Intuit is committed to ensuring the security of our services and customer information. As part of this commitment, we encourage security researchers to contact us to report any potential weaknesses identified in any product, system, or asset belonging to Intuit. This program isn’t intended to represent a monetary bug bounty program and we make no offers of monetary reward or compensation for submitting potential issues. We appreciate your commitment to improving Intuit services.
Program Policy
Security Researchers will disclose potential weaknesses in compliance with the following guidelines:
Do
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- Understand that when duplicates occur, we only award the first report received (provided that it can be fully reproduced).
- Understand that multiple vulnerabilities caused by one underlying issue should be combined into a single report.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Provide a clear, concise description of the steps needed to reproduce any vulnerability you submit.
- Provide the complete details related to the security issue, including proof-of-concept (POC) URL, as well as the details of the system(s) where tests have been conducted.
Don't
- Don’t cause harm to Intuit, its customers, shareholders, partners or employees.
- Don’t engage in any act that may cause an outage or stop any of Intuit’s services.
- Don’t engage in illegal activities or any acts that violate any international laws or regulations, or federal or state laws or regulations.
- Don’t store, share, compromise or destroy any Intuit data or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify Intuit.
- Don’t conduct fraudulent activity or complete fraudulent financial transactions as part of your research.
Response Targets
Intuit will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 2 |
| Time to Triage | 2 |
| Time to Award | 10 |
| Time to Resolution | Aligned to impact and complexity |
We’ll try to keep you informed about our progress throughout the process.
Disclosure Policy
- Intuit does not allow disclosure at this time. Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
Test Plan
- When creating an account for testing, please use the following syntax for email: [email protected], or use your @wearehackerone.com alias.
- When researching for a vulnerability, only use accounts you own. Do not attempt to use another user's account.
To help accelerate our validation of reports, please tag your traffic and include identifiers in your reports. Some examples include:
| Header | Value |
|---|---|
| X-Bug-Bounty | HackerOne-<username> |
| X-HackerOne | <sha256 value> |
| User-Agent | <product> / <product-version> <H1: username> |
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.
The following types of vulnerabilities are out of scope for this program:
- Phishing
- Social engineering
- Physical security assessments
- Any form of denial of service (DoS) attack
The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.
- Rate limiting or brute-force issues (we use various solutions to monitor and respond to anomalous traffic).
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies.
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version).
- Software version disclosure, banner identification issues, and descriptive error messages or headers (e.g. stack traces, application or server errors).
- Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
- Tabnabbing.
- Open redirect, unless an additional security impact can be demonstrated.
- Issues that require unlikely user interaction.
- Sessions not invalidated or devices not unlinked after password change.
- Copy/pasting tool output (e.g. WPScan results, SSL Labs links) as a report. A PoC and a detailed description of how it can affect a user's data or Intuit data/infrastructure must be included.
- Pursuing vulnerabilities which send unsolicited bulk messages (spam) or unauthorized messages.
- Arbitrary File Download.
Mobile Apps
The following issues are considered out of scope for mobile apps:
- Local access to user data when operating a rooted mobile device.
- Attacks that require an already compromised system and a malicious actor with escalated privileges.
- Attacks that require physical access to or modification of the hardware.
- Class and method name leak as a result of disassembly.
- Jailbreak detection bypass.
- Caching of application screenshots.
Please note:
- Any testing that has a negative impact on the availability of our products and services can result in being blocked or banned.
Submission Guidelines
All potential weaknesses submitted must include enough information to reproduce and validate the issue. Documentation should include a detailed summary of the issue, targets, steps performed, screenshots, tools utilized, and any information that will help Intuit during triage.
If you follow these guidelines and responsibly disclose any security weaknesses directly to Intuit, we agree not to pursue legal action against you. Intuit reserves its legal rights in the event of noncompliance with program guidelines.
Privacy and Security Notice
Intuit is committed to leveraging technology in a way that provides you transparency on how we collect, process, and share personal information. In accordance with the terms of the Intuit Privacy Statement, you understand and agree that, by providing us with an inquiry or a submission, we may collect certain information about you, your device, and your use of the Intuit Platform and sites.