FIS

  • Points – $20,000 per vulnerability
  • Safe harbor

FIS is unpausing

Good day everyone,

We are excited to announce that we have resumed our public program. We appreciate everyone’s patience as we worked through the reports that piled up over the holidays. Additionally, in an effort to streamline things, during our pause we put together the additional points below, which we hope will clear up any uncertainties or questions researchers might have.

  1. Researchers are expected to provide a plausible demonstration of impact, but FIS will review each report with its internal context and may increase or decrease priority based on the outcome of the investigation.
        a. We must be able to justify priority and payment by the code samples/screenshots/videos provided in the researcher’s submission.

  2. Vulnerabilities will be rated using the Bugcrowd VRT, and the assigned category priority may be adjusted to a higher or lower priority according to the following criteria:
        a. Everything is contextual
            i. Environment (prod/non-prod data)
            ii. Impact demonstrated by the researcher
            iii. Relevant feedback from the app team
            iv. Risk to the organization
            v. Where it lands on the payment matrix
        b. e.g., two P1 submissions for the same vulnerability in different applications could receive different priorities or payouts

  3. Our program evolves over time, which will affect priority and payment for submissions
        a. Payment for certain issues can change
        b. Our methodology for determining impact can change
        c. We can’t retroactively adjust past submissions to reflect the current program stance
            i. i.e., we will not take money back from a submission that was paid more than it would be paid today

Please note:

Sensitive Data

  • Once sensitive data (including personally identifiable information (PII) or financial information) is identified, immediately halt your activity, purge related data from your system, and report the finding to FIS.

  • If PII is discovered, indicate the TYPE of PII in the report (e.g., SSN, name, address, etc.).

  • Do NOT submit any reports containing PII; any report with PII will be closed and not paid out.

Why was my ‘critical’ finding rated below P1 and paid less?

It could be that the environment you submitted against was a test environment and the same issue is not feasible in production. Also, as an example, something like default credentials on a marketing panel with no sensitive data, no write access and essentially no functionality will not result in a P1.

Why was my report paid lower than something I have reported in the past that is similar in nature?

It could be a difference in the applications, their functions, or the data involved. It could also reflect a review of, and change to, our pay matrix.

Why is my report taking so long to triage and payout?

For some assets, due to mergers or acquisitions, it can take longer to identify the owners. Also, we need to work closely with the application owners to assess the impact and the nature of the data.

Thank you all again for your patience, and happy hunting!