Details

Remitly looks forward to working with the security community to find security vulnerabilities in order to keep our customers and business safe.

Response Targets

Remitly will make a best effort to meet the following response targets for hackers participating in our program:

Time to first response (from report submit) - 2 business days
Time to triage (from report submit) - 2 business days
Time to bounty (from triage) - 10 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's disclosure guidelines.

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing, clickjacking) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

#Out of scope vulnerabilities When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

Any physical attacks against Remitly property.
Social engineering (e.g. phishing, vishing, smishing, spear phishing, etc.).
Bugs that have no security impact
Clickjacking on pages with no sensitive actions.
Unauthenticated/logout/login CSRF.
Account closing without CSRF
Wordpress user enumeration
Attacks requiring Man-in-the-middle or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS).
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
Attacks involving payment fraud, theft, or malicious merchant accounts.
Self-XSS, which includes any payload entered by the victim.
Infrastructure vulnerabilities including:
Issues related to SSL Certificates
DNS Configuration issues
Server configuration issues (e.g. open ports, TLS versions, etc.)
Vulnerabilities that only affect users of outdated or unpatched browsers and/or platforms.
Any other submission determined to be low risk based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact.
Path traversal on api.remitly.io
IDOR without security impact
Self XSS via cookies
Password Policy

Ownership of Submissions

As a condition of participation in the Bug Bounty Program, you hereby grant Remitly, its subsidiaries, affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Remitly in connection therewith, for any purpose. You should not send us any Submission that you do not wish to license to us. You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to Remitly.

Changes to Program Terms

The Bug Bounty Program, including its policies, is subject to change or cancellation by Remitly at any time, without notice. As such, Remitly may amend these Program Terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the Bug Bounty Program after Remitly posts any such changes, you accept the Program Terms, as modified.

Thank you for helping keep Remitly and our customers safe!

Response Targets

Remitly will make a best effort to meet the following response targets for hackers participating in our program:

Time to first response (from report submit) - 2 business days

Time to triage (from report submit) - 2 business days

Time to bounty (from triage) - 10 business days

We’ll try to keep you informed about our progress throughout the process.

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.

When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

Social engineering (e.g. phishing, vishing, smishing, clickjacking) is prohibited.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

Any physical attacks against Remitly property.

Social engineering (e.g. phishing, vishing, smishing, spear phishing, etc.).

Bugs that have no security impact

Clickjacking on pages with no sensitive actions.

Unauthenticated/logout/login CSRF.

Account closing without CSRF

Wordpress user enumeration

Attacks requiring Man-in-the-middle or physical access to a user's device.

Previously known vulnerable libraries without a working Proof of Concept.

Comma Separated Values (CSV) injection without demonstrating a vulnerability.

Missing best practices in SSL/TLS configuration.

Any activity that could lead to the disruption of our service (DoS).

Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.

Attacks involving payment fraud, theft, or malicious merchant accounts.

Self-XSS, which includes any payload entered by the victim.

Infrastructure vulnerabilities including:

Issues related to SSL Certificates

DNS Configuration issues

Server configuration issues (e.g. open ports, TLS versions, etc.)

Vulnerabilities that only affect users of outdated or unpatched browsers and/or platforms.

Any other submission determined to be low risk based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact.

Path traversal on api.remitly.io

IDOR without security impact

Self XSS via cookies

Password Policy

Ownership of Submissions

Changes to Program Terms

Thank you for helping keep Remitly and our customers safe!