Wells Fargo Bounty
Bounty Range
$100 - $4,000
external program
Program guidelines
Top Response Efficiency: this program's response efficiency is above 90% (see https://docs.hackerone.com/en/articles/8490880-response-target-indicators).
Managed by HackerOne. Collaboration enabled. Includes retesting.
13 hours Average time to first response
5 days Average time to triage
2 weeks, 4 days Average time to bounty
3 weeks, 2 days Average time from submission to bounty
1 month, 2 weeks Average time to resolution
Last updated on June 18, 2025 (view changes: /wellsfargo-bbp/bounty_table_versions).
Each severity lists the 90-day average bounty and the percentage of total resolved reports, if applicable.
Severity (CVSS) | Avg. bounty (90 days) | Share of submissions
Low (0.1-3.9) | n/a | 9.84%
Medium (4.0-6.9) | $972 | 66.67%
High (7.0-8.9) | $300 | 14.21%
Critical (9.0-10.0) | n/a | 9.29%
Asset | Low | Medium | High | Critical
*.wellsfargo.com | $100–$300 | $300–$2,000 | $2,000–$4,000 | $4,000–$7,500
connect.secure.wellsfargo.com | $150–$600 | $600–$4,000 | $4,000–$7,500 | $7,500–$15,000
Please note these are general guidelines, and reward decisions are up to the discretion of Wells Fargo Bounty.
You will be eligible for a bounty only if you are the first person to disclose an unknown issue. Qualifying bugs will be rewarded based on severity, to be determined by Wells Fargo in its sole discretion. Rewards may range from HackerOne Reputation Points to monetary rewards up to the amount listed in the table above. Awards are granted entirely at the discretion of Wells Fargo. At Wells Fargo's discretion, providing more complete research, proof-of-concept code, detailed write-ups, and following testing guidelines may increase the bounty awarded.
Conversely, Wells Fargo may pay less for vulnerabilities that require complex or over-complicated interactions or for which the impact or security risk is negligible. Rewards may be denied if there is evidence of program policy violations. A reduction in bounty is also warranted for reports that require specific browser configurations. Reports in third-party software are not eligible for bounties.
Where a monetary bounty is presented, eligible reports will be awarded based on severity after identifying final impact, as determined by Wells Fargo.
Other Wells Fargo online properties such as *.wf.com, *.wellsfargoadvisors.com, *.mworld.com, and *.advisor-connection.com are not eligible for a financial reward at this time, but may still be in-scope for Reputation points.
Core Ineligible Findings are out of scope (learn more: https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings).
Category | Exclusion details
See below in full policy | A list of scope exclusions is included in the full policy text below.
This program has not committed to the following Platform Standards, so the report severity or outcome may differ:
Multiple reports on systemic vulnerabilities
Third-party components: for programs consuming the component
See https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards#h_e01bc643a8 for the full list of Platform Standards.
Last updated on March 7, 2025 (view changes: /wellsfargo-bbp/policy_versions).
Wells Fargo welcomes security researchers to participate in our bug bounty program to help us identify and fix vulnerabilities in our systems. By working together, we can improve the security of our products and services for everyone.
Note: This is a Bug Bounty Program, which addresses technical vulnerabilities that could be exploited. This team is unable to assist with customer service issues, account issues, or fraud claims. If you need Wells Fargo customer support, please visit Customer Service (https://www.wellsfargo.com/help/). If you are reporting fraud or phishing, please visit our Fraud Center (https://www.wellsfargo.com/privacy-security/fraud/report/).
Wells Fargo Bounty will make a best effort to meet the following SLAs for hackers participating in our program:
Type of Response | Response target (in business days)
First Response | 2 days
Time to Triage | 7 days
Time to Bounty | 14 days
Time to Resolution | depends on severity and complexity
Wells Fargo does not allow public disclosure of vulnerabilities, including after resolution. Requesting public disclosure does not guarantee that disclosure will be allowed.
Please see HackerOne's disclosure guidelines (https://www.hackerone.com/disclosure-guidelines) for more information.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Your report is subject to HackerOne’s Vulnerability Disclosure Guidelines.
The program cannot reward any individual on any U.S. sanctions list or any individual residing in any U.S.-sanctioned country or region.
You are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including any bounty payments.
One vulnerability type per report unless chaining vulnerabilities to provide impact.
One report for the same vulnerability impacting multiple domains.
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
When reporting vulnerabilities, consider (1) the attack scenario or exploitability, and (2) the security impact of the bug.
When duplicates occur, only the first report that was received will be awarded. (pending validation)
Social engineering (e.g. phishing, vishing, smishing, tabnabbing) for the purposes of validating a vulnerability is prohibited. Testing with your own accounts at your own risk will be considered on a case-by-case basis.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
Comply with applicable federal, state, local, and international laws in connection with your participation in this vulnerability disclosure program.
Current and former employees of Wells Fargo and Wells Fargo’s subsidiaries, past and present, are not permitted to take part in our bug bounty program.
If credentials are obtained for an app that is not widely, publicly available, no further testing is allowed until explicitly approved by the Wells Fargo Bounty Team.
Wells Fargo reserves the right to modify the terms of this policy or terminate the program at any time.
You represent that you are not located in or a resident of a country under United States sanctions, nor a person on, or working on behalf of a party identified on, any restricted party list maintained by the United States government.
You consent to your information being stored and transferred to the United States and acknowledge you have read and accepted the terms of this policy and HackerOne’s Vulnerability Disclosure Guidelines. You agree not to disclose vulnerability details to anyone other than Wells Fargo without Wells Fargo’s written permission.
You agree that any Wells Fargo information that you may encounter, view, acquire, or access, is owned by Wells Fargo or its customers, clients, or third-party providers. You have no rights, title, or ownership to any such information.
You agree that your research will be conducted for testing and research purposes only, that you will not attempt to gain access to customer or user accounts or confidential information, and you will only interact with accounts you own.
You understand that nothing in this agreement, including submission of a report, shall be deemed to constitute the grant to you of any license or other right to or in respect of any Wells Fargo or third-party product, service, patent, trademark, trade secret, or other intellectual property.
You hereby grant Wells Fargo a perpetual, worldwide, exclusive, fully-paid license to sublicense, copy, distribute, display, perform, transmit, and publish the report.
Detailed Reports: Submit comprehensive reports that clearly explain the vulnerability with reproducible steps, including any relevant code snippets, screenshots, or network traffic logs. Vague or incomplete reports may not be eligible for a reward.
Ethical & Safe Testing: Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Reduce impact: Wells Fargo handles enormous web traffic. Help us differentiate your testing activity from real threats by following these steps:
Use email addresses in the format [email protected] when registering accounts (when possible).
Provide your IP address in bug reports, especially for high and critical severity issues. Wells Fargo will keep it confidential and use it solely to analyze your testing logs.
Set a custom HTTP header in all your testing traffic. Report to us which header you set so we can identify it easily for deconfliction purposes.
Identifier | Format | Example
Your Username | X-Bug-Bounty: HackerOne- followed by your HackerOne username |
Tool Identifier | X-Bug-Bounty: followed by your tool identifier |
Respect user privacy: Use only authorized accounts to avoid compromising real user data.
Demonstrate responsible exploitation:
When showcasing root access, use these commands (or similar methods):
Read: cat /proc/1/maps
Write: touch /root/
Execute: Run cat and touch simultaneously to prove execution capabilities.
Always follow program rules: Adhere to program rules at all times. Do not use payloads that could trigger state changes or damage production systems and/or data.
Responsible Automation: Thoughtful usage of automated scanners/tools is allowed. Scanners/tools must be configured to not send more than 500 requests per second to any particular service.
Stop before causing harm: If you suspect potential damage during testing, stop immediately, report your findings, and request permission for further testing. Wells Fargo's internal security team is available to assist.
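The deconfliction and automation rules above (the X-Bug-Bounty header and the cap of 500 requests per second per service) are easy to get wrong in hand-rolled tooling. The following is an added example, not code from Wells Fargo or HackerOne, of a small client wrapper that enforces both. It assumes: the header value follows the program's stated format "HackerOne-" plus your HackerOne username; the tool identifier from the second table row is carried as a second comma-separated value in the same header (this example's choice, since the page lists both rows under one header name); the cap is enforced per host with a token bucket; and the default scope allow-list (wellsfargo.com and its subdomains) mirrors the bounty table on this page. The names TestingClient, TokenBucket, FakeClock, in_scope and deconfliction_headers are this example's own.

```python
"""Deconfliction helper for authorised bug-bounty testing traffic.

Added example, not code from Wells Fargo or HackerOne. Assumptions:
  * header format from the program's table: "X-Bug-Bounty: HackerOne-<username>";
  * a tool identifier is carried as a second, comma-separated value in that
    same header (joining the two table rows into one field is this example's choice);
  * the program's cap of 500 requests per second per service is enforced
    per host with a token bucket;
  * the default scope allow-list mirrors the bounty table on this page.
"""
import time
import urllib.request
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit


def deconfliction_headers(username: str, tool: str = "") -> Dict[str, str]:
    """Build the X-Bug-Bounty header the program asks researchers to send."""
    if not username or any(ch.isspace() for ch in username):
        raise ValueError("username must be a non-empty token without whitespace")
    value = "HackerOne-" + username          # format stated in the program table
    if tool:
        value += ", " + tool                 # assumption: tool id as second list value
    return {"X-Bug-Bounty": value}


def in_scope(host: str, suffixes: Tuple[str, ...]) -> bool:
    """True if host is one of the allow-listed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


class FakeClock:
    """Deterministic clock/sleep pair for dry runs and tests (no real waiting)."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


class TokenBucket:
    """Allow at most `rate` requests per second, with a burst of up to `rate`."""

    def __init__(self, rate: float, now: Callable[[], float],
                 sleep: Callable[[float], None]) -> None:
        self.rate = float(rate)
        self.capacity = float(rate)
        self.tokens = float(rate)
        self._now, self._sleep = now, sleep
        self._last = now()

    def acquire(self) -> float:
        """Take one token, sleeping until one is available. Returns seconds waited."""
        t = self._now()
        self.tokens = min(self.capacity, self.tokens + (t - self._last) * self.rate)
        self._last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return 0.0
        wait = (1.0 - self.tokens) / self.rate   # time until exactly one token accrues
        self._sleep(wait)
        self._last = t + wait
        self.tokens = 0.0                        # the accrued token is consumed now
        return wait


class TestingClient:
    """Prepares deconflicted, per-host rate-limited requests to in-scope hosts."""

    def __init__(self, username: str, tool: str = "", max_rps: float = 500,
                 scope: Tuple[str, ...] = ("wellsfargo.com",),
                 now: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.headers = deconfliction_headers(username, tool)
        self.max_rps, self.scope = max_rps, scope
        self._now, self._sleep = now, sleep
        self._buckets: Dict[str, TokenBucket] = {}

    def prepare(self, url: str, method: str = "GET") -> Tuple[urllib.request.Request, float]:
        """Return a ready urllib Request plus the seconds spent waiting on the limiter."""
        host = urlsplit(url).hostname or ""
        if not in_scope(host, self.scope):
            raise ValueError("refusing to test out-of-scope host: %r" % host)
        bucket = self._buckets.setdefault(
            host, TokenBucket(self.max_rps, self._now, self._sleep))
        waited = bucket.acquire()
        return urllib.request.Request(url, headers=self.headers, method=method), waited


if __name__ == "__main__":
    # Dry run with the fake clock: a burst of 500 requests to one host is
    # immediate, the 501st waits 1/500 s, and out-of-scope hosts are refused.
    clock = FakeClock()
    client = TestingClient("alice", tool="ffuf", now=clock.now, sleep=clock.sleep)
    for _ in range(500):
        client.prepare("https://connect.secure.wellsfargo.com/")
    req, waited = client.prepare("https://connect.secure.wellsfargo.com/")
    print(req.get_header("X-bug-bounty"), "waited %.3fs" % waited)
```

The scope allow-list only keeps your own tooling honest; it does not decide bounty eligibility, which the program ties to Wells Fargo's ownership of the hosting infrastructure. Keep the header value you actually send and the source IP you test from, and put both in the report, as the guidelines ask.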
Domains where Wells Fargo & Company is listed as the Registrant Organization, Admin Organization, or Tech Organization are in scope. Domains maintained by third parties, other than Wells Fargo, will be considered on a case-by-case basis.
Vulnerabilities typically in scope include items from the OWASP Top 10 and vulnerabilities with a confirmed security impact.
We reserve the right to determine whether to accept a report. For example, we may not accept:
A report on a vulnerability with little security impact or exploitability.
A vulnerability outside our control, such as issues impacting third-party systems.
Vulnerabilities discovered through automated scanning tools (e.g., Acunetix, Nessus, Qualys) without steps to reproduce the vulnerability and the associated request/response data.
A report of a vulnerability resulting from a violation of the program guidelines.
Eligibility for payment is contingent on Wells Fargo's ownership of the hosting infrastructure regardless of the in-scope domains list. Assets that appear to be owned by Wells Fargo may be owned and/or managed by third parties.
HTTP header best practices, e.g.:
Access-Control-Allow-Origin (CORS)
Content-Security-Policy (CSP)
X-XSS-Protection (XSS)
Referrer-Policy
Strict-Transport-Security (HSTS)
Email record best practices, e.g.:
Missing or invalid SPF
Missing or invalid DKIM
Missing or invalid DMARC
Error messages that disclose, e.g.:
Software or server version number
Banner identification
Stack trace info
Self XSS
Valid cross-site scripting must be exploitable via reflected, stored, or DOM-based attacks and injectable by a third party
Web app hygiene
Clickjacking on pages with no sensitive actions
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Attacks requiring MITM or physical access to a user's device
Publicly identified vulnerable libraries
Comma Separated Values (CSV) injection
Missing best practices in SSL/TLS configuration
Any activity that could lead to the disruption of our services (DoS)
Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
Stealer logs (credentials sourced from infostealer malware dumps)
Most rate limiting or brute force findings
Missing HttpOnly or Secure flags on cookies
Findings requiring unlikely or inordinate amounts of prior victim user interaction, such as session tokens or CSRF values
Bugs affecting browsers or plugins not listed on the Wells Fargo supported browsers page
Do not test the physical security of Wells Fargo property
Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis
Public Zero-day vulnerabilities that have been publicly disclosed for less than 72 hours
Gold Standard Safe Harbor supports the protection of organizations and hackers engaged in Good Faith Security Research. “Good Faith Security Research” is accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.
We consider Good Faith Security Research to be authorized activity that is protected from adversarial legal action by us. We waive any relevant restriction in our Terms of Service (“TOS”) and/or Acceptable Use Policies (“AUP”) that conflicts with the standard for Good Faith Security Research outlined here.
This means that, for activity conducted while this program is active, we:
Will not bring legal action against you or report you for Good Faith Security Research, including for bypassing technological measures we use to protect the applications in scope; and,
Will take steps to make known that you conducted Good Faith Security Research if someone else brings legal action against you.
You should contact us for clarification before engaging in conduct that you think may be inconsistent with Good Faith Security Research or unaddressed by our policy.
Keep in mind that we are not able to authorize security research on third-party infrastructure, and a third party is not bound by this safe harbor statement.
Swag: Wells Fargo's Bug Bounty program does not currently offer swag.
Test accounts: We cannot provide pre-configured test accounts or special access. Please use authorized accounts when testing.
Report status: If you have questions about your report's status, please contact us directly within the report.
How do I make my report great? https://docs.hackerone.com/hackers/quality-reports.html
I submitted a report. Now what? I have questions. https://www.hackerone.com/blog/how-bug-bounty-reports-work
What causes a report to be closed as Informative, Duplicate, N/A, or Spam? https://docs.hackerone.com/hackers/report-states.html
Top hackers (see all: /wellsfargo-bbp/thanks)
1. todayisnew: reputation 320
2. krynos: reputation 196
3. nagli: reputation 191
4. mikee: reputation 163
5. zlz: reputation 152
6. ziot: reputation 130
7. curiositysec: reputation 120
8. arielrachamim: reputation 116
9. sam_exploit: reputation 105
10. expression4865: reputation 99
11. leonishan: reputation 95
12. santero: reputation 88
Wells Fargo Bounty
Website: https://www.wellsfargo.com. Bug Bounty Program launched in Oct 2024.
Response efficiency: 94%
Severity | Avg. bounty (90 days) | Share of submissions | Reward range
Low | n/a | 9.84% | $100–$600
Medium | $972 | 66.67% | $300–$4,000
High | $300 | 14.21% | $2,000–$7,500
Critical | n/a | 9.29% | $4,000–$15,000
Total bounties paid | $247,700
Average bounty range | $500 - $600
Top bounty range | $5,000 - $12,500
Bounties paid (90 days) | $10,900
Reports received (90 days) | 79
Last report resolved | 6 days ago
Reports resolved | 185
Hackers thanked | 192
Assets in scope | 14
© HackerOne