We work hard to keep You Need a Budget secure, and make every effort to keep on top of the latest threats by working with security researchers and companies. If you think we've made a security mistake or have a vulnerability, please tell us right away. If you're the first to alert us and it leads to us making a change, we'll pay you a reward.

Our Philosophy:

  1. We're on your side! We both want you to find bugs in our application before any bad guys do.
  2. Please be a hacker, but don't be a jerk. We'll get into more examples later, but that means: Hack your own accounts, not someone else's accounts. Don't perform DoS or DDoS attacks. Don't try to break into our physical offices or do anything illegal. Don't waste our time. This program is an invitation to test our systems. It's not an invitation to be a bad person.

What we hope you find:

(Actually, we hope you can't find any of this, but you know what we mean.)

The objective is to discover vulnerabilities in our web application and API.
Of particular interest are:

  • Bugs that Allow reading or writing of another user's data
  • XSS bugs
  • Bugs that Leak Sensitive information between sessions
  • Issues that affect Authentication or Session Management
  • Anything else classified P1-P3 really gets our attention!

How we classify submissions:

We classify all submissions based on Bugcrowds Vulnerability Taxonomy. P1s are scary, and we pay the maximum for those. On the other hand, P5s are considered "recommended practices", and we intentionally don't follow all recommendations. However, if you submit a P5 and we change our code as a result of your submission, it will be bumped to a P4, and paid out accordingly.
Note: Please don't pretend your issue is more severe than it is when describing it. It will lead to lost trust and higher frustration, but it never leads to higher payouts!

Targets

In scope

Targets:

One domain is in scope:
https://ynab-api-staging.herokuapp.com

That is both our Single Page Application, as well our API endpoint, and both are targets. You will see the API endpoint being used when you fire up the app in your browser. Note that our native mobile applications are not currently in scope, but the API endpoints and the way they use the API is in scope. In other words, if you find they are using an API endpoint that is insecure, or can be abused in some way, that is in scope.

Note that our production app, our www site, and ANY other domains/properties not listed above are not in scope. This will likely change in the future.

Rules:

Bugcrowd's standard disclosure terms always apply.

Here are some of our favorite rules:
1: Don't mess with accounts you don't control. You can create multiple testing accounts if you need to test information leakage between them.
2: Don't run automated scans without checking with us first. They're noisy and look a heck of a lot like a real attack.
3: Don't DoS or DDoS us.
4: Don't try to break into our offices or perform social engineering on our employees.
5: Don't mess with our customers

Out of scope:

The following issues won't be considered for a bounty:

  • Email spoofing - we have SPF (and DKIM) settings enabled where appropriate, but if we are experimenting with our DMARC settings, spoofing might be possible temporarily.
  • Being vulnerable to a DoS attack
  • In rare cases, a Denial of Service attacks will be considered: i.e. A malformed JSON packet that crashes our server and causes it to stop responding. Hammering our site and slowing it down is not in scope!
  • Self-xss (tricking someone to running scripts in their console).
  • Note that we do consider self-XSS to be in scope (P4) if your only methods of input are the UI. (Typing anything in the console is not in scope). So, if you type in a magic string for an account name and get it to pop up an alert box, we definitely care!
  • Bugs that cause the application to not function, but that are not security-related. For instance, modifying the data sent to our servers and causing your account to get into an unloadable state might be possible. We would only be interested if you could break someone else's budget or cause them to break their own budget unintentionally.
  • Bugs that don't affect the latest version of Chrome, Firefox, or Safari, IE10, and Edge
  • User enumeration through sign up, logon and forgot password functionality.
  • CSRF on non-authenticated pages or that cause logout. (That includes login forms)
  • TLS/SSL configuration issues are not in scope unless they are egregious. Lack of pinning or allowing theoretically insecure cipher-suites is not in scope. If you still want to examine our SSL configuration, please evaluate https://app.youneedabudget.com rather than our staging site, and we'll trust you to know if you found something truly serious.

Known issues

The following are known or are considered by design:

  • Not listing all login sessions on a user-examinable page
  • Sessions not expiring due to changing passwords or emails
  • Ability to spam someone with forgot password functionality
  • Using the application before the email has been confirmed
  • CSV Injection
  • Failure to invalidate a session after an arbitrary timeout
  • Plaintext password field
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of public key pinning
  • Username / email enumeration via login, registration, or forgot password page

Platform description:

Client:

  • Ember 1.13 Single-Page Application
  • Allowed browsers: Latest of Chrome, Safari, IE 10, IE Edge and Firefox

Server:

  • We run on Heroku
  • Rails 4.x,
  • Ruby 2.x,
  • Puma 2.x,
  • Postgres 9.4
  • Our CDN is MaxCDN
  • We use Recurly for billing

Getting Started (Credentials)

  1. Read these rules and sign up for a Bugcrowd account .
  2. When creating an account on our services, use your BugCrowd username@bugcrowdninja.com. If you need to sign up for another account, you can do so with username+2@bugcrowdninja.com, and so on. Please don't create more accounts than you truly need. We recommend 2 accounts per researcher. When those trials run out, you can create two more.
  3. Find a vulnerability…
  4. Profit.

Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for Informational (P5) findings. Learn more about Bugcrowd's VRT.

This bounty requires explicit permission to disclose the results of a submission.
This program does not allow for pivoting via the use/exploitation of issues found during testing.