Program stats

5 vulnerabilities rewarded

n/a average response time

$491.67 average payout (last 12 weeks)


Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

With over 75 million members, Credit Karma is working to make financial progress possible for everyone. Since 2007, we have been knocking down barriers that block the path to financial health, helping our members make informed choices and feel confident about their opportunities.

Credit Karma provides free credit scores and credit reports from the national credit bureaus TransUnion and Equifax, alongside daily credit monitoring from TransUnion. Users can see updates to their credit scores and credit reports on Credit Karma once a week. Credit Karma also provides credit tools, such as a Credit Score Simulator, which simulates the effect of potential financial actions on a user's credit score, and tailored financial recommendations based on each individual user's credit profile.

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings with the following amendments:

  • P5 - Automatic User Enumeration
  • P5 - Manual User Enumeration
  • P5 - Open Redirect GET-Based

Please follow Bugcrowd's Terms & Conditions when testing. Failure to follow those policies will result in your account being banned.

Please do not change your test email address as this would put you out of compliance with our program.

Targets

Out of scope

Any domain/property of Credit Karma not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

Access

Each researcher will be given one test account. Please do not change your test email address as this would put you out of compliance with our program. This will be verified during report submission. Please also follow the guide below to obtain credentials.

1.) To request access to the program, first log into your Bugcrowd researcher account.

  • Current Researchers can log in here: https://bugcrowd.com/user/sign_in.
  • New researchers can sign up here: https://bugcrowd.com/user/sign_up.

2.) Once signed in, please email support@bugcrowd.com to request credentials.

  • Please use the subject line '@@@@Credit Karma Credential Request@@@@'.

3.) Bugcrowd will distribute your access code as quickly as possible.

  • Please allow 24 business hours (PST) for your access to be granted.

Android: https://play.google.com/store/apps/details?id=com.creditkarma.mobile&hl=en
iOS: https://itunes.apple.com/us/app/credit-karma-credit-scores-reports-alerts/id519817714?mt=8

Tax: Go to tax.creditkarma.com and log in with your credentials

In order to access the application, researchers MUST go through the following proxy:

IP: 52.6.69.30
Port: 25603
Proxy authentication: bugcrowd:bugcr0wd

See https://support.portswigger.net/customer/en/portal/articles/2363078-burp-suite-options-upstream-proxy-servers for more information on configuring Burp to work with an upstream proxy.

Focus Areas

  • Authentication Protocol Vulnerabilities (e.g. OAuth implementation flaws)
  • Authentication Handoff from creditkarma.com to tax.creditkarma.com
  • Tax Refund Destination Manipulation

Out-of-Scope

  • We will not accept vulnerabilities that are related to miscalculation. This includes miscalculated tax returns, etc.
  • IRS or other external entities
  • All of our partners (banks, credit card companies, loan companies, etc) are strictly out of scope. Please understand that testing our partners will put this bug bounty program in jeopardy. Due to this, we will, unfortunately, have to remove researchers from our program who violate this rule.
  • Do not test the physical security of Credit Karma’s offices, employees, data centers, etc.
  • Do not test using social engineering techniques (this includes phishing attacks against Credit Karma employees/contractors).
  • Do not perform DoS or DDoS attacks.
  • Do not in any way attack our end users, or engage in the trade of stolen user credentials.
  • We will not accept issues that are a result of pivoting. Only proof of the initial foothold is necessary.
  • Support tickets (zendesk.creditkarma.com and help.creditkarma.com)
  • Logout CSRF
  • Spam (including issues related to SPF/DKIM/DMARC)
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages
  • Fingerprinting/banner disclosure on common/public services
  • Disclosure of known public files or directories, (e.g. robots.txt)
  • CSRF in forms that are available to anonymous users (e.g. the contact form)
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Reports About Weak Password Policy
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies
  • Lack of Security Speedbump when leaving the site
  • Lack of Captcha/reCaptcha
  • Lack of 2-factor authentication
  • OPTIONS HTTP method enabled
  • HTTPS Mixed Content Scripts
  • SSL/TLS scan reports (this means output from sites such as SSL Labs)
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console)

iOS Application:

  • Attacks requiring physical access to a user's device
  • Lack of exploit mitigations, i.e. PIE, ARC, or stack canaries
  • Path disclosure in the binary
  • Lack of obfuscation is out of scope
  • Bypass certificate pinning on rooted devices
  • Lack of jailbreak detection is out of scope
  • Lack of binary protection (anti-debugging) controls
  • Sensitive information retained as plaintext in the device’s memory
  • OAuth "app secret" hard-coded/recoverable in apk
  • Crashes due to malformed URL Schemes
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits (exploits only possible in a jailbroken environment)
  • User data stored unencrypted on the file system on rooted devices
  • Reports from static analysis of the binary without an accompanying PoC that exploits some business logic or security control

Android Application:

  • Attacks requiring physical access to a user's device
  • Lack of root detection
  • Bypass certificate pinning on rooted devices
  • Lack of obfuscation
  • Lack of binary protection
  • Sensitive information retained as plaintext in the device’s memory
  • Shared links leaked through the system clipboard
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)
  • Vulnerabilities found in a Credit Karma application that was not acquired from Credit Karma’s official Play store account.
  • OAuth "app secret" hard-coded/recoverable in apk
  • Sensitive data retrieved as plaintext from disk on rooted devices
  • User data stored unencrypted on external storage on rooted devices
  • Reports from static analysis of the binary without an accompanying PoC that exploits some business logic or security control

Rewards:

Priority    Reward ($)
P1          $1,500
P2          $750 - $900
P3          $250 - $400
P4          $100

Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for Informational (P5) findings. Learn more about Bugcrowd’s VRT.