TransUnion LLC looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
Response Targets
TransUnion LLC will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 2 days |
| Time to Triage | 2 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
Disclosure Policy
- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
Program Rules
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- You may not be a current employee of TransUnion or its affiliates or subsidiaries, or an employee who has left TransUnion, or its affiliates or subsidiaries within the past 12 months.
- You may not be an immediate family member of a person employed by TransUnion or its subsidiaries or affiliates.
- Do not use automated scanners. These tools could include payloads that trigger state changes or damage production systems or data.
Testing
There is a large amount of web traffic to and from TransUnion LLC properties every day. When testing, you can make it easier for us to distinguish your testing traffic from our normal data and from the malicious actors out in the world. Please do the following when participating in our VDP program:
- When submitting a report that is not explicitly defined in the program scope, please provide any relevant information that attributes the finding to TransUnion LLC.
- Where possible, register accounts using your @wearehackerone.com addresses (see https://docs.hackerone.com/hackers/hacker-email-alias.html).
- Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.
- Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily.
  - Identifier: your HackerOne username
  - User Agent: `X-TRU-VDP-<username>`
  - Format: `X-TRU-VDP: HackerOne-<username>`
  - Example: `X-TRU-VDP: HackerOne-powerful`
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Any activity that could lead to the disruption of our service (DoS, DDoS).
- Social engineering of our employees or contractors.
- Attacks against our physical facilities.
- Attacks requiring physical access to a user's device, unless the device is in-scope and explicitly hardened against physical access.
- Attacks requiring disabling Man In The Middle (MITM) protections.
- Missing best practices (SSL/TLS configuration, Content Security Policies, cookie flags, autocomplete attribute, email SPF/DKIM/DMARC records), unless a significant impact can be demonstrated.
- Cross-Site Request Forgery (CSRF) or Clickjacking/Tabnabbing with no security impact (e.g., unauthenticated/logout/login CSRF).
- Open redirects, unless a significant impact can be demonstrated.
- Self-exploitation (self XSS, self denial-of-service, etc.), unless a method to attack a different user can be demonstrated.
- Content spoofing, text injection and CSV injection, unless a significant impact can be demonstrated.
- Software version disclosure / Banner identification issues / Descriptive error messages or stack traces.
- Issues that require unlikely user interaction by the victim.
- Testing that requires mass creation of accounts, rate limit testing, credential stuffing, etc.
Additional Notice
Please refer to the Privacy Notice for the applicable product or region being tested for more information on what personal information TransUnion and its companies collect about you and the rights you may have regarding your personal information. TransUnion privacy notices and policies, including for international regions, can be found at this link: https://www.transunion.com/privacy/transunion.
Thank you for helping keep TransUnion LLC and our users safe!