USAA appreciates and supports engagement with the security community when potential security vulnerabilities in our digital assets are reported to us in accordance with our Responsible Disclosure policy.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability's priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
Reward Range

| Technical severity | Reward range |
|---|---|
| P1 Critical | $1,500 - $3,000 |
| P2 Severe | $900 - $1,800 |
| P3 Moderate | $250 - $400 |
| P4 Low | $100 - $100 |
Any domain/property of USAA not listed in the targets section is out of scope. This includes any/all subdomains not specifically listed.
Please create your own accounts on our main site for testing. Identity is not immediately validated, but response values are checked to ensure they are in a valid range.
- Please follow the Bugcrowd Standard Disclosure Terms.
- Do not make any attempts to phish members or employees.
- Submit detailed reproduction steps. Reports based only on automated tool/scanner results or which describe theoretical attack vectors without proof of exploitability will not be accepted.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
- USAA employees, contractors, or suppliers, and any persons related to or otherwise affiliated with USAA employees, contractors, or suppliers, may not submit to this program.
- Note: Excessive scan traffic may result in automated blocking.
- Authentication mechanisms
- Privilege escalation (horizontal or vertical)
- SQL or command injection
- Cross-site scripting
- Remote Code Execution
- Cross-Site Request Forgery
- Information Disclosure
- Security Decisions via Untrusted Inputs
- Vulnerabilities in USAA partner sites, or 3rd party sites
- Spam or social engineering techniques.
- Physical attacks against USAA offices, data centers, and Financial Centers.
Out-of-Scope Vulnerabilities/Best Practices
- Denial-of-Service Vulnerabilities
- Brute Force Vulnerabilities
- Unvalidated Redirects
- Anything requiring old browsers/old plugins/end-of-life software browsers
- Vulnerabilities which require physical access to a user's device
- Non-sensitive information available via our Content Delivery Network or on USAA Member Community sites.