Credit Karma

  • $200 – $5,000 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

53 vulnerabilities rewarded

Validation within 3 days
75% of submissions are accepted or rejected within 3 days

$750 average payout (last 3 months)

Latest hall of famers

Recently joined this program


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Credit Karma is a personal finance technology company with more than 85 million members in the United States and Canada, including almost half of all millennials. The company offers a suite of products for members to monitor and improve credit health and provides identity monitoring and auto insurance estimates. Since 2007, we have been knocking down barriers that block the path to financial health, helping our members make informed choices and feel confident about their opportunities.


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Please note that the following classes will be marked as (Won't Fix):

  • P5 - Automatic User Enumeration
  • P5 - Manual User Enumeration
  • P5 - Open Redirect GET-Based


  • Please add the following User Agent during the course of your testing: UA-BugBounty
  • Please follow Bugcrowd's Terms & Conditions when testing. Failure to follow those policies will result in your account being banned.
  • Please do not change your test email address as this would put you out of compliance with our program.
  • Do not perform testing that involves Recurring and/or scheduled scans on our platform.


$ API, iOS, Android Web
P1 $5,000 $3,000
P2 $2,250 $1,800
P3 $700 $600
P4 $250 $200


In scope

Target name Type
https://* Website Testing Website Testing Website Testing API Testing
Credit Karma Android Mobile Application Android
Credit Karma iOS Mobile Application iOS Website Testing Website Testing Website Testing
Credit Karma Canada iOS App iOS

Out of scope

Target name Type Website Testing Website Testing Website Testing Website Testing* Website Testing Website Testing Website Testing Website Testing

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Credit Karma not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to before submitting.


Each researcher will be given one test account. Please do not change your test email address as this would put you out of compliance with our program. This will be verified during report submission.

Tax: Go to and log in with your credentials or login to and click on the Tax tab.

  • The phone number used to verify your test account is (111) 111-1111 and OTP is all 1's (111111)

Focus Areas

  • Authentication Protocol Vulnerabilities (For e.g. OAuth Implementation Flaws)
  • Authentication Handoff from to
  • Tax Refund Destination Manipulation



  • Do not set recurring scans. Doing so may result in you being blocked.
  • We will not accept vulnerabilities for that are related to miscalculation. This includes miscalculated Tax Returns, etc.
  • IRS or other external entities
  • All of our partners (banks, credit card companies, loan companies, etc) are strictly out of scope. Please understand that testing our partners will put this bug bounty program in jeopardy. Due to this, we will, unfortunately, have to remove researchers from our program who violate this rule.
  • Do not test the physical security of Credit Karma’s offices, employees, data centers, etc.
  • Do not test using social engineering techniques (this includes phishing attacks against Credit Karma employees/contractors).
  • Do not perform DoS or DDoS attacks.
  • Do not in any way attack our end users, or engage in the trade of stolen user credentials.
  • We will not accept issues that are a result of pivoting. The only proof of initial foothold is necessary.
  • Support tickets ( and
  • Spam (including issues related to SPF/DKIM/DMARC)
  • Reports About Weak Password Policy
  • XMLRPC related brute-force/enumeration/DDoS Attacks


  • Attacks requiring physical access to a user's device
  • User data stored unencrypted on the file system on rooted devices

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.