Simple offers a bank account that has all the tools you need to manage your money built right in. The funds in your Simple account are held by our partner bank, The Bancorp Bank, Member FDIC. Simple provides everything else, including the Simple Visa® Card, our powerful iOS and Android apps, a beautifully designed web interface, and customer support that really cares.

Simple understands the devotion and effort that security work requires. As such, we encourage (and reward) the responsible disclosure of any vulnerabilities to us.

Targets

In scope

  • *.simple.com (please read our focus areas/out of scope rules)

If available, please include the value of the X-Simple-Request-Id Response header in your submission to help us more quickly validate your findings.

Focus Areas:
- Static marketing site https://www.simple.com
- Main web application https://bank.simple.com
- Mobile API gateway https://api.simple.com
- Sign-up service https://www.simple.com/signup
- Simple for iOS https://itunes.apple.com/us/app/simple-better-banking/id479317486
- Simple for Android https://play.google.com/store/apps/details?id=com.banksimple

Out of Scope / Additional Information:
- All third party applications not under Simple's control are out of scope.
- email.simple.com, cmail.simple.com
- Do not use vulnerabilities to access, modify, harm, or otherwise alter any Simple (or its customers') data.
- Do not exploit vulnerabilities except for the purpose of demonstrating them to Simple personnel.
- Please contact us through the Bugcrowd Crowdcontrol Platform if you are unsure of exploitability and we will work with you to verify it safely.
- Note: US based researchers may apply for an account, however, approval may take up to one week. Non-US based researchers may conduct unauthenticated testing as well as mobile testing.

The following finding types are specifically excluded from the bounty:
- Descriptive error messages (e.g. stack traces, application or server errors).
- Login page / forgot password page account brute force, or account lockout not being enforced, without demonstrating a successful login after a lockout attempt.
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Banner disclosure on common/public services.
- BEAST attack.
- Disclosure of known public files or directories (e.g. robots.txt).
- Clickjacking without an exploitable example (e.g. just reporting a missing X-FRAME-OPTIONS header).
- Self-XSS and issues exploitable only through Self-XSS.
- Cross-Site Request Forgery (CSRF) on forms that are available to anonymous users (e.g. the contact form).
- Logout CSRF.
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.

Out of Scope bugs for Android apps

  • Shared links leaked through the system clipboard.
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • Absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • User data stored unencrypted on external storage
  • Lack of obfuscation
  • OAuth "app secret" hard-coded/recoverable in the APK
  • Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)
  • Any kind of sensitive data stored in app private directory
  • Lack of binary protection controls in the Android app

Out of Scope bugs for iOS apps

  • Lack of exploit mitigations, i.e. PIE, ARC, or stack canaries
  • Absence of certificate pinning
  • Path disclosure in the binary
  • User data stored unencrypted on the file system
  • Lack of obfuscation
  • Lack of jailbreak detection
  • OAuth "app secret" hard-coded/recoverable in the app binary
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits (exploits only possible in a jailbroken environment)

Rules

This bounty follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.