Under Armour AppSec

  • $125 – $2,500 per vulnerability
  • Partial safe harbor

Program stats

  • Vulnerabilities rewarded: 516
  • Validation within 5 days: 75% of submissions are accepted or rejected within 5 days
  • Average payout: $410 within the last 3 months

Disclosure

Please note: This program or engagement does not allow disclosure. You may not release information about vulnerabilities found in this program or engagement to the public.

Our Mission:

TO MAKE ALL ATHLETES BETTER THROUGH PASSION, DESIGN AND THE RELENTLESS PURSUIT OF INNOVATION.

Our Brand is about energy and passion. It’s about an obsession with Fighting On Together to be stronger and more powerful - to Always Connect. We believe in Thinking Beyond to invent, innovate, and Create Fearlessly. We believe in staying connected To Athletes and know that adversity even in the digital world can bring us together. We know that the world expects great things from Under Armour and that daring to lead means thinking beyond. Our Brand Voice has always been simple and bold, as illustrated in our earliest commercial spot from 2003, rallying an entire generation of athletes to PROTECT THIS HOUSE.

Under Armour Mission & Values

We want to engage the security research community as partners & teammates to Stay True, protect our athletes, and protect their data. Doing so enables our Global Community of athletes to Celebrate their Goals within the largest digital health & fitness community in the world.

There are no odds too big. No goal too high. Will you PROTECT THIS HOUSE?

#WEWILL #WillFindsAWay

Under Armour VRT Amendments

| Bug Type | Original Priority Rating | Under Armour Priority Rating |
|---|---|---|
| Injection – File Inclusion – Local | P1 | P3 |
| Injection – XML External Entity Injection (XXE) | P1 | P2 |
| Cross-Site Scripting (XSS) – Stored | P2 | P3 |
| Security Misconfiguration – Misconfigured DNS – With POC (High Impact Subdomain Takeover) | P2 | P3 |
| Security Misconfiguration – Misconfigured DNS – With POC (Basic Subdomain Takeover) | P3 | P4 |
| Sensitive Misconfiguration – Weak Password Policy – Complexity, Both Length and Char Type Not Enforced | P3 | P5 |
| Security Misconfiguration – Lack of Password Confirmation – Change Email Address | P4 | P5 |
| Security Misconfiguration – Lack of Password Confirmation – Change Password | P4 | P5 |
| Security Misconfiguration – Lack of Password Confirmation – Delete Account | P4 | P5 |
| Security Misconfiguration – Unsafe File Upload – No Antivirus | P4 | P5 |
| Security Misconfiguration – Unsafe File Upload – No Size Limit | P4 | P5 |
| Security Misconfiguration – Weak Password Policy – Complexity, Length Not Enforced | P4 | P5 |
| Security Misconfiguration – Weak Password Policy – Complexity, Char Type Not Enforced | P4 | P5 |
| Security Misconfiguration – Weak Reset Password Policy – Token is Not Invalidated After Use | P4 | P5 |
| Security Misconfiguration – Captcha Bypass – Implementation Vulnerability | P4 | P5 |
| Sensitive Data Exposure – EXIF Geolocation Data Not Stripped From Uploaded Images – Automatic User Enumeration | P3 | P5 |
| Sensitive Data Exposure – EXIF Geolocation Data Not Stripped From Uploaded Images – Manual User Enumeration | P4 | P5 |
| Missing Function Level Access Control – Username Enumeration – Data Leak | P4 | P5 |
| Sensitive Data Exposure – Private API Keys – No POC | P1 | P5 |
| Application-Level Denial-of-Service (DoS) – Low Impact and/or Medium Difficulty – Password Length DoS (Server-Side) | P4 | P5 |
| Broken Access Control (BAC) – Username/Email Enumeration – Non-Brute Force | P4 | P5 |
| Sensitive Data Exposure – Visible Detailed Error/Debug Page – Detailed Server Configuration | P4 | P5 |

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.