We are committed to ensuring a safe and secure service for our customers and we value the work done by security researchers in improving the security of our products. We are committed to working with this community to verify, reproduce, and respond to reported vulnerabilities. We encourage the community to participate in our responsible reporting process.
When participating in our responsible reporting process, you can expect us to:
- Work with you to understand and validate your report, including a timely triage of your submission by our partner, Bugcrowd
- Work to remediate discovered vulnerabilities in line with our internal vulnerability management policy (from 1 to 180 days depending on severity)
- Keep you informed when the issue is fixed; and
- If eligible, reward you accordingly
If issues reported to our bug bounty program affect a third-party library, external project, or another vendor, we reserve the right to forward details of the issue along to that party without further discussion with you (the researcher). We will do our best to coordinate and communicate with you throughout the process. However, these bugs will not be rewarded.
To benefit from the knowledge of security researchers, we encourage responsible disclosure of vulnerabilities in our platform. To avoid confusion between legitimate security research through the Bugcrowd program and a malicious attack, we ask that you attempt, in good faith, to:
- Play by the rules. This includes following our disclosure policy, including Bugcrowd’s standard disclosure terms and any other relevant agreements;
- Handle the confidentiality of details of any discovered vulnerabilities according to our Disclosure Policy;
- Report any vulnerability you’ve discovered promptly, provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and if applicable, a Proof of Concept;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- Avoid violating the privacy of others, disrupting our systems, destroying or modifying data not belonging to your test account, and/or harming user experience;
- If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept (PoC); and cease testing. Submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), sensitive data, or proprietary information;
- Although usage of automated vulnerability discovery tools is allowed, you should exercise common sense and avoid overly broad scans that initiate a huge amount of needless requests. This might result in us rate-limiting or blocking you, or closing your testing account. Do not simply send us a scanner's default output; focus on specific findings and clearly demonstrate impact (PoC). When scanning, use your Bugcrowd testing account (authenticated scans) or make it clear in the User-Agent header that you are a researcher. As we also see genuine attacks, this information is useful to us for triage;
- You should only interact with test accounts you own;
- Do not engage in extortion;
- Use the official Bugcrowd channel to discuss vulnerability information with us;
We consider activities conducted consistent with this policy to constitute “authorized” access under anti-hacking laws. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a claim against you for circumventing the technological measures we have used to protect the applications in scope. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy.
You are expected, as always, to comply with all applicable laws. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please reach out to us directly before going any further.
PGP Fingerprint: C8A1 9A40 C078 006A 4FD2 5F88 EC52 91DC 8DC2 8D45
PGP key published at: pgp.mit.edu
Contact: soc [@] transferwise.com
This program does not allow disclosure. Although we have chosen to adopt a non-disclosure policy, this is only temporary. In the meantime, you MUST not release information to any third party (and the public) about vulnerabilities found and/or remediation measures implemented.
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the severity rating and prioritization of issues.
Responsible Disclosure Guidelines
We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you providing you comply with the following Responsible Disclosure Guidelines:
- Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC)
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
- Do not modify or access data that does not belong to you
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the rating/prioritization of issues.
Scope and rewards
| Technical severity | Reward range    |
|--------------------|-----------------|
| P1 Critical        | $3,000 - $4,000 |
| P2 Severe          | $1,000 - $1,500 |
| P3 Moderate        | $300 - $500     |
| P4 Low             | $100 - $150     |