and our users safe!