Program stats

44 vulnerabilities rewarded

3 days average response time

$309.38 average payout (last 12 weeks)

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Simple offers a bank account that has all the tools you need to manage your money built right in. The funds in your Simple account are held by our partner bank, The Bancorp Bank, Member FDIC. Simple provides everything else, including the Simple Visa® Card, our powerful iOS and Android apps, a beautifully designed web interface, and customer support that really cares.

Simple understands the devotion and effort that security work requires. As such, we encourage (and reward) the responsible disclosure of any vulnerabilities to us.

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization of findings. Please see below for exclusions specific to this program.

Targets

If available, please include the value of the X-Simple-Request-Id response header in your submission; it lets us validate your finding more quickly.

Focus Areas:

  • Static marketing site https://www.simple.com
  • Main web application https://bank.simple.com
  • Mobile API gateway https://api.simple.com
  • Sign-up service https://www.simple.com/signup
  • Simple for iOS https://itunes.apple.com/us/app/simple-better-banking/id479317486
  • Simple for Android https://play.google.com/store/apps/details?id=com.banksimple

Out of Scope / Additional Information:

  • Do not use vulnerabilities to access, modify, harm, or otherwise alter any Simple (or its customers') data.
  • Do not exploit vulnerabilities except as needed to demonstrate them to Simple personnel.
  • Please contact us through the Bugcrowd Crowdcontrol Platform if you are unsure of exploitability and we will work with you to verify it safely.
  • Note: US based researchers may apply for an account, however, approval may take up to one week. Non-US based researchers may conduct unauthenticated testing as well as mobile testing.

The following finding types are also excluded from the bounty:

  • Disclosure of known public files or directories, (e.g. robots.txt).

Rewards:

Category   Reward ($)
P1         3,000
P2         900
P3         300
P4         100

Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for Informational (P5) findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.