SAP Concur

  • Points per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

82 vulnerabilities rewarded

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Headers (New!)

Please include the following headers in all server requests. This will not affect our response to your activity, but it allows us to track the breadth of community research and ensure that all of our applications are being tested regularly.

X-Request-Purpose: Research

X-Bugcrowd-Ninja: [username]


Concur Technologies is committed to making travel and expense management easy and secure. As part of our promise to protect customer data and privacy, we strongly encourage prompt responsible disclosure of vulnerabilities you may find while using our products and welcome your reports.

When submitting, please keep the following in mind:

  • Please provide clear and reproducible steps that demonstrate that the vulnerability exists, is persistent, and can be exploited. Your written description should be easily understood in English, and attaching a proof-of-exploitability video is even more helpful.
  • Vulnerability reports which do not include careful manual validation—for example, reports based only on results from automated tools and scanners or which describe theoretical attack vectors without proof of exploitability—will be closed as Not Applicable.

This program covers all Concur-owned applications, services, and properties, including any browser UI, web service, or mobile app for each product. Please be sure to check domain records to confirm Concur ownership; avoid testing of assets not owned and controlled by Concur.

Some examples include:

  • Concur Travel, Expense, and Invoice solutions (* and *
  • TMC Solutions (see a list of included products)
  • TripIt (*
  • Hipmunk (*
  • ConcurGov
  • Ulysse

Program Rules:

Public disclosure is prohibited without the express prior written consent of Concur.

  • Carefully comply with applicable laws regarding unauthorized system access and tampering by only performing research under this responsible disclosure program. Proof of exploitability must stop short of actual exploitation.
  • Never intentionally access, modify, destroy, or make unavailable Concur user data or Concur itself in the process of discovery. This includes execution of Denial of Service exploits.
  • Immediately notify Concur Security if any user data other than your own is unintentionally accessed.
  • Never leak or publicly disclose any Concur user data, including your own.
  • Never defraud Concur users or the Concur platform itself in the process of discovery or using data discovered through your research.
  • You further agree that you will comply with end-user agreements and will never perform security research on your own company’s Concur instance. You may either sign up for a trial organization or contact us for access to a sandbox organization.
  • Concur Mobile binaries should be obtained through official channels for iOS and Android platforms. While Concur does not encourage rooting/jailbreaking of mobile devices, we understand that this technique may be necessary for extracting and validating the Concur Mobile app. Accessing Concur Mobile binaries by rooting or jailbreaking your device is permitted only with test accounts in the context of security research through this program; circumventing platform protections in order to access production accounts, including those for companies you may belong to, is strictly prohibited.

On a general level, this program adheres to the Bugcrowd Vulnerability Rating Taxonomy (VRT) for the prioritization/rating of findings.

  • Email spoofing due to missing or misconfigured DMARC will be considered a P5

This program only awards points for VRT-based submissions.

In scope

Target name: All services officially provided by Concur are in scope and eligible for the responsible disclosure program, including mobile applications.
Type: Other

Target name: Tripit Web Application
Type: Website Testing
Tags: Bootstrap, jQuery, MySQL, nginx, Wordpress, PHP, Akamai CDN, Website Testing

Target name: (missing)
Type: Website Testing
Tags: Bootstrap, jQuery, MySQL, nginx, Wordpress, PHP, Akamai CDN, Website Testing

Target name: Tripit Teams
Type: Website Testing
Tags: Bootstrap, jQuery, Modernizr, nginx, Newrelic, Website Testing

Target name: Tripit Mobile Web Services (public web services used by the Tripit Mobile applications)
Type: API Testing
Tags: API Testing, HTTP

Target name: Tripit Mobile Application: Android
Type: Android
Tags: Mobile Application Testing, Android, Java, Kotlin

Target name: Tripit Mobile Application: iOS
Type: iOS
Tags: Mobile Application Testing, iOS, Objective-C, Swift, SwiftUI

Out of scope

Target name: Sites and companies not owned by, maintained by, or under the control of Concur
Type: Other

Target name: All Hipmunk assets are out of scope as this product line has been discontinued.
Type: Other

On Credentials

  • Individual and "test drive" accounts can be self-provisioned in many of our applications, including Concur, TripIt, and Hipmunk.
  • Pro or Premium accounts will not be provided, but a free trial account can be created for testing purposes and cancelled before the end of the trial.

About Concur

Concur, an SAP company, imagines the way the world should work, offering cloud-based services that make it simple to manage travel and expenses. By connecting data, applications, and people, Concur delivers an effortless experience and total transparency into spending wherever and whenever it happens. Concur services adapt to individual employee preferences and scale to meet the needs of companies from small to large, so they can focus on what matters most.
Learn more at or the Concur blog.

Program rules

This program follows Bugcrowd’s standard disclosure terms.