Western Union Kudos

  • Points per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

54 vulnerabilities rewarded

Validation within 6 days
75% of submissions are accepted or rejected within 6 days

Latest hall of famers

Recently joined this program

401 total


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Western Union is a financial services and communications company based in the United States.

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

This program only awards points for VRT based submissions.


In scope

Target name Type
*.westernunion.* Website Testing
Any host or verified to be owned by Western Union (domains/IP space/etc.) Other

Regarding scope: If you are unsure if something is related to Western Union, please let us know anyway! While you will not receive kudos points for items we don't expressly own and manage, you will not be penalized via negative kudos points.

Target Information:

Any western union web or device property that is out of scope for our Cash based Program here, will be taken into consideration in this program.

Focus Areas:

  • Send Money / Track Transfer pages
  • We are most interested in vulnerabilities on our core platform and infrastructure
  • Ability to remotely gain access to other user's PCI Details (Credit card, CVV, etc)
  • Ability to remotely gain access to other user's PII Details (First name, last name ,payment information, etc.)
  • Remote Code Execution
  • Significant Authentication Bypass
  • Exfiltration of Sensitive Data or PII or PCI or MTCN
  • Remote Unauthorized Access to full WU database

Out of Scope

  • Do not perform DoS or DDoS attacks.
  • Do not in any way attack our end users, or engage in the trade of stolen/breached user credentials.
  • Do NOT conduct non-technical attacks such as social engineering, phishing or unauthorized access to Infrastructure.
  • Do NOT use automated scanners and tools.

The following finding types are specifically excluded from the bounty:

  • 3rd Party Clients (e.g. WordPress). If you are unsure whether or not a client is 3rd party, please check with us.
  • Re-posting of vendor notices for platform updates
  • Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • Self-XSS and issues exploitable only through Self-XSS.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Findings derived from SSL settings (e.g. BREACH attack, insecure SSL ciphers enabled).
  • Lack of Secure and HTTPOnly cookie flags.
  • Lack of Security Speedbump when leaving the site.
  • Username Enumeration
  • Visible Detailed Error/Debug Page - Detailed Server Configuration

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.