Simple offers a bank account that has all the tools you need to manage your money built right in, including a Simple Visa® Card, our powerful iOS and Android apps, a beautifully designed web interface, and customer support that really cares.
Simple understands the devotion and effort that security work requires. As such, we encourage (and reward) the responsible disclosure of any vulnerabilities to us.
Target
*.simple.com (please read our focus areas/out of scope rules)
If available, please include the value of the X-Simple-Request-Id Response header in your submission to help us more quickly validate your findings.
Focus Areas:
Out of Scope / Additional Information:
- email.simple.com, cmail.simple.com (Third-party provider)
- Do not use vulnerabilities to access, modify, harm, or otherwise alter any Simple (or its customers') data.
- Do not exploit vulnerabilities beyond what is needed to demonstrate them to Simple personnel.
- Please contact us through the Bugcrowd Crowdcontrol Platform if you are unsure of exploitability and we will work with you to verify it safely.
The following finding types are specifically excluded from the bounty:
- Descriptive error messages (e.g. stack traces, application or server errors).
- Account brute force or missing account lockout on the Login or Forgot Password pages, unless you demonstrate a successful login after the point at which a lockout should have been enforced.
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Banner disclosure on common/public services.
- BEAST attack.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking without an exploitable example (e.g. just reporting a missing X-FRAME-OPTIONS header).
- Self-XSS and issues exploitable only through Self-XSS.
- Cross-Site Request Forgery (CSRF) on forms that are available to anonymous users (e.g. the contact form).
- Logout CSRF.
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
Policy source: https://bugcrowd.com/simple