• Points per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

257 vulnerabilities rewarded

Validation within 1 day
75% of submissions are accepted or rejected within 1 day

Latest hall of famers

Recently joined this program


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Our Mission:


Our Brand is about energy and passion. It’s about an obsession with Fighting On Together to be stronger and more powerful - to Always Connect. We believe in Thinking Beyond to invent, innovate, and Create Fearlessly. We believe in staying connected To Athletes and know that adversity even in the digital world can bring us together. We know that the world expects great things from Under Armour and that daring to lead means thinking beyond.

Our Brand Voice has always been simple and bold, as illustrated in our earliest commercial spot from 2003, rallying an entire generation of athletes to PROTECT THIS HOUSE.

We want to engage the security research community as partners & teammates to Stay True, protect our athletes, and protect their data. Doing so enables our Global Community of athletes to Celebrate their Goals within the largest digital health & fitness community in the world.

There are no odds too big. No goal too high. Will you PROTECT THIS HOUSE?

#WEWILL #WillFindsAWay

Under Armour Mission & Values

Under Armour VRT Amendments

Bug Type Original Priority Rating Under Armour Priority Rating
A1 - Injection File – Inclusion – Local P1 P3
A1 - Injection – XML External Entity Injection (XXE) P1 P2
A3 - Cross-Site Scripting (XSS) – Stored P2 P3
A5 – Security Misconfiguration Misconfigured – DNS -With POC (High Impact Subdomain Takeover) P2 P3
A5 – Security Misconfiguration Misconfigured – DNS -With POC ( Basic Subdomain Takeover) P3 P4
A5– Sensitive Misconfiguration – Weak Password Policy – Complexity, Both Length and Char Type Not Enforced P3 P5
A5 – Security Misconfiguration – Lack of Password Confirmation - Change Email Address P4 P5
A5 – Security Misconfiguration – Lack of Password Confirmation - Change Password P4 P5
A5 – Security Misconfiguration – Lack of Password Confirmation - Delete Account P4 P5
A5 – Security Misconfiguration – Unsafe File Upload – No Antivirus P4 P5
A5 – Security Misconfiguration – Unsafe File Upload – No Size Limit P4 P5
A5 – Security Misconfiguration – Weak Password Policy – Complexity, Length Not Enforced P4 P5
A5 – Security Misconfiguration – Weak Password Policy – Complexity, Char Type Not Enforced P4 P5
A5 – Security Misconfiguration – Weak Reset Password Policy – Token is Not Invalidated After Use P4 P5
A5 – Security Misconfiguration – Captcha Bypass –Implementation Vulnerability P4 P5
A6 – Sensitive Data Exposure – EXIF Geolocation Data Not Stripped From Uploaded Images – Automatic User Enumeration P3 P5
A6 – Sensitive Data Exposure – EXIF Geolocation Data Not Stripped From Uploaded Images –Manual User Enumeration P4 P5
A7 – Missing Function Level Access Control – Username Enumeration – Data Leak P4 P5
A9 – Using Components with Known Vulnerabilities – Rosetta Flash – With POC P4 P5
B1 – Application-Level Denial-of-Service (DoS) – Low Impact anf/or Medium Difficulty – Password Length DoS (Server-Side) P4 P5
M2 – Insecure Data Storage – Credentials Stored Unencrypted - On External Storage *Sensitive Data Only
M2 – Insecure Data Storage – Sensitive Application Data Stored Unencrypted – On External Storage *UA Definition


In scope

Target name Type
https://www.mapmyfitness.com Other
https://www.mapmyrun.com Other
https://www.mapmyride.com Other
https://www.mapmywalk.com Other
https://www.myfitnesspal.com Other
https://record.underarmour.com/ Other
mapmyfitness.api.ua.com Other
api.myfitnesspal.com/v2/ Other
UA Gemini Record Equipped running shoe that you own or have authorization to test Other
UA HOVR Equipped running shoe that you own or have authorization to test Website
https://www.endomondo.com/ Website
Endomondo iOS iOS
Endomondo Android Android
MapMyFitness iOS iOS
MapMyFitness Android Android
MyFitnessPal iOS iOS
MyFitnessPal Android Android
UA Record iOS iOS
UA Record Android Android
UA Shop iOS iOS
UA Shop Android Android
https://www.underarmour.com Website
https://www.underarmour.co.uk Website

Any Under Armour domain/property not listed above is out of scope for this engagement.



