FIS

  • Points – $20,000 per vulnerability
  • Safe harbor

Program stats

  • Vulnerabilities rewarded 1117
  • Validation within 11 days: 75% of submissions are accepted or rejected within 11 days
  • Average payout: $5,149.28 within the last 3 months

Disclosure

Please note: This program or engagement does not allow disclosure. You may not release information about vulnerabilities found in this program or engagement to the public.

Introduction

No technology is perfect, and as the threat landscape evolves, it becomes increasingly important for organizations to secure their assets. FIS believes that working with skilled security researchers across the globe is an integral part of keeping our businesses and customers safe.

Researchers who proactively identify vulnerabilities in FIS application environments help enhance our overall security posture and enable us to better protect our customers and their data. We are excited for you to participate as a security researcher and help FIS become more secure. Good luck, and happy hunting!

 

Policy

FIS looks forward to working with the security community and appreciates the time and effort researchers put towards our program. FIS will make a best effort to respond to incoming reports within 5 business days and make a bounty determination after validating a legitimate security issue within 10 business days. We will try to keep researchers informed about our progress throughout the process.

FIS has defined a list of general program rules, as well as rules regarding specific circumstances. Researchers must adhere to the stated rules and are encouraged to review all the rules presented in this brief. Any rule violation may render a submission ineligible for reward.

While scope is covered in more detail in the program rules, it's worth noting that FIS is a large service provider. There are many applications that we provide hosting or support services for, but we don't always own those assets. Depending on the specific situation, submissions may be deemed out of scope for this reason.

Additionally, when FIS publicly announces that it is divesting an existing business asset, we will no longer accept any Bug Bounty submissions on that asset. If you have questions regarding scope, feel free to contact the Bugcrowd Support Portal to confirm asset ownership.

Our program evolves over time, so researchers are also encouraged to periodically review this program page for any rule changes. Researchers should also visit the Announcements page for program notifications.

 

Important Announcements

This section highlights key program announcements for your reference. This section will update periodically as program conditions change.

1) FIS IdP assets are now back in scope. (10/3/2023)

2) Do not submit any reports containing Personally Identifiable Information (PII). Some examples of PII include the following:

  • Social Security Number
  • Name
  • Address
  • Email address
  • Phone number
  • Etc.

 

Screenshots may be included in submissions, but any PII data must be redacted. Any report with PII will be closed and not paid out.

 

Program Rules

In an effort to assist in deconflicting logs and traffic, we are heavily enforcing a new rule on our program. Effective immediately, please include the following custom header in any testing activity against FIS assets:

X-Bug-Bounty:BugCrowd-<username>

The ability to deconflict Bug Bounty traffic will not only assist us when we are reviewing reports and activity, but will also minimize the potential for business impact. Failure to include the "X-Bug-Bounty" custom header will result in a reduced payout of 75%.

 

  • See the "Application Access" section for rules on authenticated testing.
  • Do not publicly disclose a bug.
  • Do not perform any testing that causes degradation to FIS or customer assets (e.g., Denial of Service (DoS), heavy automated scanning, etc.).
  • Impacting our customers or customer data without our explicit approval is strictly prohibited.
  • Researchers cannot utilize valid end-user credentials for any purpose.
    • This is for legal and privacy compliance.
  • No brute forcing of login credentials.
  • Data exfiltration is strictly prohibited.
  • Researchers cannot purchase a service or request a product demo and then utilize any provisioned credentials for testing purposes.
  • We reserve the right not to pay bounties for security bugs found in sites that are not on a product, service, or piece of infrastructure owned, operated, or maintained by FIS or any FIS-acquired entity.
    • For example, assets that are 3rd party hosted, 3rd party owned, or 3rd party supported may be considered out of scope.
    • If you have questions regarding scope, please contact the Bugcrowd Support Portal.
  • We reserve the right not to pay bounties for security bugs in or caused by additional third-party software (e.g., binary plugins, extensions, etc.).
  • Vulnerabilities are only eligible if they have not been previously discovered by our normal scanning tools, penetration tests, or other processes and sources.
  • Vulnerabilities must be exploitable directly from the internet.
  • Vulnerabilities eligible for payout must be unauthenticated or discovered with default or self-registered credentials.
  • Any vulnerabilities that use credentials obtained by means other than intended self-registration will be subject to a reduced payout.
  • Any proof of concepts should not include images or statements that could cause reputational damage to FIS or its customers (e.g., brand damage or tagging on takeover pages).
  • Multiple instances of the same application and vulnerability combination are only eligible for a single payout.
  • In cases where there is shared code between multiple assets, bounties will only be paid for one instance of a vulnerability, as only one fix will need to be implemented in the shared code base.
  • The following actions are forbidden on internal FIS systems:
    • Internal pivoting
    • Scanning
    • Vulnerability exploitation
  • If you have identified a Remote Code Execution (RCE) or similar vulnerability, please contact the Bugcrowd Support Portal to determine the best way to demonstrate a safe proof of concept.
  • Social engineering (e.g., phishing, vishing, smishing, etc.) is strictly prohibited.
  • Please provide detailed reports with reproducible steps.
    • Reports without sufficient details to reproduce the issue will not be eligible for a reward.
  • Any potential or theoretical vulnerabilities that are mentioned without demonstration of exploitability will not be paid out.
    • Exploitations must remain within the guidelines of our scope and program rules.
  • Submit one vulnerability per report, unless you can chain the vulnerabilities.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
    • Post-authentication vulnerabilities are much more likely to have internal duplicates and single core fixes.
  • Priority and payment are based on the environment (e.g., production, UAT, development, etc.), the vulnerability, and an internal analysis of the asset and relevant data.

 

Multiple Vulnerability Rules

1) In instances where multiple vulnerabilities are identified against the same asset, as the result of one underlying issue:

  • We will accept the first two submissions.
  • All subsequent submissions will be considered duplicates.

 

Example:

Submission 1: Unauthenticated IDORs at https://fisglobal.com/rest/*

Affected Items:
https://fisglobal.com/rest/method1/getUser/10
https://fisglobal.com/rest/method1/getClient/15
https://fisglobal.com/rest/method2/reports/20

The above submission will be accepted.

 

Submission 2: Unauthenticated IDORs at https://fisglobal.com/rest/*

Affected Items:
https://fisglobal.com/rest/method5/deleteUser/12
https://fisglobal.com/rest/method5/exports/daily/3

The above submission will be accepted.

 

Submission 3: Unauthenticated IDORs at https://fisglobal.com/rest/*

Affected Items:
https://fisglobal.com/rest/method3/updateRecord/25
https://fisglobal.com/rest/method4/settings/terminal/30

The above submission will be marked “Duplicate”.

 

2) In instances where multiple vulnerabilities are identified against the same asset, as the result of separate underlying issues, rule 1 will not apply.

 

Example:

Submission 1: RCE on fisglobal.com via CVE-2024-1234

Affected Items:
https://fisglobal.com/abc/endpointA

The above submission will be accepted.

 

Submission 2: RCE on fisglobal.com via Unrestricted File Upload

Affected Items:
https://fisglobal.com/abc/endpointB

The above submission will be accepted.

 

Submission 3: RCE on fisglobal.com via Java Deserialization

Affected Items:
https://fisglobal.com/abc/endpointC

The above submission will be accepted.

 

In addition to the rules outlined above, any target that hits $50,000.00 in rewards in a 30-day period will be temporarily removed from scope for evaluation.

 

If you have any questions, please reach out to the Bugcrowd Support Portal.

 

Sensitive Data

  • Once sensitive data (e.g., PII, financial information, etc.) is identified, immediately halt your activity, purge related data from your system, and report the finding to FIS.
  • If PII is discovered, indicate the type of PII in the report (e.g., Social Security Number, name, address, etc.).
  • Do not submit any reports with PII.
    • Any report with PII will be closed and not paid out.
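The "redact any PII before it goes into a report" requirement above, and the earlier Important Announcements note that screenshots are welcome only with PII redacted, are easy to get wrong when a proof of concept is a captured HTTP response. The following Python script is an added example (not FIS or Bugcrowd code) of a pre-submission pass over PoC text: it replaces Social Security Numbers, email addresses, North American phone numbers and Luhn-valid card numbers with placeholders, and flags JSON keys such as "name" and "address" for manual review, since names and postal addresses have no reliable pattern. The regex patterns, placeholder strings, review-key list and the sample response are all constructed for illustration; the Luhn check is what keeps ordinary long digit strings (order references, timestamps) from being redacted as card numbers.

```python
"""Redact structured PII from proof-of-concept text before it goes into a report.

Added example, not FIS or Bugcrowd code. The patterns, placeholders and the
sample HTTP response below are constructed for illustration. Names and postal
addresses have no reliable pattern, so their likely JSON keys are only flagged
for manual review, not rewritten.
"""
import re
from typing import Dict, List, Tuple


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters digit runs (order IDs, timestamps) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Order matters: card numbers go first so their digit runs are gone before the
# phone pattern (which would otherwise see 10-digit substrings) runs.
PATTERNS = [
    ("card", re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),                       # 13-19 digits, optional separators
    ("ssn", re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
    ("email", re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")),
    ("phone", re.compile(r"(?<!\d)(?:\+1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
]

# JSON keys whose values usually hold PII the regexes cannot recognise (assumed list).
REVIEW_KEYS = re.compile(r'"(name|first_name|last_name|address|dob|date_of_birth)"\s*:', re.I)

# Constructed sample PoC: a captured JSON response with one of each PII type and a
# 13-digit order reference that must survive because it fails the Luhn check.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json

{"id":10,"name":"Jane Doe","ssn":"123-45-6789","email":"jane.doe@example.test",
 "phone":"(555) 123-4567","card":"4111 1111 1111 1111","order_ref":"1234567890123"}
"""


def redact(text: str) -> Tuple[str, Dict[str, int], List[str]]:
    """Return (redacted text, count of replacements per type, keys needing manual review)."""
    counts = {name: 0 for name, _ in PATTERNS}
    for name, pattern in PATTERNS:
        def repl(m: "re.Match[str]", name: str = name) -> str:
            if name == "card" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                return m.group(0)           # long digit run, but not a card number: keep it
            counts[name] += 1
            return f"[REDACTED-{name.upper()}]"
        text = pattern.sub(repl, text)
    review = sorted({m.group(1).lower() for m in REVIEW_KEYS.finditer(text)})
    return text, counts, review


if __name__ == "__main__":
    cleaned, counts, review = redact(SAMPLE_RESPONSE)
    print(cleaned)
    print("redacted:", counts)
    print("review these fields by hand:", review)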

 

Out of scope vulnerabilities

When reporting vulnerabilities, please consider the following:

  1. The attack scenario.
  2. The exploitation potential of the vulnerability.
  3. The security impact of the vulnerability.

 

The following issues are considered out of scope and are not included within our program:

  • Reflected and DOM Cross-Site Scripting (XSS).
  • Social engineering-based attacks (e.g., getting a user to click an attacker-controlled link).
  • Subdomain Takeovers.
  • Denial of Service, Rate Limiting, or Spamming issues (e.g., layer 7 DoS attacks, Slowloris, etc.).
  • Clickjacking on pages with no sensitive actions.
  • Cross-Site Request Forgery (CSRF).
  • Man in the Middle (MITM) attacks.
  • Attacks requiring physical access to a user's device.
  • Vulnerabilities that require privileged access to a victim's device.
  • Previously known vulnerable libraries without a working proof of concept.
  • Comma Separated Values (CSV) injection.
  • Content spoofing or text injection (e.g., HTML or CSS injection).
  • IFRAME injection.
  • Reports from automated tools or scans without accompanying demonstration of exploitability.
  • Software version disclosure without accompanying demonstration of exploitability.
  • Use of a known-vulnerable library without evidence of exploitability.
  • Open redirects.
  • Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), or Domain-based Message Authentication Reporting and Conformance (DMARC) record issues.
  • Missing best practices.
  • Insecure SSL or TLS issues (e.g., ciphers, certificates, etc.).
  • User existence or enumeration vulnerabilities.
  • Password or account recovery policies (e.g., reset link expiration, password complexity, etc.).
  • Any physical attempts against FIS property or data centers.
  • Missing security headers (e.g., HTTP Strict-Transport-Security (HSTS), Content Security Policy (CSP), etc.) that do not lead directly to a vulnerability.
  • Presence of the “autocomplete” attribute on web forms.
  • Host header injections unless you can show how they can lead to stealing user data.
  • Insecure cookie settings for non-sensitive cookies.
  • Vulnerabilities affecting users of outdated browsers or platforms.
  • Issues related to software or protocols not under FIS control.
  • Issues related to descriptive or verbose error messages.
  • Vulnerabilities in third party applications that make use of an FIS API.
  • Recently disclosed zero-day vulnerabilities.
    • Please see the announcement regarding this.
    • Reports submitted within the first 14 days after the vendor releases a patch are rewarded at 10% of the normal payout; reports submitted after 14 days receive the full amount.
  • Flash-based vulnerabilities.
  • ALL GitHub and Postman leaks.
  • Any kind of credentials leak.

 

Any reports of vulnerabilities on domains in the "Out of Scope" list will be closed as N/A and will not qualify for a bounty.

 

Public Disclosure

Please do not discuss this program or any vulnerabilities (including resolved vulnerabilities) outside of the program without express consent from FIS. FIS strictly prohibits the discussion or disclosure of reports outside of the researcher that submitted the report, Bugcrowd, or FIS.

 

Internal Duplicates

Due to alternate means of vulnerability discovery (e.g., scanning, penetration tests, etc.), there will be some vulnerabilities that we're already aware of. We will work to be as transparent as possible should you file a duplicate to an internal issue.

 

Application Access

Please review the following points regarding application access:

  • FIS does not provision accounts for testing.
  • FIS does not condone the sharing of credentials.
  • FIS reserves the right to not pay bounties on reports found to be using valid end-user credentials.
  • Researchers are forbidden from soliciting credentials from FIS clients, including the customers of FIS clients.
  • Any vulnerabilities that use credentials obtained by means other than self-registration will be subject to a reduced payout.
  • Wherever possible, researchers should include 'Bugcrowd Bug Bounty' in plaintext to allow our SOC team to deconflict logging data.
  • Access from Digital Ocean IPs may be restricted.
  • Access from non-US IPs may be restricted.
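The "X-Bug-Bounty:BugCrowd-&lt;username&gt;" header rule in Program Rules and the 'Bugcrowd Bug Bounty' plaintext marker above exist so the SOC can separate researcher traffic from everything else when a report or an alert comes in. The following Python script is an added example (not FIS or Bugcrowd code) of both sides of that: `bounty_header()` returns the header pair a researcher attaches to every request, and `deconflict()` walks an access log and splits requests into tagged (header in the required format, attributed to a username), marker-only (no header, but the plaintext marker in the User-Agent), malformed (header present but not in the required format) and untagged, collecting the source IPs that still need analyst attention. The JSON-lines log format, its field names, the usernames and the RFC 5737 test addresses are all constructed for illustration; real log schemas differ.

```python
"""Deconflict bug-bounty traffic in a web access log.

Added example, not FIS or Bugcrowd code. The log format (one JSON object per
line carrying the request headers a reverse proxy captured) and its field
names are constructed for illustration; map them to your own log schema.
"""
import json
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Required header value from the program rules: X-Bug-Bounty:BugCrowd-<username>
HEADER_VALUE_RE = re.compile(r"^BugCrowd-(?P<user>[A-Za-z0-9_.-]+)$")
# Plaintext marker the Application Access section asks researchers to include
PLAINTEXT_MARKER = "bugcrowd bug bounty"

# Constructed sample log (RFC 5737 test addresses, invented usernames, not real traffic)
SAMPLE_LOG = r"""
{"ts":"2024-05-01T12:00:01Z","src_ip":"203.0.113.10","method":"GET","path":"/rest/method1/getUser/10","status":200,"headers":{"user-agent":"curl/8.4.0","x-bug-bounty":"BugCrowd-alice"}}
{"ts":"2024-05-01T12:00:02Z","src_ip":"203.0.113.10","method":"GET","path":"/rest/method1/getUser/11","status":403,"headers":{"user-agent":"curl/8.4.0","x-bug-bounty":"BugCrowd-alice"}}
{"ts":"2024-05-01T12:00:03Z","src_ip":"203.0.113.11","method":"POST","path":"/login","status":401,"headers":{"user-agent":"Mozilla/5.0 (Bugcrowd Bug Bounty; researcher bob)"}}
{"ts":"2024-05-01T12:00:04Z","src_ip":"198.51.100.7","method":"GET","path":"/admin","status":404,"headers":{"user-agent":"python-requests/2.31"}}
{"ts":"2024-05-01T12:00:05Z","src_ip":"203.0.113.12","method":"GET","path":"/rest/method2/reports/20","status":200,"headers":{"user-agent":"curl/8.4.0","x-bug-bounty":"carol"}}
"""


def bounty_header(username: str) -> Tuple[str, str]:
    """Researcher side: the header pair to send on every request, e.g. set once on a
    requests.Session's headers or as a proxy match-and-replace rule."""
    return ("X-Bug-Bounty", f"BugCrowd-{username}")


def classify(entry: dict) -> Tuple[str, Optional[str]]:
    """Classify one log entry; header names are matched case-insensitively."""
    headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
    value = headers.get("x-bug-bounty")
    if value is not None:
        m = HEADER_VALUE_RE.match(value.strip())
        if m:
            return "tagged", m.group("user")
        return "malformed", None            # header present but not BugCrowd-<username>
    if PLAINTEXT_MARKER in headers.get("user-agent", "").lower():
        return "marker_only", None          # plaintext marker, but no attributable username
    return "untagged", None


def deconflict(log_text: str) -> Dict[str, object]:
    """Summarise a JSON-lines log: counts per class, requests per researcher,
    and the source IPs whose traffic still needs an analyst's look."""
    by_class: Counter = Counter()
    by_user: Counter = Counter()
    review_ips = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        cls, user = classify(entry)
        by_class[cls] += 1
        if user:
            by_user[user] += 1
        if cls in ("untagged", "malformed"):
            review_ips.add(entry["src_ip"])
    return {"by_class": dict(by_class), "by_user": dict(by_user), "review_ips": sorted(review_ips)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(deconflict(SAMPLE_LOG))
```

On the sample log, alice's two requests are attributed to her, bob's login attempt is recognised only by the plaintext marker, and the two remaining source addresses (one with no tag, one with a header that does not follow the BugCrowd-&lt;username&gt; format) are the ones an analyst would still have to investigate as possibly hostile.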

 

Note:

Please ensure that any FIS site you're testing actually belongs to FIS. Reviewing SSL certificates, whois records, and DNS entries is one way to determine ownership. Please do not rely on Wikipedia to confirm which companies FIS has acquired. If you have any concerns about whether or not an asset belongs to FIS, please reach out to the Bugcrowd Support Portal.
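As an added example (not FIS or Bugcrowd code) of the certificate part of that ownership check, the Python script below fetches a host's leaf certificate with the standard library, verifies that the hostname is actually covered by the certificate's DNS names (a wildcard covers exactly one label), and then compares the subject's organization against the organization names you have already confirmed. The expected organization names and the two sample certificates are constructed for illustration. Two caveats are encoded in the verdicts: a domain-validated certificate carries no organization field, so it proves only control of the name and is inconclusive about who owns the application; and because FIS hosts sites for other companies, even an organization match is not proof that a site is in scope, so whois and DNS should still be checked and doubts raised with the Bugcrowd Support Portal.

```python
"""Check a host's TLS certificate against the organization you expect.

Added example, not FIS or Bugcrowd code. EXPECTED_ORGS and the two sample
certificates (in the dict shape ssl's getpeercert() returns) are constructed
for illustration; fetch_cert() needs network access and is not exercised by
the offline samples.
"""
import socket
import ssl
from typing import Dict, Iterable, List, Optional


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Return the server's leaf certificate as the dict ssl.SSLSocket.getpeercert() gives."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _rdn_dict(rdns) -> Dict[str, str]:
    """Flatten getpeercert()'s nested subject/issuer tuples into a name->value dict."""
    return {k: v for rdn in rdns for k, v in rdn}


def san_dns_names(cert: dict) -> List[str]:
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(host: str, names: Iterable[str]) -> bool:
    """RFC 6125-style match: a leading wildcard covers exactly one leftmost label."""
    host = host.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            h, n = host.split("."), name.split(".")
            if len(h) == len(n) and h[1:] == n[1:]:
                return True
        elif host == name:
            return True
    return False


def assess(host: str, cert: dict, expected_orgs: Iterable[str]) -> Dict[str, Optional[str]]:
    """Verdicts: no_cert_match, inconclusive_dv (no O field), org_match, org_mismatch."""
    subject = _rdn_dict(cert.get("subject", ()))
    issuer = _rdn_dict(cert.get("issuer", ()))
    org = subject.get("organizationName")
    names = san_dns_names(cert) or [subject.get("commonName", "")]
    if not hostname_matches(host, names):
        verdict = "no_cert_match"       # certificate is not even for this host
    elif org is None:
        verdict = "inconclusive_dv"     # DV cert: proves control of the name, not who owns the app
    elif org.lower() in {o.lower() for o in expected_orgs}:
        verdict = "org_match"           # still not proof of scope if FIS merely hosts the site
    else:
        verdict = "org_mismatch"
    return {"host": host, "organization": org, "issuer": issuer.get("organizationName"),
            "not_after": cert.get("notAfter"), "verdict": verdict}


# Assumed: the legal names you have confirmed out of band, not taken from the certificate.
EXPECTED_ORGS = {"Example Payments Inc."}

# Constructed OV certificate with a wildcard SAN.
SAMPLE_OV_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Payments Inc."),),
                (("commonName", "api.example-payments.test"),)),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA OV Issuing"),)),
    "subjectAltName": (("DNS", "api.example-payments.test"), ("DNS", "*.portal.example-payments.test")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
# Constructed DV certificate: no organizationName at all.
SAMPLE_DV_CERT = {
    "subject": ((("commonName", "www.example-payments.test"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA DV"),)),
    "subjectAltName": (("DNS", "www.example-payments.test"),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    cert = fetch_cert(target) if target else SAMPLE_OV_CERT
    print(assess(target or "api.example-payments.test", cert, EXPECTED_ORGS))
```

Run it with a hostname argument to check a live host, or without one to see the verdict on the constructed OV sample; treat anything other than org_match as a reason to stop and confirm ownership before testing.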

FIS provides a wide range of financial products and services, including web development, application hosting, and DNS services. As such, there are a number of sites of which FIS owns only a section. There are also situations where we host the site and own the domain but are not contractually responsible for the security of that site.

We strive to be as transparent as possible with our bug bounty community. If a report comes in that meets these criteria, we will work with the researcher to determine the best path forward, which may include engaging the customer or client.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.