• Points per vulnerability
  • Managed by Bugcrowd

Program stats

49 vulnerabilities rewarded

Validation within 5 days
75% of submissions are accepted or rejected within 5 days

Latest hall of famers

Recently joined this program

203 total

We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at Abacus. Every day new security issues and attack vectors are created. Abacus strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.

Please do not use automated scanners

Do not use scripts to create multiple accounts

If this behavior continues this program will be suspended


In scope

Out of Scope:

  • blog.abacus.com
  • support.abacus.com
  • Olark (chat)

Please use the following conventions when signing up for an account:
User name = name+bugcrowd@domain.com example: jane+bugcrowd@gmail.com
Business name = Bugcrowd Bugcrowd Handle example: Bugcrowd GoodGuy_01

Important: Read this or you may be charged $ :

Do not connect Abacus to your bank account. This is not required to conduct tests

Please do not use automated scanners

Please read and follow the rules in the Standard Disclosure Terms.

The following finding types are specifically excluded from the bounty:

  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • Self-XSS and issues exploitable only through Self-XSS.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.