
Wealthsimple
External Program
Submit bugs directly to this organization
Wealthsimple looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. Please read through and abide by the following program rules and scope exclusions.
Wealthsimple will make a best effort to meet the following SLOs for hackers participating in our program:
We’ll try to keep you informed about our progress throughout the process as soon as we have updates to share; there is no need to ask us for updates.
The Wealthsimple team may change the defined SLAs over time as needs and requirements change.
Do not discuss or publicly share information related to vulnerabilities identified in Wealthsimple's Bug Bounty program, no matter what status they are in, without consent from Wealthsimple.
We encourage everyone to submit their findings. However, current Wealthsimple employees and contractors, their immediate family members, as well as former employees or contractors and their immediate family members, are not eligible for bounty rewards for a period of one year after the employee’s departure.
Due to our status as a financial technology company, any user of Wealthsimple must pass Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements before engaging in any financial transaction. These legal requirements restrict the use of the Wealthsimple application and platform to Canadian citizens with a valid form of identification. Non-Canadian researchers may test in-scope assets but may be restricted in the actions and features they have access to. We are working on ways to provide better access to non-Canadian researchers in the future. Providing false or invalid identification is highly discouraged; doing so may result in a permanent, application-wide ban.
You may test only with Wealthsimple account(s) for which you are the account owner.
You must create an account with your HackerOne email alias (e.g. hackerman @ wearehackerone.com) to be eligible for bounty.
If you’d like to create additional test accounts, add a plus (“+”) sign and any combination of words or numbers after your username. For example: [email protected]. This enables you to test different attack vectors / account levels without targeting other users or creating multiple HackerOne profiles.
Please add a custom HTTP header to all proxied requests (e.g. from Burp Suite or ZAP) and to requests generated from scripts or command-line tools. The header should look like the following:
X-BUG-BOUNTY: HackerOne-<YOUR HACKERONE USERNAME>
When submitting reports, please include the email address used for the account and the IP addresses used for testing. This information is kept strictly confidential and used only for log analysis and application alert investigation.
Recent acquisitions by Wealthsimple not explicitly defined in the HackerOne scope are out of the program's scope for a minimum period of 3 months after the acquisition is announced. If you have a security vulnerability in a product recently acquired by Wealthsimple, please send your report to the Wealthsimple Security Team at [email protected].
| Severity | Bounty |
|---|---|
| Critical | 20,000 |
| High | 5,000 |
| Medium | 1,000 |
| Low | 500 |
The above bounties are paid based on the rating guide below that has been modified to reflect the impact to Wealthsimple services.
| Attack Vector (AV) | Description |
|---|---|
| Physical (P) | The attack requires the attacker to physically touch or manipulate the vulnerable component. |
| Local (L) | The vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. The attacker must have terminal access (or the equivalent) either via keyboard or SSH to the vulnerable system. The attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (for example, using social engineering to trick a legitimate user into opening a malicious document). |
| Adjacent (A) | The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. The attack must be launched from the same shared physical (for example, Bluetooth or Wi-Fi) or logical (for example, local IP subnet) network. The attack must be launched from within a secure or otherwise limited administrative domain (for example, using VPN access). |
| Network (N) | The attack can be performed from across the internet without any of the requirements of the other vectors. |
| Attack Complexity (AC) | Description |
|---|---|
| Low (L) | Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component. |
| High (H) | A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. The attacker must prepare the target environment to improve exploit reliability. For example, repeated exploitation to win a race condition, or overcoming advanced exploit mitigation techniques. |
| Privileges Required (PR) | Description |
|---|---|
| None (N) | The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack. Hard-coded credential vulnerabilities and vulnerabilities requiring social engineering (for example, reflected cross-site scripting, cross-site request forgery, or a file parsing vulnerability in a PDF reader) fall under this value. No Wealthsimple account; or, a Wealthsimple account that is not KYC cleared. |
| Low (L) | The attacker requires privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources. A Wealthsimple account that is KYC cleared. |
| High (H) | The attacker requires privileges that provide significant (for example, administrative) control over the vulnerable component allowing access to component-wide settings and files. A Wealthsimple employee or administrator account. |
| User Interaction (UI) | Description |
|---|---|
| None (N) | The vulnerable system can be exploited without interaction from any user. |
| Required (R) | Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a vulnerability requires a user to successfully login before the vulnerability can be exploited. |
| Scope (S) | Description |
|---|---|
| Unchanged (U) | An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority. *.wealthsimple.com is a single security scope. |
| Changed (C) | An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. |
| Confidentiality (C) | Description |
|---|---|
| None (N) | No or negligible exposure of information. Vulnerability results in a small number of clients affected with minor potential or actual harm. |
| Low (L) | Small to large number of clients are affected AND the information exposed is not confidential or restricted. Potential or actual harm is moderate. |
| High (H) | Large number of clients affected AND information exposed is confidential or restricted. Potential or actual harm to clients is serious. |
| Integrity (I) | Description |
|---|---|
| None (N) | No or negligible modification of information. Vulnerability results in a small number of clients affected with minor potential or actual harm. |
| Low (L) | Small to large number of clients are affected AND the information modified is not confidential or restricted. Potential or actual harm is moderate. |
| High (H) | Large number of clients are affected AND the information modified is confidential or restricted. Potential or actual harm to clients is serious. |
| Availability (A) | Description |
|---|---|
| None (N) | There is no impact to availability within the impacted component. Public websites are functional. New account sign-up or login requests are functional. Core functionality is functional. |
| Low (L) | Performance is reduced or there are interruptions in resource availability. Parts of the public websites are broken (pages, images). Stale data is being served. Fewer than 5% of new account sign-up or login requests are failing. Occasional inconveniences but still functional; or, core functionality is failing/broken for < 5% of all clients. |
| High (H) | A total loss of availability or loss of availability presents a direct, serious consequence to the impacted component. Public websites are down or broken. 5% or more of new account sign-up or login requests are failing. Core functionality is failing/broken for > 5% of all clients. |
You may use our pre-generated Burp Suite configuration file, which will configure your Burp proxy with our in-scope domains, found here: {F1347430}
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
A: We implement a web application firewall on most of our in-scope domains which uses a variety of methods to detect and block potentially malicious requests or unwanted bot traffic. To prevent your proxied requests from being blocked, try these configuration adjustments:
Set the User-Agent header to a known good User-Agent value.
Thank you for helping keep Wealthsimple and our users safe!