YNAB

  • $150 – $3,000 per vulnerability
  • Safe harbor

Program stats

  • Vulnerabilities rewarded 142
  • Validation within 9 days 75% of submissions are accepted or rejected within 9 days

Latest hall of famers

Recently joined this program

We work hard to keep YNAB secure, and make every effort to keep on top of the latest threats by working with security researchers and companies. If you think we've made a security mistake or have a vulnerability, please tell us right away. If you're the first to alert us and it leads to us making a change, we'll pay you a reward.

Our Philosophy:

  1. We're on your side! We both want you to find bugs in our application before any bad guys do.
  2. Please be a hacker, but don't be a jerk. We'll get into more examples later, but that means: Hack your own accounts, not someone else's accounts. Don't perform DoS or DDoS attacks. Don't try to break into our physical offices or do anything illegal. Don't waste our time. This program is an invitation to test our systems. It's not an invitation to be a bad person.

What we hope you find:

(Actually, we hope you can't find any of this, but you know what we mean.)

The objective is to discover vulnerabilities in our web application and API.
Of particular interest are:

  • Bugs that Allow reading or writing of another user's data
  • XSS bugs
  • Bugs that Leak Sensitive information between sessions
  • Issues that affect Authentication or Session Management
  • Anything else classified P1-P3 really gets our attention!

How we classify submissions:

We classify all submissions based on Bugcrowds Vulnerability Taxonomy. P1s are scary, and we pay the maximum for those. On the other hand, P5s are considered "recommended practices", and we intentionally don't follow all recommendations. However, if you submit a P5 and we change our code as a result of your submission, it will be bumped to a P4, and paid out accordingly.
Note: Please don't pretend your issue is more severe than it is when describing it. It will lead to lost trust and higher frustration, but it never leads to higher payouts!

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.
This program does not allow for pivoting via the use/exploitation of issues found during testing.