Credit Karma

  • $100 – $5,000 per vulnerability
  • Partial safe harbor

Program stats

  • Vulnerabilities rewarded 96
  • Validation within 3 days 75% of submissions are accepted or rejected within 3 days
  • Average payout $700 within the last 3 months

Latest hall of famers

Recently joined this program

Disclosure

Please note: This program or engagement does not allow disclosure. You may not release information about vulnerabilities found in this program or engagement to the public.

Credit Karma is a personal finance technology company with nearly 130 million members in the United States, Canada and UK. The company offers a suite of products for members to monitor and improve credit health and provides identity monitoring, among other things. Since 2007, we have been knocking down barriers that block the path to financial health, helping our members make informed choices and feel confident about their opportunities.


Ratings/Rewards

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Please note that the following classes will be marked as (Won't Fix):

  • P5 - Open Redirect GET-Based
  • Broken social media link hijacking

Program Rules

  • Any access to member data outside of test accounts must be deleted upon access
  • PII submission should avoid sending PII but reproduction steps to acquire said PII is necessary
  • Any screenshots with PII should be redacted
  • Do not perform testing that involves Recurring and/or scheduled scans on our platform.
  • Do not perform testing that involves enumerating and/or Brute Forcing Login and/or Registration/ Account recovery.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • Do not perform testing on any of our partners (banks, credit card companies, loan companies, etc). Any such activity may result in removal from our program.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.