FIS

  • Points – $20,000 per vulnerability
  • Safe harbor

Updates to program rules

We have a couple of changes happening with our program rules. Please see the changes outlined below:

The following rule is going into effect immediately:

“In instances where multiple vulnerabilities are identified against the same asset, as the result of one underlying issue:

-We will accept the first two submissions.
-All subsequent submissions will be considered duplicates.

Example:

Submission 1: Unauthenticated IDORs at https://fisglobal.com.com/rest/*

Affected Items:
-https://fisglobal.com.com/rest/method1/getUser/10
-https://fisglobal.com.com/rest/method1/getClient/15
-https://fisglobal.com.com/rest/method2/reports/20

The above submission will be accepted.

Submission 2: Unauthenticated IDORs at https://fisglobal.com.com/rest/*

Affected Items:
-https://fisglobal.com.com/rest/method5/deleteUser/12
-https://fisglobal.com.com/rest/method5/exports/daily/3

The above submission will be accepted.

Submission 3: Unauthenticated IDORs at https://fisglobal.com.com/rest/*

Affected Items:
-https://fisglobal.com.com/rest/method3/updateRecord/25
-https://fisglobal.com.com/rest/method4/settings/terminal/30

The above submission will be marked “Duplicate”.

In instances where multiple vulnerabilities are identified against the same asset, as the result of separate underlying issues, the above will not apply.

Example:

Submission 1: RCE on fisglobal.com.com via CVE-2024-1234

Affected Items:
-https://fisglobal.com.com/abc/endpointA

The above submission will be accepted.

Submission 2: RCE on fisglobal.com.com via Unrestricted File Upload

Affected Items:
-https://fisglobal.com.com/abc/endpointB

The above submission will be accepted.

Submission 3: RCE on fisglobal.com.com via Java Deserialization

Affected Items:
-https://fisglobal.com.com/abc/endpointC

The above submission will be accepted.”

In addition to the rules outlined above, any target that hits $50,000.00 in rewards in a 30-day period will be temporarily removed from scope for evaluation.

If you have any questions, please reach out to support@bugcrowd.com.

As always, please be sure to review the program brief in detail, and if you have any questions, please reach out to support@bugcrowd.com.

Happy Hunting and weekend!

-Emily and the FIS Team!