Credit Karma

  • $200 – $5,000 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

56 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days

$700 average payout (last 3 months)

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Credit Karma is a personal finance technology company with more than 85 million members in the United States and Canada, including almost half of all millennials. The company offers a suite of products for members to monitor and improve credit health and provides identity monitoring and auto insurance estimates. Since 2007, we have been knocking down barriers that block the path to financial health, helping our members make informed choices and feel confident about their opportunities.


Ratings/Rewards

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Please note that the following classes will be marked as (Won't Fix):

  • P5 - Open Redirect GET-Based

Program Rules

  • Include the string UA-BugBounty in the User-Agent header of all traffic you send during testing.
  • Do not run recurring and/or scheduled scans against our platform.
  • Do not enumerate and/or brute-force the login and/or registration flows.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • Do not perform testing on any of our partners (banks, credit card companies, loan companies, etc). Any such activity may result in removal from our program.

Rewards:

Priority   API, iOS, Android   Web
P1         $5,000              $3,000
P2         $2,250              $1,800
P3         $700                $600
P4         $250                $200

Targets

In scope

Target name (Type): Tags

  • https://*.creditkarma.com (Website Testing): ReactJS, Newrelic, Website Testing
  • https://help.creditkarma.com/ (Website Testing): Bootstrap, Website Testing
  • https://accounts.creditkarma.com (Website Testing): ReactJS, jQuery, Modernizr, Website Testing
  • api.creditkarma.com (API Testing): API Testing, HTTP
  • Credit Karma Android Mobile Application (Android): Mobile Application Testing, Android, Java, Kotlin
  • Credit Karma iOS Mobile Application (iOS): Mobile Application Testing, iOS, Objective-C, Swift, SwiftUI
  • https://tax.creditkarma.com (Website Testing): ReactJS, jQuery, Modernizr, Website Testing
  • https://blog.creditkarma.com/ (Website Testing): jQuery, MySQL, nginx, Wordpress, PHP, Newrelic, Website Testing
  • https://www.creditkarma.ca/ (Website Testing): Newrelic, Website Testing
  • Credit Karma Canada iOS App (iOS): Mobile Application Testing, iOS, Objective-C, Swift, SwiftUI

Out of scope

Target name (Type)

  • https://www.creditkarma.com/all/advice (Website Testing)
  • appsflyer.com (Website Testing)
  • crashlytics.com (Website Testing)
  • taplytics.com (Website Testing)
  • https://www.creditkarma.com/article/* (Website Testing)
  • https://www.creditkarma.com/reviews/ (Website Testing)
  • http://socialverification.creditkarma.com/ (Website Testing)
  • http://socialverification.stage.creditkarma.com/ (Website Testing)

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Credit Karma not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.
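Because the in-scope wildcard (https://*.creditkarma.com) is narrowed by explicit out-of-scope hosts and path prefixes on www.creditkarma.com, it is easy to drift out of scope mid-test. The following scope checker is an added example, not part of this program page or any Bugcrowd tooling; it encodes the web targets listed above and assumes that explicit exclusions override the wildcard and that only www.creditkarma.ca (not other .ca subdomains) is in scope. The function name `classify` and the sample URLs at the bottom are constructed for illustration; mobile targets are not represented.

```python
from urllib.parse import urlsplit

# Web scope as listed in the Targets section of this page (constructed from it).
IN_SCOPE_WILDCARDS = ("creditkarma.com",)            # https://*.creditkarma.com
IN_SCOPE_HOSTS = {"www.creditkarma.ca", "api.creditkarma.com"}
OUT_OF_SCOPE_HOSTS = {
    "socialverification.creditkarma.com",
    "socialverification.stage.creditkarma.com",
    "appsflyer.com",
    "crashlytics.com",
    "taplytics.com",
}
# Path prefixes on www.creditkarma.com that the page excludes; a trailing "/"
# means "everything under this directory", no trailing "/" means the exact path
# and anything below it.
OUT_OF_SCOPE_PATHS = {
    "www.creditkarma.com": ("/all/advice", "/article/", "/reviews/"),
}


def _host_matches(host: str, domain: str) -> bool:
    """True if host is domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def _path_excluded(path: str, prefix: str) -> bool:
    """True if path is the excluded prefix or lies beneath it."""
    base = prefix.rstrip("/")
    return path == base or path.startswith(base + "/")


def classify(url: str):
    """Return (in_scope, reason) for a URL or bare hostname.

    Explicit out-of-scope entries (hosts and path prefixes) are applied before
    the wildcard, so they always win. Assumption: that is how the page's
    'any subdomain not listed is out of scope' sentence is meant to interact
    with https://*.creditkarma.com.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path or "/"
    if not host:
        return False, "no host in URL"

    for bad in OUT_OF_SCOPE_HOSTS:
        if _host_matches(host, bad):
            return False, f"{host} is explicitly out of scope ({bad})"

    for prefix in OUT_OF_SCOPE_PATHS.get(host, ()):
        if _path_excluded(path, prefix):
            return False, f"{host}{prefix} is explicitly out of scope"

    if host in IN_SCOPE_HOSTS:
        return True, f"{host} is listed in scope"
    for domain in IN_SCOPE_WILDCARDS:
        if _host_matches(host, domain):
            return True, f"{host} matches *.{domain}"

    return False, f"{host} is not listed as a target (contact support@bugcrowd.com first)"


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the page.
    for sample in (
        "https://accounts.creditkarma.com/login",
        "https://www.creditkarma.com/article/some-post",
        "http://socialverification.creditkarma.com/",
        "https://www.creditkarma.ca/",
        "https://app.creditkarma.ca/",
        "https://sdk.appsflyer.com/v1",
    ):
        ok, why = classify(sample)
        print(f"{'IN ' if ok else 'OUT'}  {sample}  ({why})")
```

Run the script before pointing a scanner or proxy at a new host; a False result on anything under creditkarma.com is a signal to stop and ask, not to proceed.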


Access

Each researcher will be given one test account. Please do not change your test email address as this would put you out of compliance with our program. This will be verified during report submission.

Android: https://play.google.com/store/apps/details?id=com.creditkarma.mobile&hl=en
iOS: https://itunes.apple.com/us/app/credit-karma-credit-scores-reports-alerts/id519817714?mt=8
Tax: Go to tax.creditkarma.com and log in with your test credentials, or log in to creditkarma.com and click on the Tax tab.

  • The phone number used to verify your test account is (111) 111-1111 and the OTP is all 1's (111111).

Focus Areas

  • Authentication protocol vulnerabilities (e.g. OAuth implementation flaws)
  • Authentication Handoff from creditkarma.com to tax.creditkarma.com
  • Tax Refund Destination Manipulation

Out-of-Scope

Web:

  • Enumerating and/or Brute Forcing Login and/or Registration.
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • Issues reached by pivoting from an initial foothold. Report only the initial foothold with proof of it; do not pivot further.
  • Support tickets (zendesk.creditkarma.com and help.creditkarma.com).
  • Spam (including issues related to SPF/DKIM/DMARC).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting/banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • CSRF in forms that are available to anonymous users (e.g. the contact form).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Reports About Weak Password Policy.
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
  • Lack of Security Speedbump when leaving the site.
  • Lack of Captcha/reCaptcha.
  • Lack of 2-factor authentication.
  • OPTIONS HTTP method enabled.
  • HTTPS Mixed Content Scripts.
  • SSL/TLS scan reports (this means output from sites such as SSL Labs).
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability.
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console).
  • XML-RPC related brute-force/enumeration/DDoS attacks.

iOS/Android:

  • Enumerating and/or Brute Forcing Login and/or Registration.
  • Attacks requiring physical access to a user's device.
  • Lack of exploit mitigations, e.g. PIE, ARC, or stack canaries.
  • Path disclosure in the binary.
  • Lack of jailbreak detection.
  • Lack of binary protection (anti-debugging) controls.
  • Lack of root detection.
  • Lack of obfuscation.
  • Lack of binary protection.
  • OAuth "app secret" hard-coded/recoverable in apk.
  • Crashes due to malformed URL Schemes.
  • Snapshot/Pasteboard leakage.
  • Runtime hacking exploits (exploits only possible in a jailbroken environment).
  • User data stored unencrypted on the file system on rooted devices.
  • Reports from static analysis of the binary without an accompanying PoC that exploits some business logic or security control.
  • Bypass certificate pinning on rooted devices.
  • Sensitive information retained as plaintext in the device’s memory.
  • Shared links leaked through the system clipboard.
  • Any URIs leaked because a malicious app has permission to view URIs opened.
  • Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope).
  • Vulnerabilities found in a Credit Karma application that was not acquired from Credit Karma’s official Play store account.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.