FIS

  • Points – $20,000 per vulnerability
  • Safe harbor

Program Details, Policy, and Rules Update

We hope everyone is having a fantastic holiday! Our number one priority is keeping our customers and clients safe. Recently, however, we have seen a handful of activities that have directly impacted our customers and clients. In response, we reviewed our program details, policy, and rules to ensure they are clear and to prevent any impacts in the future.

First and foremost, do not perform any testing that causes degradation to FIS services, e.g. denial of service or heavy automated scanning. We have seen instances of heavy automated scanning that have had an impact on the availability of a service. This activity can result in a reduced payout or no payout at all. Please use best practices when scanning our environments.

Secondly, those who have been here since the beginning know that FIS does not provision access for any researcher. Our program is built around black box testing, and as such researchers should be testing from an unauthenticated perspective, with credentials obtained by self-registration, or with default credentials. We still award broken access controls, authentication bypass, and account takeover attacks. We have updated the Access/Credentials section of the program page to better outline this; see below:

  • FIS does not provision accounts for testing.
  • FIS does not condone the sharing of credentials. FIS reserves the right to not pay bounties on reports found to be using valid end-user credentials.
  • Researchers are forbidden from soliciting credentials from FIS clients including the customers of FIS clients.
  • Any vulnerabilities that use credentials obtained by means other than self-registration will be subject to a reduced payout.

Finally, please take some time to read over our entire program page and reach out to us if you have any questions about certain rules.

Name URL
FIS https://bugcrowd.com/programs/fis

Happy holidays and happy hunting!

FIS Security Team