Western Union is a financial services and communications company based in the United States.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Regarding scope: If you are unsure if something is related to Western Union, please let us know anyway! While you will not receive kudos points for items we don't expressly own and manage, you will not be penalized via negative kudos points.
Any Western Union web or device property that is out of scope for our Cash based Program will be taken into consideration in this program.
- Send Money / Track Transfer pages
- We are most interested in vulnerabilities on our core platform and infrastructure
- Ability to remotely gain access to other users' PCI details (credit card, CVV, etc.)
- Ability to remotely gain access to other users' PII details (first name, last name, payment information, etc.)
- Remote Code Execution
- Significant Authentication Bypass
- Exfiltration of Sensitive Data or PII or PCI or MTCN
- Remote Unauthorized Access to full WU database
Out of Scope
- Do not perform DoS or DDoS attacks.
- Do not in any way attack our end users, or engage in the trade of stolen/breached user credentials.
- Do NOT conduct non-technical attacks such as social engineering, phishing or unauthorized access to Infrastructure.
- Do NOT use automated scanners and tools.
The following finding types are specifically excluded from the bounty:
- 3rd Party Clients (e.g. WordPress). If you are unsure whether or not a client is 3rd party, please check with us.
- Re-posting of vendor notices for platform updates
- Login page / forgot password page: account brute force, or account lockout not enforced.
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- Self-XSS and issues exploitable only through Self-XSS.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Findings derived from SSL settings (e.g. BREACH attack, insecure SSL ciphers enabled).
- Lack of Secure and HTTPOnly cookie flags.
- Lack of Security Speedbump when leaving the site.
- Username Enumeration
- Visible Detailed Error/Debug Page - Detailed Server Configuration
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
- You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via firstname.lastname@example.org before going any further.