46 vulnerabilities rewarded
about 2 months average response time
$63.51 average payout (last 12 weeks)
Latest hall of famers
Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.
CARD.com creates Fair, Fashionable and Fun online prepaid card solutions. This program is managed by the Card.com team.
Please read and understand the rules in the Standard Disclosure Terms at https://bugcrowd.com/resources/standard-disclosure-terms
The following are specifically excluded from scope and should not be tested:
- 3rd party tools used by CARD.com
- 3rd party service providers to CARD.com
- All shared hosting environment (e.g. networking equipment, firewalls and other equipment) components that are not directly used to host the target URL
- Physical environment pen-testing such as obtaining access to offices, server rooms, cars, homes, and physical objects (such as USB keys, phones, laptops)
- Routine Denial of Service or DDOS attacks
- Server and application banner versions that appear out of date
- Usernames exposed without requiring dictionary-style guessing
- Attacks that require man-in-the-middle unless you also have found a way that we are not properly preventing a man-in-the-middle attack
- Attacks that require the victim to use an unsupported browser (e.g. IE6, IE7, etc.)
- CSRF vulnerabilities in forms that do not change state server side (e.g. forms that perform searches)
- Content spoofing via 404 responses on CARD.com
Note: Our server may indicate a banner (e.g. Apache version X.Y.Z) that seems out of date, but which is not in fact out of date due to the way we manage patches to that software.