Introduction

Welcome to SoFi’s Bug Bounty Program! Our commitment to security means we value the independent security research community's contribution. SoFi’s bug bounty program is private and invite-only and requires SoFi’s Security Team to review your request before inviting you to the program and accepting your reports.

This page outlines our bug bounty program, including scope, and how to report vulnerabilities responsibly.

Program Scope

Our bug bounty program covers the following domains:

• com.sofi.mobile (Android and iOS)
• sofiwealth.com/*
• sofi.com/*

Scope exclusions

Other than the domains above, other targets are explicitly out of scope. Submissions regarding these domains will be accepted but do not qualify for financial rewards. Additionally, below subdomains are deemed out of scope as well.

• forum.sofi.com
• mail.sofi.com
• email.sofi.com

Out of Scope Vulnerabilities

To maintain focus and efficiency, certain types of vulnerabilities are considered out of scope. To qualify for the financial rewards, you need to demonstrate a substantial impact on the SoFi customers or systems. The following are examples of vulnerabilities that do not qualify for a monetary reward.

• Username/email enumeration
• Scanner output or scanner-generated reports, including any automated or active exploit tool
• Vulnerabilities involving stolen credentials or physical access to a device * Social engineering attacks, including those targeting or impersonating internal employees by any means.
• Vulnerabilities found through DDoS or spam attacks.
• Self-XSS, which includes any payload entered by the victim
• Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls
• Login/logout CSRF
• Content spoofing without embedding an external link or JavaScript * Missing cookie flags on non-security sensitive cookies
• Password and account recovery policies, such as reset link expiration or password complexity
• Bruteforce attempts
• Vulnerabilities that require a jailbroken mobile device
• Missing cookies and flags
• Issues related to software or protocols not under SoFi control
• Any physical attacks against SoFi property and employees
• Infrastructure vulnerabilities, including:
• Issues related to SSL certificates
• DNS configuration issues
• Server configuration issues (e.g. open ports, TLS versions, etc.) * Vulnerabilities only affecting users of outdated, unpatched, or unsupported browsers and platforms, including any version of Internet Explorer * Exposed credentials that are either no longer valid, or do not pose a risk to an in-scope asset
• Vulnerabilities on third-party libraries without showing a specific impact on the target application (e.g. a CVE with no exploit)
• Lack of SSL or Mixed content
• Certificate Pinning

Reporting

Contact us at [email protected] and we will provide you with access to a dedicated portal where you can submit your findings and officially participate in our bug bounty program. This portal will also be your gateway to receiving rewards and exclusive merchandise.

Responsible Disclosure Policy

1. SoFi does not promote, encourage, or engage in independent security testing of its products and services without authorization. The use of our products, services, and externally facing websites and applications must adhere strictly to our Terms of Service and comply with all relevant laws and regulations.

2. Should you come across information that you believe points to a potential security issue within SoFi product or service, we encourage you to share this information with us. Such contributions are invaluable in aiding our efforts to enhance security measures or address vulnerabilities. Upon receipt through secure channels, we will thoroughly investigate the matter and take the necessary steps based on our findings.

3. Please understand that the process of verifying and remedying reported vulnerabilities requires time and depends heavily on the detail and accuracy of the information provided. While it may not be feasible for SoFi to respond individually to every report, rest assured that we diligently investigate each submission and will take corrective action as warranted.

4. SoFi prioritizes confidentiality in these matters. We commit to maintaining the confidentiality of all information related to vulnerability disclosures.

5. To ensure the privacy and security of our customers, we urge you not to disclose or disseminate details about a potential and unconfirmed vulnerability publicly, as you may not be eligible for a bounty.

Your cooperation and understanding in these matters are greatly appreciated as we work together to safeguard the integrity and security of SoFi’s services and products.

For questions regarding this program, please contact [email protected].

Thank you for helping us keep SoFi and our users safe!