Curve is a UK based financial services company headquartered in London. The Curve platform allows you to simplify your finances, by centralising how you see, save, send, and spend it.

Curve looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe while banking with us.

For information around the on-boarding into the Curve Program, please see here: https://forms.gle/wQmYhGvfwN1hg2N79

Disclosure Policy

You should not discuss this program or any vulnerabilities (even resolved ones) outside of the program without expressed consent from Curve.

Follow HackerOne's disclosure guidelines.

If you are able to identify a security vulnerability (e.g., executing an attack and gaining access to our systems, accounts, or any other type of sensitive data), we ask that you do not leak data or damage the integrity of our systems and immediately report the issue privately to us via this program. Specifically, this means you agree to the below points:

• Do not publish the issue elsewhere;
• Provide us with details (code, endpoints, etc.) of the vulnerability so we can find, replay and fix it.
• Do not leak, copy, tamper, use or destroy any Curve data;
• Do not defraud Curve users or Curve itself (by making or enabling fraudulent transactions);
• Do not create a large number of user accounts or fake data records.

Setup

Welcome to the Curve Bug Bounty Program, great to have you onboard. There is some initial setup before you get started, we will try to make this as smooth as possible so you can get going.

Program Rules

• Do not perform resource intensive tests which could result in downtime for our services;
• Do not make financial transactions with compromised user accounts;
• Do not put any Curve or customer data at risk;
• It is prohibited to DoS and overload servers with many requests or any large request;
• It is prohibited to access and/or copy any form of sensitive or restricted data;
• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward;
• Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact;
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced);
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Social engineering attacks (e.g. phishing, vishing, smishing) are prohibited;
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

Response Targets

Curve will make a best effort to meet the following SLAs for hackers participating in our program:

• Time to first response (from report submit) - 2 business days;
• Time to triage (from report submit) - 2 business days;
• Time to bounty (from triage) - 5 business days. We aim to award bounties on triage but this isn't always possible.

We’ll try to keep you informed about our progress throughout the process.

Eligibility

Eligibility is limited to the in-scope domains and applications listed at the bottom of this page. Valid vulnerabilities on any domain not explicitly listed as in scope will be accepted but are ineligible for a cash reward (eligible for other rewards). Note that bugs in third party components only qualify if we determine that they can be used to successfully exploit Curve. Researchers must be the first to identify and report a previously unknown vulnerability to be eligible for an award.

Vulnerability reports must be submitted to Curve via HackerOne.

Vulnerabilities found in third party apps integrating with the Curve API should be reported to the responsible developer. You should only report vulnerabilities found in third party apps to Curve under this program if you do not receive a satisfactory response from the responsible developer. Vulnerabilities in third party apps are not eligible for cash rewards, but we do appreciate being made aware of them.

Out of Scope Vulnerabilities

The following types of vulnerabilities are not eligible under this program:

• Physical attacks against Curve employees, offices, or data centres;
• Social engineering of Curve employees or users (e.g. phishing);
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder;
• Denial of Service;
• API key leaks with no security consequences (e.g. Google Maps API key leak);
• Vulnerabilities in third party integrations with the Curve API;
• Vulnerabilities that are strictly client side;
• Vulnerabilities that require physical access, rooted / jailbroken devices, or debug access to a user’s device;
• Issues in our blog and social media accounts (Facebook, Twitter, etc.);
• Issues in our support platform (support.imaginecurve.com);
• Logout CSRF;
• User existence / user enumeration;
• Text-only injection in error pages;
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty;
• Unconfirmed reports from automated vulnerability scanners;
• Server and software versions in HTTP response headers;
• Lack of password complexity restrictions;
• Rate limiting or brute force issues

If you have any questions about the rules and scope of the bounty program, you can email us at [email protected].

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. You agree to provide your contact information to Curve or for HackerOne to exchange such information with us, should we ask for it.

Thank you for helping keep Curve and our users safe!