Credit Karma Android
- $200 – $5,000 per vulnerability
- Managed by Bugcrowd
37 vulnerabilities rewarded
Validation within 8 days
75% of submissions are accepted or rejected within 8 days
$200 average payout (last 3 months)
Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.
Credit Karma is a personal finance technology company with more than 85 million members in the United States and Canada, including almost half of all millennials. The company offers a suite of products for members to monitor and improve credit health and provides identity monitoring and auto insurance estimates. Since 2007, we have been knocking down barriers that block the path to financial health, helping our members make informed choices and feel confident about their opportunities.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher – along with the opportunity to appeal, and make a case for a higher priority.
- Please add the following User Agent during the course of your testing: UA-BugBounty
- Please follow Bugcrowd’s Terms & Conditions when testing. Failure to follow those policies will result in your account being banned.
- Please do not change your test email address, as this would put you out of compliance with our program.
- Do not perform testing that involves recurring and/or scheduled scans on our platform.
In scope

| Target | Category |
| --- | --- |
| Credit Karma Android Mobile Application | Android |
| Credit Karma iOS Mobile Application | iOS |
| Credit Karma Canada iOS App | iOS |
Out of scope
Testing is only authorized on the targets listed as In-Scope. Any domain/property of
Each researcher will be given one test account. Please do not change your test email address, as this would put you out of compliance with our program. This will be verified during report submission. Please also follow the guide below to obtain credentials.
- Current researchers can log in here: https://bugcrowd.com/user/sign_in.
- New researchers can sign up here: https://bugcrowd.com/user/sign_up.
- You will be provided unique credentials for both CreditKarma.com and CreditKarma.ca.
- Please allow 24 business hours (PST) for your access to be granted.
- Authentication Protocol Vulnerabilities (For e.g. OAuth Implementation Flaws)
- Authentication Handoff from creditkarma.com to tax.creditkarma.com
- Tax Refund Destination Manipulation
- Do not set recurring scans. Doing so may result in you being blocked.
- We will not accept vulnerabilities that are related to miscalculation. This includes miscalculated tax returns, etc.
- IRS or other external entities
- All of our partners (banks, credit card companies, loan companies, etc) are strictly out of scope. Please understand that testing our partners will put this bug bounty program in jeopardy. Due to this, we will, unfortunately, have to remove researchers from our program who violate this rule.
- Do not test the physical security of Credit Karma’s offices, employees, data centers, etc.
- Do not test using social engineering techniques (this includes phishing attacks against Credit Karma employees/contractors).
- Do not perform DoS or DDoS attacks.
- Do not in any way attack our end users, or engage in the trade of stolen user credentials.
- We will not accept issues that are a result of pivoting. Only proof of the initial foothold is necessary.
Please note that the following classes will be marked as (Won’t Fix):
- Support tickets (zendesk.creditkarma.com and help.creditkarma.com)
- Spam (including issues related to SPF/DKIM/DMARC)
- Reports about weak password policy
- XMLRPC-related brute-force/enumeration/DDoS attacks
- Attacks requiring physical access to a user’s device
- User data stored unencrypted on the file system on rooted devices
This program follows Bugcrowd’s standard disclosure terms.