Oportun

Responsible Disclosure Policy:

If you believe you have discovered a potential security vulnerability in Oportun’s application, system, or asset, please report it through Oportun’s HackerOne Disclosure page or below embedded HackerOne’s Disclosure submission form. We will investigate your report and respond to you as soon as possible. Our team of dedicated security professionals work vigilantly to help keep customer information secure. We recognize and appreciate the important role that security researchers and our user community play in helping to keep Oportun and our consumers and customers secure.

Please note, Oportun does not operate a public bug bounty program and we make no offer of reward or compensation in exchange for submitting potential issues through this disclosure program.

Guidelines for Responsible Disclosure

Researchers shall disclose potential vulnerabilities in accordance with the following guidelines:

• Provide full details of the security vulnerability along with screenshots, target, steps followed, tools used, http requests and responses, and any other artifacts that would help us in validating the vulnerability.
• Share the security issue with us before making it public on message boards, mailing lists, and other forums.
• Allow us reasonable time to review, respond and address the issue before disclosing it publicly with Oportun’s prior written approval. By keeping your reports private until we resolve them, you are helping keep Oportun secure for our entire community.
• Do not engage in any activity that can potentially or actually cause harm to Oportun, our consumers or customers, or our employees.
• Do not engage in any activity that can potentially or actually stop or degrade Oportun’s applications, services, systems or assets.
• Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where
  • (i) data, assets or systems reside
  • (ii) data traffic is routed or
  • (iii) the researcher is conducting research activity.
• Do not store, share, compromise or destroy Oportun or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Oportun. This step protects any potentially vulnerable data, and you. PII will include, but not be limited to, consumer’s name, address, social security number or other identifying number or code, telephone number, email address, information obtained through Internet collection devices (i.e., cookies), financial information, credit history, application, loan or claim information, names or lists of individuals derived from nonpublic personally identifiable information or otherwise derived from Oportun, and the identification of an individual as a customer or as an individual claimant under a financial product or service provided by Oportun.
• Do not request direct compensation for the reporting of security issues either to Oportun, or through any external marketplace for vulnerabilities, whether black-market or otherwise.
• Do not initiate a fraudulent financial transaction.
• Do not engage in any fraudulent activity that may affect our customers data or Oportun’s assets.
• Follow HackerOne's disclosure guidelines

Out of Scope Vulnerabilities:

Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program. Out-of-scope vulnerabilities include:

• Physical Testing
• Social Engineering. For example, attempts to steal cookies, fake login pages to collect credentials, or steal employee or customer data to conduct any activity.
• Phishing
• Spamming
• Denial of service attacks
• Resource Exhaustion attacks
• Brute-force attacks