Credit Karma

  • $100 – $5,000 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

66 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days

$1,425 average payout (last 3 months)

Latest hall of famers

Recently joined this program

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Credit Karma is a personal finance technology company with more than 85 million members in the United States and Canada, including almost half of all millennials. The company offers a suite of products for members to monitor and improve credit health and provides identity monitoring and auto insurance estimates. Since 2007, we have been knocking down barriers that block the path to financial health, helping our members make informed choices and feel confident about their opportunities.


Ratings/Rewards

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Please note that the following classes will be marked as (Won't Fix):

  • P5 - Open Redirect GET-Based

Program Rules

  • Please add the following User Agent during the course of your testing: UA-BugBounty
  • Do not perform testing that involves Recurring and/or scheduled scans on our platform.
  • Do not perform testing that involves enumerating and/or Brute Forcing Login and/or Registration.

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

  • Do not perform testing on any of our partners (banks, credit card companies, loan companies, etc). Any such activity may result in removal from our program.


Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.