Program stats

70 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days

$162.50 average payout (last 3 months)

Latest hall of famers

Recently joined this program

267 total


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Invest spare change automatically from everyday purchases into a diversified portfolio. We are committed to building the best possible product and we know that starts with a world class team of engineers, designers, mathematicians, financial experts, and marketers.

We take the security of our systems seriously, and we value the security researcher community. The disclosure of security vulnerabilities by security researchers helps us ensure the security and privacy of our users.

Note: While we have provided development sites ( a bug must be reproducible on the production sites as well ( Unfortunately, there may be differences in the way the dev sites interact e.g. with the mobile app. We understand that this can cause frustration but we don't really have any other option than requiring researchers use real bank account information.


We require that all researchers:

  • Make a every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
  • Perform research only within the scope set out below;
  • Use the identified communication channels to report vulnerability information to us; and
  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and Acorns LLC.

If you follow these guidelines when reporting an issue to us we commit to:

  • Work with you to understand and resolve the issue quickly (confirming the report within 72 hours of submission);
  • Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
  • We will pay a bounty for unique bugs that meet the guidelines, just be the first to report using our Bugcrowd portal.

Thank you for participating, it is your work that will help to keep us secure.


Out of scope

If you prefer not to use your own account, you may use our test server.
Note: is not directly accessible and used by the apps.

Create an account at:


When setting up or account please use the following routing / account information for linking via Online Banking Credentials:

  • Chase Bank
    • user: plaid_test
    • pass: plaid_good
  • CC Bank
    • user: direct
    • pass: any-value
  • Other institution, for linking via Routing and Account Number:
    • Routing: 122000496
    • Account: 000200100
  • Round-ups Account
  • Chase Bank
    • user: plaid_test
    • pass: plaid_good

MFA: Valid MFA responses are listed below; all other responses will return as invalid. For institutions requiring multiple-question MFA, respond with again for each initial question and tomato for the final question.

questions again (for multiple questions), tomato (for final response)
code-based 1234
selections tomato (when available), ketchup (when available)

No real funds will be moved if actual account data is used during this registration process. Users are welcome to use the test accounts or their own accounts with the understanding that no real transactions or charges will be initiated.

When entering additional information

  • For telephone
    • Use area code 415
    • the rest of the number can be fake
  • For address
    • Use zip code 94103
    • the rest of the address can be fake
  • Social Security can be fake

Out of scope

Any services hosted by 3rd party providers and services are excluded from scope. These services include:


Things we do not want to see:

  • Personally identifiable information of users (PII) that you may have found during your research
  • Vulnerabilities reported via social media and/or support forms and forums are not eligible.
  • Vulnerabilities in third-party applications used by are not eligible.

The following finding types are specifically excluded from the bounty:

  • Server version disclosure
  • Findings from physical testing such as office access (e.g. open doors, tailgating)
  • Findings derived primarily from social engineering (e.g. phishing, vishing)
  • Findings from applications or systems not listed in the ‘Targets’ section
  • Functional, UI and UX bugs and spelling mistakes
  • Network level Denial of Service (DoS/DDoS) vulnerabilities
  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure and HTTPOnly cookie flags on non-sensitive cookies.
  • Lack of Security Speedbump when leaving the site.
  • Weak Captcha / Captcha Bypass
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled
  • HTTPS Mixed Content Scripts
  • Username / email enumeration
    • via Login Page error message
    • via Forgot Password error message
  • SSL Issues, e.g.
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack
    • SSL Forward secrecy not enabled
    • SSL weak / insecure cipher suites
    • Test page(s) exposed (This is a test environment. Pages are known to be available.)
    • Spam vectors
  • Any issues related to rate-limiting requests are out of scope


This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.