Western Union is a financial services and communications company based in the United States.
This program is managed by the Bugcrowd team.
- These sites are variations on a core web application handling all requests.
- Security issues reproduced in one domain will be reproducible in other domains, making them a single core issue and only worth a single reward.
The following finding types are specifically excluded from the bounty:
- 3rd Party Clients (e.g. WordPress). If you are unsure whether or not a client is 3rd party, please check with us.
- Re-posting of vendor notices for platform updates.
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- Login page / forgot password page: account brute force or account lockout not enforced.
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Banner disclosure on common/public services.
- Disclosure of known public files or directories (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- Self-XSS and issues exploitable only through Self-XSS.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Findings derived from SSL settings (e.g. BREACH attack, insecure SSL ciphers enabled).
- Lack of Secure and HttpOnly cookie flags.
- Lack of Security Speedbump when leaving the site.
This bounty follows Bugcrowd’s standard disclosure terms.