Introduction
Affirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.
Response Times
Affirm will make a best effort to meet our response targets for hackers participating in our program, and will try to keep you informed of our progress throughout the process.
Disclosure Policy
Program Rules
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Do not perform testing on Affirm employee accounts and internal tools.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- Only interact with accounts you own or with explicit permission of the account holder.
Program Scope
Please note: Returnly has been descoped from the bug bounty program effective 4/12/2023.
- Web application at https://sandbox.affirm.com/
- iOS application at Crashlytics: com.affirm.internal.hackerone
- Android application at Google Play Store: com.affirm.central.audit
Out of Scope Vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Brute force exploits.
- Clickjacking of any kind. It is improperly configured on our test site, but our main domain has an X-Frame-Options header set.
- Missing security cookie attributes (secure, httponly, and samesite).
- Unauthenticated/logout/login CSRF.
- Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Absence of rate limiting.
- Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS.
- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.
- User enumeration of any kind (e.g. email ownership checks and timing attacks).
- Improper error handling unless proven in the production environment.
- Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) related findings.
- Open redirection at the /redirect endpoint (redirect parameter) and at the /apps/affiliate/v1/generate-url endpoint (merchant_fallback_url parameter).
- (mobile) Lack of certificate pinning. The test apps are specifically built for testing environment, therefore there's no certificate pinning.
- Missing client side check on virtual card loan amount (must be greater than $100 and less than $10000).
- (mobile) Local access to user data when operating a rooted mobile device.
- (mobile) Attacks that require physical access to or modification of the mobile device are not in scope.
Affirm Testing Environment
iOS
The Affirm testing iOS app built for HackerOne is distributed through Crashlytics.
- Download the testing iOS application by going to https://appdistribution.firebase.dev/i/07fb2924d6938db2.
- Use your iOS device to visit that link and initiate the download process. Please note, the testing app is distributed through Firebase, and you have to install the Firebase and Affirm profiles on your testing iOS device.
Android
The Affirm Android testing app built for HackerOne is distributed through Google Play Store.
- Download the testing Android application by joining the affirmhackerone Google Group (https://groups.google.com/forum/#!forum/affirmhackerone).
- This Group is open to the public. Once you join, go to https://play.google.com/apps/testing/com.affirm.central.audit to initiate the download. (The app is only available in the US region in Google Play. If the account you are using is not in the US region, we recommend registering a new account for this testing, since Google only allows switching the region of an account once per year.)
To register an Affirm test user
- Go to https://sandbox.affirm.com/ and, under “Sign Up”, enter the following information:
- First Name (any value, letters only)
- Last Name (any value, letters only)
- Email address (any value, email format required)
- Phone number (any value, but please REMEMBER it, since it is your login)
- Date of birth (a date that makes the user older than 18)
- Last 4 digits of SSN (any value between 9500 and 9850; the last 3 digits set the FICO credit score of the test account, e.g. 9720 gives a score of 720)
- Click “Create Account” to finish
To leverage an Affirm test user
- Hit "login" in the web or mobile application.
- Enter the phone number you registered (the test site will NOT send an SMS; instead, use the hardcoded PIN code shown below).
- In the next step, enter “123456” as the verification code and click “Verify”.
To use testing payments
If you don't have a valid testing payment, you can use the following test payments.
Testing credit card numbers
| Issuer | Number |
|---|---|
| Visa | 4242 4242 4242 4242 |
| Master Card | 5555 5555 5555 4444 |
| American Express | 3782 822463 10005 |
Testing ACH
| Routing Number | Account Number |
|---|---|
| 112200439 | 12345678 |
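The test instruments above pass the standard format checks a payment form or app applies before a request ever reaches the sandbox. The following Python is an added example, not Affirm's code: it runs the listed card numbers through the Luhn (mod 10) check and the listed routing number through the ABA routing checksum, and computes Luhn check digits so a tester can craft further checksum-valid PANs when probing server-side handling (for instance the virtual card loan amount check mentioned under Out of Scope). The function names and the shape of the result are this example's own; the ACH account number has no standard checksum and is not validated.

```python
# Added example (not Affirm's code): client-side format checks for the test
# payment instruments listed on this page. Useful to confirm that a rejected
# request failed at the sandbox rather than at a local validator, and to build
# additional checksum-valid inputs for server-side testing.

TEST_CARDS = {
    "Visa": "4242 4242 4242 4242",
    "Master Card": "5555 5555 5555 4444",
    "American Express": "3782 822463 10005",
}
# The account number has no standard checksum, so only the routing number is checked.
TEST_ACH = {"routing": "112200439", "account": "12345678"}


def _digits(value: str) -> list[int]:
    """Strip spaces/dashes and return the digits of a card or routing number."""
    return [int(c) for c in value if c.isdigit()]


def luhn_valid(number: str) -> bool:
    """Luhn (mod 10) check used for payment card numbers.

    Working from the rightmost digit, every second digit is doubled (minus 9
    if the result exceeds 9); the number is valid when the digit sum is a
    multiple of 10.
    """
    digits = _digits(number)
    if len(digits) < 13:  # shortest real PAN length
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> int:
    """Return the check digit that makes `partial` + digit Luhn-valid.

    Once the check digit is appended it occupies the rightmost (undoubled)
    position, so the digits of `partial` that are doubled are those at even
    offsets from its right-hand end.
    """
    digits = _digits(partial)
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def aba_routing_valid(routing: str) -> bool:
    """ABA routing-number checksum: weights 3,7,1 repeated over nine digits, sum mod 10 == 0."""
    digits = _digits(routing)
    if len(digits) != 9:
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(w * d for w, d in zip(weights, digits)) % 10 == 0


def validate_test_instruments() -> dict[str, bool]:
    """Run every listed test instrument through its format check."""
    results = {name: luhn_valid(pan) for name, pan in TEST_CARDS.items()}
    results["ACH routing"] = aba_routing_valid(TEST_ACH["routing"])
    return results


if __name__ == "__main__":
    for name, ok in validate_test_instruments().items():
        print(f"{name:17s} {'valid' if ok else 'INVALID'}")
    # e.g. derive the Visa check digit from its first 15 digits
    print("Visa check digit:", luhn_check_digit("424242424242424"))
```

Run it directly to see each instrument marked valid. A PAN that fails `luhn_valid` will typically be rejected by the client before any request is sent, so when a test fails, check the number locally first; conversely, `luhn_check_digit` lets you build variants that pass the local check so that what you observe is the sandbox's own behaviour.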
Thank you for helping keep Affirm and our users safe!