Under Armour AppSec
- $125 – $2,500 per vulnerability
TO MAKE ALL ATHLETES BETTER THROUGH PASSION, DESIGN AND THE RELENTLESS PURSUIT OF INNOVATION.
Our Brand is about energy and passion. It’s about an obsession with Fighting On Together to be stronger and more powerful - to Always Connect. We believe in Thinking Beyond to invent, innovate, and Create Fearlessly. We believe in staying connected To Athletes and know that adversity even in the digital world can bring us together. We know that the world expects great things from Under Armour and that daring to lead means thinking beyond. Our Brand Voice has always been simple and bold, as illustrated in our earliest commercial spot from 2003, rallying an entire generation of athletes to PROTECT THIS HOUSE.
Under Armour Mission & Values
We want to engage the security research community as partners & teammates to Stay True, protect our athletes, and protect their data. Doing so enables our Global Community of athletes to Celebrate their Goals within the largest digital health & fitness community in the world.
There are no odds too big. No goal too high. Will you PROTECT THIS HOUSE?
Under Armour VRT Amendments
| Bug Type | Original Priority Rating | Under Armour Priority Rating |
| --- | --- | --- |
| Injection – File Inclusion – Local | P1 | P3 |
| Injection – XML External Entity Injection (XXE) | P1 | P2 |
| Cross-Site Scripting (XSS) – Stored | P2 | P3 |
| Security Misconfiguration – Misconfigured DNS – With POC (High Impact Subdomain Takeover) | P2 | P3 |
| Security Misconfiguration – Misconfigured DNS – With POC (Basic Subdomain Takeover) | P3 | P4 |
| Security Misconfiguration – Weak Password Policy – Complexity, Both Length and Char Type Not Enforced | P3 | P5 |
| Security Misconfiguration – Lack of Password Confirmation – Change Email Address | P4 | P5 |
| Security Misconfiguration – Lack of Password Confirmation – Change Password | P4 | P5 |
| Security Misconfiguration – Lack of Password Confirmation – Delete Account | P4 | P5 |
| Security Misconfiguration – Unsafe File Upload – No Antivirus | P4 | P5 |
| Security Misconfiguration – Unsafe File Upload – No Size Limit | P4 | P5 |
| Security Misconfiguration – Weak Password Policy – Complexity, Length Not Enforced | P4 | P5 |
| Security Misconfiguration – Weak Password Policy – Complexity, Char Type Not Enforced | P4 | P5 |
| Security Misconfiguration – Weak Reset Password Policy – Token is Not Invalidated After Use | P4 | P5 |
| Security Misconfiguration – Captcha Bypass – Implementation Vulnerability | P4 | P5 |
| Sensitive Data Exposure – EXIF Geolocation Data Not Stripped From Uploaded Images – Automatic User Enumeration | P3 | P5 |
| Sensitive Data Exposure – EXIF Geolocation Data Not Stripped From Uploaded Images – Manual User Enumeration | P4 | P5 |
| Missing Function Level Access Control – Username Enumeration – Data Leak | P4 | P5 |
| Sensitive Data Exposure – Private API Keys – No POC | P1 | P5 |
| Application-Level Denial-of-Service (DoS) – Low Impact and/or Medium Difficulty – Password Length DoS (Server-Side) | P4 | P5 |
| Broken Access Control (BAC) – Username/Email Enumeration – Non-Brute Force | P4 | P5 |
| Sensitive Data Exposure – Visible Detailed Error/Debug Page – Detailed Server Configuration | P4 | P5 |
Scope and rewards
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email email@example.com. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.