
Blend Labs
Blend Labs looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
Blend Labs will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 5 days |
| Time to Triage | 10 days |
| Time to Bounty | 14 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Blend's responsible disclosure and bug bounty program focuses on protecting the data, and the integrity of that data, of the lenders and borrowers who use our systems. The Blend platform makes it easy for borrowers to apply for loan products from any desktop, tablet, or mobile device, while enabling our lenders to work in parallel and follow up instantly with additional requests and information.
Since the Blend platform must collect, manage, and protect sensitive user data, such as PII and imported bank account data, we strive to ensure that the platform is as secure as possible. As such, we value (and reward) the responsible disclosure of any vulnerabilities to us.
For the initial prioritization/rating of findings, this program will use the HackerOne Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability's priority will be modified based on its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
Follow HackerOne's disclosure guidelines.
In-Scope Targets
https://knox.beta.blendlabs.com
Out-of-Scope Targets
Any *.blend.com or *.blendlabs.com subdomains.
Testing is only authorized on the targets listed as In-Scope. Any domain/property of Blend not listed in the targets section is out of scope. This includes any/all subdomains not listed above. The same applies to vulnerabilities found in any 3rd party services Blend integrates with and does not own.
If you believe you've identified a vulnerability on a system outside the scope, please reach out to HackerOne's support team before submitting it.
The Blend platform is composed of a ReactJS/Express.js front-end and Express.js microservices connected to various backend databases. The ReactJS/Express.js front-end contains both a lender view, which allows lenders to manage loans in the system, and a borrower view, which allows borrowers to complete a mortgage loan application. Lender accounts can only be created by an authorized Admin, but borrower accounts can either be created through self-registration or an invitation email.
All of the following issues, especially if originating from a borrower account (e.g. privilege escalation from a borrower account to a lender, access to another borrower's sensitive user data from a borrower account, etc.), are of particular interest to us.
The relationship between a lender and a borrower is unique in that lenders are privy to a great deal of sensitive financial information relating to a borrower. Furthermore, lenders within a single organization may need access to the data of the borrowers under other lenders within the same organization. What might initially appear to be a security finding of inappropriate data disclosure may actually be intended functionality when it comes to a lender's access to borrower data.
Blend beta environments contain several development tools to aid in creating test loans for specific cases. Findings that involve development-specific features will also not be considered valid. For example, if a vulnerability is disclosed that makes use of our "Fast Forward" or "Dev tools" functionality to create test loans, the finding will not be considered valid unless the exploit can be carried out without the use of the development tools.
Scanning is not permitted since the Blend platform is hosted behind an AWS ELB (AWS policy).
The "Receives notifications about unassigned loans" role option will generate a lot of emails towards any user with that role assigned. If you are interested in testing the functionality of this option, enable the option for a non-Admin role (preferably a newly created role) and assign a user/email address to that role.
When conducting vulnerability research according to this policy, we consider this research to be:
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via [email protected] before going any further.
Our rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of Blend Labs.
| Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |
|---|---|---|---|
| $7,500 | $3,000 | $750 | $250 |
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Blend Labs and our users safe!