Western Union

  • Points – $5,000 per vulnerability
  • Managed by Bugcrowd

Program stats

280 vulnerabilities rewarded

Validation within 20 days
75% of submissions are accepted or rejected within 20 days

$105.55 average payout (last 3 months)

Recently joined this program

1005 total


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Western Union is a financial services and communications company based in the United States.

In general, Western Union adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization of findings, but they do reserve the right to alter priority on a case-by-case basis. Any submission where the priority is altered will be accompanied by an explanation from the Western Union team.


In scope

Target name Type
www.speedpay.com Website
payments.westernunion.com Website
https://www.westernunion.com Other
https://www2.westernunion.com Other
https://www.westernunion.fr Other
https://www.westernunion.de Other
https://www.westernunion.no Other
https://www.westernunion.se Other
https://www.westernunion.ca Other
https://www.westernunion.nl Other
https://www.westernunion.es Other
https://www.westernunion.ie Other
https://www.westernunion.ch Other
https://www.westernunion.pt Other
https://www.westernunion.be Other
https://www.westernunion.dk Other
https://www.westernunion.fi Other
https://www.westernunion.pl Other
https://www.westernunion.ee Other
https://www.westernunion.lu Other
https://www.westernunion.gr Other
https://www.westernunion.at Other
https://www.westernunion.it Other
https://www.westernunion.co.nz Other
https://www.westernunion.co.uk Other
https://www.westernunion.com.au Other
https://cuba.westernunion.com Other
https://egypt.westernunion.com Other
https://hk.westernunion.com Other
https://india.westernunion.com Other
https://jamaica.westernunion.com Other
https://locations.westernunion.com Other
https://m.westernunion.com Other
https://senegal.westernunion.com Other
https://sg.westernunion.com Other
https://wuagentportal.westernunion.com Website
https://agentportal.westernunion.com Website
https://paynow7.speedpay.com/ Website
https://paynow40.speedpay.com Website
https://westernunionbank.com Website
https://ebanking.westernunionbank.com Website
https://auth.globalpay.westernunion.com Website
http://globalpay.westernunion.com Website
payee.globalpay.westernunion.com Website
https://gpfi.globalpay.westernunion.com Website
transvision.westernunion.com Website
partnernet.westernunion.com Website
www.wuprepaid.de Website
iwgo.westernunion.com Website

Out of scope

Target name Type
https://www.inmateservices.westernunion.com Other
Any asset not listed above as 'In Scope' Website

Additional Information:

  • These sites are variations on a core web application handling all requests.
  • Security issues reproduced in one domain will be reproducible in other domains, making them a single core issue and only worth a single reward.


10/5/18 - JSON, JS and CSS will not be rewarded or marked as out of scope. Reflected XSS will be marked as P4 and stored XSS as P3.

5/24/18 - Both www.speedpay.com and payments.westernunion.com are now in-scope targets for the program.

7/10/18 - wuagentportal.westernunion.com, agentportal.westernunion.com, and paynow7.speedpay.com are now in-scope targets for the program.

The following finding types are specifically excluded from the bounty:

  • 3rd Party Clients (e.g. WordPress). If you are unsure whether or not a client is 3rd party, please check with us.
  • Re-posting of vendor notices for platform updates
  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • Login Page / Forgot Password Page: account brute force or account lockout not enforced.
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Banner disclosure on common/public services.
  • Disclosure of known public files or directories (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • Self-XSS and issues exploitable only through Self-XSS.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Findings derived from SSL settings (e.g. BREACH attack, insecure SSL ciphers enabled).
  • Lack of Secure and HTTPOnly cookie flags.
  • Lack of Security Speedbump when leaving the site.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.