SAP Concur

  • Partial safe harbor

We no longer offer point rewards for submissions on this program. Please refer to our blog post: How Bugcrowd sees VDPs and points for more details.

Program stats

  • Vulnerabilities accepted 97
  • Validation within 9 days 75% of submissions are accepted or rejected within 9 days

Latest hall of famers

Recently joined this program

643 total


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Headers (New!)

Please include the following headers in all server requests. This will not affect our response to your activity, but allows us to track breadth of community research to ensure that all of our applications are being tested regularly.

X-Request-Purpose: Research

X-Bugcrowd-Ninja: [username]


Concur Technologies is committed to making travel and expense management easy and secure. As part of our promise to protect customer data and privacy, we strongly encourage prompt responsible disclosure of vulnerabilities you may find while using our products and welcome your reports.

When submitting, please keep the following in mind:

  • Please provide clear and reproducible steps that demonstrate that the vulnerability exists, is persistent, and can be exploited. Your written description should be easily understood in English, and attaching a proof-of-exploitability video is even more helpful.
  • Vulnerability reports which do not include careful manual validation—for example, reports based only on results from automated tools and scanners or which describe theoretical attack vectors without proof of exploitability—will be closed as Not Applicable.

This program covers all Concur-owned applications, services, and properties, including any browser UI, web service, or mobile app for each product. Please be sure to check domain records to confirm Concur ownership; avoid testing of assets not owned and controlled by Concur.

Some examples include:

  • Concur Travel, Expense, and Invoice solutions (* and *
  • TMC Solutions (see a list of included products)
  • TripIt (*
  • Hipmunk (*
  • ConcurGov
  • Ulysse

Program Rules:

Public disclosure is prohibited without the express prior written consent of Concur.

  • Carefully comply with applicable laws regarding unauthorized system access and tampering by only performing research under this responsible disclosure program. Proof of exploitability must stop short of actual exploitation.
  • Never intentionally access, modify, destroy, or make unavailable Concur user data or Concur itself in the process of discovery. This includes execution of Denial of Service exploits.
  • Immediately notify Concur Security if any user data other than your own is unintentionally accessed.
  • Never leak or publicly disclose any Concur user data, including your own.
  • Never defraud Concur users or the Concur platform itself in the process of discovery or using data discovered through your research.
  • You further agree that you will comply with end-user agreements and will never perform security research on your own company’s Concur instance. You may either sign up for trial organization or contact us for access to a sandbox organization.
  • Concur Mobile binaries should be obtained through official channels for iOS and Android platforms. While Concur does not encourage rooting/jailbreaking of mobile devices, we understand that this technique may be necessary for extracting and validating the Concur Mobile app. Accessing Concur Mobile binaries by rooting or jailbreaking your device is permitted only with test accounts in the context of security research through this program; circumventing platform protections in order to access production accounts, including those for companies you may belong to, is strictly prohibited.


On a general level, this program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.


  • Email spoofing due to missing or misconfigured DMARC will be considered a P5


Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email We will address your issue as soon as possible.