  • Developer API portal & documentation: developer.underarmour.com
  • Note that the API domains are typically used within the context of applications that use them. Going directly to the domain will not provide any usable content.

Blackout Periods:

Due to athlete & business needs, certain dates will be off-limits for active security testing. This list will be updated regularly, so please check before engaging in active testing.

Nov 09, 2018 to Nov 12, 2018
Nov 21, 2018 to Nov 27, 2018
Dec 22, 2018 to Jan 15, 2019

Access & Credentials:

Researchers must sign up for test accounts using bugcrowdninja.com e-mail address:
If additional accounts are necessary, self-signup using the pattern:

Focus Areas:

Our primary focus is our athletes and their data. As such,

  • Integrity & accuracy of user data
  • Availability of user data for each user and for those they have chosen to share with
  • Confidentiality of user data, and reflecting their privacy choices for that data. For example If a user sets a workout as public, all other users may see it. If they set to share with friends, non-friends should not see it. And if they mark as private, even their friends should not see it.

Out of Scope Testing:

The following types of security testing is strictly prohibited and out of scope:

  • Denial of Service (DoS) and Distributed Denial of Service (DDoS)
  • Attacking other users's accounts or devices
  • Collecting & retaining user data extracted from the platform
  • Attacking advertisers or digital advertising exchanges we partner with
  • Attacking Under Armour advertisements on any website
  • Distributing malware, ransomware, viruses, or worms on any UnderArmour or affiliated website
  • Targeting administrative portals
  • Infrastructure attacks on our cloud-based servers and the supporting providers

Note: If you encounter user data leaks, we want to know, and will absolutely reward those defects. But once reported, we expect researchers to securely delete any data obtained in the process of testing & reporting those defects.

Out of Scope Websites, Apps, & APIs

All UnderArmour websites not listed above as targets are out of scope. These include, but are not limited to, the following categories & examples:

  • Support, blogs, and community forums
  • Any mobile application not specifically listed as a target
  • E-commerce Platforms
    • International e-commerce & marketing websites i.e. www.underarmour.<country> that are not specifically listed as targets
    • Affiliates: www.underarmour.com/en-us/affiliate-home
  • Corporate websites
    • www.uabiz.com, investor.underarmour.com, productsafety.underarmour.com
    • uabusiness.force.com
    • www.underarmour.jobs, myfitnesspal.com/jobs or other affiliated career websites
  • Administrative portals for any Under Armour systems
  • Marketing, retail, and distributor platforms
    • blog.underarmour.com
    • www.uateamcatalogs.com www.uaretail.com uaallaccess.com and other UA retail/sales websites
    • Promotional platforms for sponsored teams, athletes, or partnerships
    • Social media accounts used by UnderArmour, sponsored athletes, teams, or partnerships
  • Plank Industries - any company or affiliate related to Plank Industries
    • www.plankindustries.com
  • Other
    • Any website registered to Under Armour, Plank Industries, or any affiliated subsidiary

The following finding types are specifically excluded from the bounty:

  • Insecure Direct Object References that accesses Publicly Available information about users.
  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
  • Lack of Security Speedbump when leaving the site.
  • Weak Captcha / Captcha Bypass
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled
  • HTTPS Mixed Content Scripts
  • Username / email enumeration
    • via Login Page error message
    • via Forgot Password error message
  • Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    • Content-Security-Policy-Report-Only
  • SSL Issues, e.g.
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack
    • SSL Forward secrecy not enabled
    • SSL weak / insecure cipher suites

Out of Scope bugs for Android apps

  • Shared links leaked through the system clipboard.
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • Absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • User data stored unencrypted on external storage
  • Lack of obfuscation is out of scope
  • OAuth "app secret" hard-coded/recoverable in apk
  • Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope)
  • Any kind of sensitive data stored in app private directory
  • Lack of binary protection control in android app

Out of Scope bugs for iOS apps

  • Lack of Exploit mitigations ie PIE, ARC, or Stack Canaries
  • Absence of certificate pinning
  • Path disclosure in the binary
  • User data stored unencrypted on the file system
  • Lack of obfuscation is out of scope
  • Lack of jailbreak detection is out of scope
  • OAuth "app secret" hard-coded/recoverable in apk
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits (exploits only possible in a jailbroken environment)


Rewards will be from kudos. Valued contributions may be rewarded individually by UA.

Program rules

This program follows Bugcrowd’s standard disclosure terms.