• $100 – $3,000 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

39 vulnerabilities rewarded

Validation within 12 days
75% of submissions are accepted or rejected within 12 days

$1,050 average payout (last 3 months)

Latest hall of famers

Recently joined this program


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

USAA appreciates and supports engagement with security community when potential security vulnerabilities in our digital assets are reported to us in accordance with Responsible Disclosure policy.


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Reward Range

Last updated
Technical severity Reward range
p1 Critical $1,500 - $3,000
p2 Severe $900 - $1,800
p3 Moderate $250 - $400
p4 Low $100 - $100
P5 submissions do not receive any rewards for this program.


In scope

Target name Type Website
USAA Mobile Application for Android Android
USAA Mobile Application for iOS iOS Other Website

Any domain/property of USAA not listed in the targets section is out of scope. This includes any/all subdomains not specifically listed.


iOS: Here
Android: Here


Please create your own accounts on our main site for testing. Identity is not immediately validated, but response values are checked to ensure they are in a valid range.


  • Please follow Bugcrowd Standard Disclosure Terms
  • Do not make any attempts to phish members or employees.
  • Submit detailed reproduction steps. Reports based only on automated tool/scanner results or which describe theoretical attack vectors without proof of exploitability will not be accepted.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • USAA employees, USAA contractors, or USAA suppliers or any persons related to or otherwise affiliated with USAA employees or contractors or suppliers may not submit to this program.
  • Note : Excessive scan traffic may result in automated blocking

Focus Areas:

  • Authentication mechanisms
  • Privilege escalation (horizontal or vertical)
  • SQL or command injection
  • Cross-site scripting
  • Remote Code Execution
  • Cross-Site Request Forgery
  • Information Disclosure
  • Security Decisions via Untrusted Inputs


  • Out-of-Scope Testing

    • Vulnerabilities in USAA partner sites, or 3rd party sites
    • Spam or social engineering techniques.
    • Physical attacks against USAA offices, data centers, and Financial Centers.
  • Out-of-Scope Vulnerabilities/Best Practices

    • Denial-of-Service Vulnerabilities
    • Brute Force Vulnerabilities
    • Unvalidated Redirects
    • Anything requiring old browsers/old plugins/end-of-life software browsers
    • Vulnerabilities which require physical access to a user's device
    • Non-sensitive information available via our Content Delivery Network or on USAA Member Community sites.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.