Banner object (1)

Hack and Take the Cash !

822 bounties in database
  Back Link to program      
25/04/2019
Capital One logo
Thanks
Gift
Hall of Fame
Reward

Capital One

Responsible Disclosure

Capital One is committed to maintaining the security of our systems and our customers’ information. We appreciate and encourage security researchers to contact us to report potential vulnerabilities identified in any product, system, or asset belonging to Capital One.

If you believe you have identified a potential security vulnerability, please submit it pursuant to our Responsible Disclosure Program. Thank you in advance for your submission, we appreciate researchers assisting us in our security efforts. Please note, Capital One does not operate a public bug bounty program and we make no offer of reward or compensation in exchange for submitting potential issues.

Responsible Disclosure Program Guidelines

Researchers shall disclose potential vulnerabilities in accordance with the following guidelines:

  • Do not engage in any activity that can potentially or actually cause harm to Capital One, our customers, or our employees.
  • Do not engage in any activity that can potentially or actually stop or degrade Capital One services or assets.
  • Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
  • No automated scanning or testing.
  • Do not store, share, compromise or destroy Capital One or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Capital One. This step protects any potentially vulnerable data, and you.
  • Do not initiate a fraudulent financial transaction.
  • Provide Capital One reasonable time to fix any reported issue, before such information is shared with a third party or disclosed publicly.

By responsibly submitting your findings to Capital One in accordance with these guidelines Capital One agrees not to pursue legal action against you. Capital One reserves all legal rights in the event of noncompliance with these guidelines.

Once a report is submitted, Capital One commits to provide prompt acknowledgement of receipt of all reports (within two business days of submission) and will keep you reasonably informed of the status of any validated vulnerability that you report through this program.

Submission Format

When reporting a potential vulnerability, please include a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery (screen captures welcome).

Scope

We have listed the assets in scope for this program, however, if you have found a potential vulnerability (excluding the out of scope vulnerabilities listed below) on any product, system or asset you believe belongs to Capital One, please submit it through this program as we would like to hear about it.

Out of Scope Vulnerabilities

Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program.
Out-of-scope vulnerabilities include:

  • Physical Testing
  • Social Engineering. For example, attempts to steal cookies, fake login pages to collect credentials
  • Phishing
  • Denial of service attacks
  • Resource Exhaustion Attacks
  • Clickjacking on pages with no sensitive actions

Please also note that Capital One employs third party vendors and some subdomains may be managed by third parties. Security issues found in third- party assets which are not managed by Capital One are considered out of scope and should be reported to the affected party directly. When issues reported to the Capital One program originate in a different vendor's service, Capital One reserves the right to forward submissions to the affected party without further discussion. Please be sure to check our publicly published IP ranges and conduct all necessary due diligence to determine ownership of an asset prior to testing.

In Scope

Scope Type Scope Name
ios_application

1450441660

ios_application

907613256

ios_application

1291519134

ios_application

1109537081

ios_application

414607046

ios_application

80821547

ios_application

1008234539

ios_application

407558537

ios_application

481679012

ios_application

1380744689

web_application

*.wikibuy.com

web_application

*.capitalone360.com

web_application

*.paribus.co

web_application

*.capitalone.com

web_application

*.capitalone.ca

web_application

*.unitedincome.com

web_application

*.bluetarp.com

web_application

*.capitalone.co.uk

web_application

*.capitalonebank.com

web_application

com.konylabs.capitalone

web_application

com.capitalone.tz

web_application

com.capitalone.atwork

web_application

com.yinzcam.facilities.verizon

web_application

ca.capitalone.enterprisemobilebanking

web_application

com.capitalone.intellix.mobile.prod

web_application

com.capitalone.credittracker

web_application

*.luma.co.uk

web_application

*.capitalonecareers.co.uk

web_application

com.ukcapitalone.creditWise

web_application

com.ukcapitalone.capitalone

web_application

*.criticalstack.com

web_application

*.intelstack.com

web_application

*.capitalonecards.com

web_application

*.theunioncard.com

web_application

*.teamstercardnow.com


This programe feature scope type like web_application, ios_application.

FireBounty © 2015-2020

Legal notices