CARD.com creates Fair, Fashionable and Fun online prepaid card solutions. This program is managed by the Card.com team.

Targets

In scope

Please read and understand the rules in the Standard Disclosure Terms at https://bugcrowd.com/resources/standard-disclosure-terms

The following are specifically excluded from scope and should not be tested:

  • 3rd party tools used by CARD.com
  • 3rd party service providers to CARD.com
  • All shared hosting environment components (e.g. networking equipment, firewalls and other equipment) that are not directly used to host the target URL
  • Physical environment pen-testing such as obtaining access to offices, server rooms, cars, homes, and physical objects (such as USB keys, phones, laptops)
  • Routine Denial of Service (DoS) or DDoS attacks
  • Server and application banner versions that appear out of date
  • Usernames exposed without requiring dictionary-style guessing
  • Attacks that require a man-in-the-middle position, unless you have also found a way in which we fail to properly prevent a man-in-the-middle attack
  • Attacks that require the victim to use an unsupported browser (e.g. IE6, IE7, etc.)
  • CSRF vulnerabilities in forms that do not change state server-side (e.g. forms that perform searches)
  • Content spoofing via 404 responses on CARD.com

Note: Our server may indicate a banner (e.g. Apache version X.Y.Z) that seems out of date, but which is not in fact out of date due to the way we manage patches to that software.

Rules

This program follows Bugcrowd's standard disclosure terms.

This program does not offer financial or point-based rewards for Informational (P5) findings. Learn more about Bugcrowd's VRT.