FIS
- Points – $20,000 per vulnerability
Updates to program rules
We have a couple of changes happening with our program rules. Please see the changes outlined below:
The following rule is going into effect immediately:
“In instances where multiple vulnerabilities are identified against the same asset, as the result of one underlying issue:
-We will accept the first two submissions.
-All subsequent submissions will be considered duplicates.
Example:
Submission 1: Unauthenticated IDORs at https://fisglobal.com.com/rest/*
Affected Items:
-https://fisglobal.com.com/rest/method1/getUser/10
-https://fisglobal.com.com/rest/method1/getClient/15
-https://fisglobal.com.com/rest/method2/reports/20
The above submission will be accepted.
Submission 2: Unauthenticated IDORs at https://fisglobal.com.com/rest/*
Affected Items:
-https://fisglobal.com.com/rest/method5/deleteUser/12
-https://fisglobal.com.com/rest/method5/exports/daily/3
The above submission will be accepted.
Submission 3: Unauthenticated IDORs at https://fisglobal.com.com/rest/*
Affected Items:
-https://fisglobal.com.com/rest/method3/updateRecord/25
-https://fisglobal.com.com/rest/method4/settings/terminal/30
The above submission will be marked “Duplicate”.
In instances where multiple vulnerabilities are identified against the same asset, as the result of separate underlying issues, the above will not apply.
Example:
Submission 1: RCE on fisglobal.com.com via CVE-2024-1234
Affected Items:
-https://fisglobal.com.com/abc/endpointA
The above submission will be accepted.
Submission 2: RCE on fisglobal.com.com via Unrestricted File Upload
Affected Items:
-https://fisglobal.com.com/abc/endpointB
The above submission will be accepted.
Submission 3: RCE on fisglobal.com.com via Java Deserialization
Affected Items:
-https://fisglobal.com.com/abc/endpointC
The above submission will be accepted.”
In addition to the rules outlined above, any target that hits $50,000.00 in rewards in a 30-day period will be temporarily removed from scope for evaluation.
If you have any questions, please reach out to support@bugcrowd.com.
As always, please be sure to review the program brief in detail, and if you have any questions, please reach out to support@bugcrowd.com.
Happy Hunting and weekend!
-Emily and the FIS Team!