  • $50 – $200 per vulnerability
  • Partial safe harbor

Program stats

53 vulnerabilities rewarded

Validation within about 1 month
75% of submissions are accepted or rejected within about 1 month

$50 average payout (last 3 months)


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

creates Fair, Fashionable and Fun online prepaid card solutions. This program is managed by the team.


In scope

Target name Type Other
Card Android Mobile Application Other
Card iOS Mobile Application Other

Please read and understand the rules in the Standard Disclosure Terms at

The following are specifically excluded from scope and should not be tested:

  • 3rd party tools used by
  • 3rd party service providers to
  • All shared hosting environment (e.g. networking equipment, firewalls and other equipment) components that are not directly used to host the target URL
  • Physical environment pen-testing such as obtaining access to offices, server rooms, cars, homes, and physical objects (such as USB keys, phones, laptops)
  • Routine Denial of Service or DDoS attacks
  • Server and application banner versions that appear out of date
  • Usernames exposed without requiring dictionary-style guessing
  • Attacks that require man-in-the-middle unless you also have found a way that we are not properly preventing a man-in-the-middle attack
  • Attacks that require the victim to use an unsupported browser (e.g. IE6, IE7, etc.)
  • CSRF vulnerabilities in forms that do not change state server side (e.g. forms that perform searches)
  • Existence of robots.txt with non-sensitive content (if we accidentally put sensitive content there, let us know, but don't just report that we have robots.txt)
  • Content spoofing via 404 responses on

Note: Our server may indicate a banner (e.g. Apache version X.Y.Z) that seems out of date, but which is not in fact out of date due to the way we manage patches to that software.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.