We classify all submissions based on Bugcrowds Vulnerability Taxonomy . P1s are scary, and we pay the maximum for those. On the other hand, P5s are considered "recommended practices", and we intentionally don't follow all recommendations. However, if you submit a P5 and we change our code as a result of your submission, it will be bumped to a P4, and paid out accordingly. Note: Please don't pretend your issue is more severe than it is when describing it. It will lead to lost trust and higher frustration, but it never leads to higher payouts!

The objective is to discover vulnerabilities in our web application and API. Of particular interest are:

(Actually, we hope you can't find any of this, but you know what we mean.)

We work hard to keep You Need a Budget secure, and make every effort to keep on top of the latest threats by working with security researchers and companies. If you think we've made a security mistake or have a vulnerability, please tell us right away. If you're the first to alert us and it leads to us making a change, we'll pay you a reward.

Any host verified to be owned by You Need a Budget is in scope [as of August 1st, 2017 2:00 PM PDT], except for the above and below out-of-scope exceptions:

Targets:

Web app and API (Staging)

This is both our Single Page Application, as well our private API endpoint, and both are targets. You will see the API endpoint being used when you fire up the app in your browser. Note that our native mobile applications are not currently in scope, but the API endpoints and the way they use the API is in scope. In other words, if you find they are using an API endpoint that is insecure, or can be abused in some way, that is in scope.

Public API (Staging) (Note that the documentation refers to our public API endpoint at api.youneedabudget.com, but we want you to test http://staging-api.youneedabudget.com

https://www.youneedabudget.com

This is a Wordpress-hosted site. It's not high risk since we don't store much information there, and it is separate from our app, but findings are still appreciated.

2FA Sign in

YNAB is very interested in getting testing on the new feature and is offering a $500 bonus for the first P1 submitted against the 2FA feature

Any other host verified to be owned by You Need a Budget, like *.youneedabudget.com, is in scope except for those noted above.

Rules:

Bugcrowd's standard disclosure terms always apply.

Here are some of our favorite rules:

1: Do NOT mess with accounts you don't control. You can create multiple testing accounts if you need to test information leakage between them.

2: Do NOT run aggressive automated scans. They're noisy and look a heck of a lot like a real attack. You run the risk of being locked out of our systems.

3: Do NOT DoS or DDoS us.

4: Do NOT try to break into our offices or perform social engineering on our employees.

5: Do NOT mess with our customers.

Out of scope:

The following issues won't be considered for a bounty:

User enumeration through sign up, log in and forgot password functionality.

Email spoofing - we have SPF (and DKIM) settings enabled where appropriate, but if we are experimenting with our DMARC settings, spoofing might be possible temporarily.

Being vulnerable to a DoS attack

In rare cases, a Denial of Service attacks will be considered: i.e. A malformed JSON packet that crashes our server and causes it to stop responding. Hammering our site and slowing it down is not in scope!

Self-XSS (tricking someone to running scripts on their console).

Note that we do consider self-XSS to be in scope (P4) if your only methods of input are the UI. (Typing anything in the console is not in scope). For example, if you type in a magic string for an account name and get it to pop up an alert box, we definitely care!

Bugs that cause the application to not function, but that are not security-related. For instance, modifying the data sent to our servers and causing your account to get into an un-loadable state might be possible. We would only be interested if you could break someone else's budget or cause them to break their own budget unintentionally.

Bugs that don't affect the latest version of Chrome, Firefox, or Safari, and Edge

CSRF on non-authenticated pages or that cause log out. (That includes login forms)

TLS/SSL configuration issues are not in scope unless they are egregious. Lack of pinning or allowing theoretically insecure cipher-suites is not in scope. If you still want to examine our SSL configuration, please evaluate https://app.youneedabudget.com rather than our staging site, and we'll trust you to know if you found something truly serious.

Click-jacking (disallowed in Bugcrowd's basic rules, but we're calling it out here)

https://app.youneedabudget.com, or ANY other hosted version of the web application. To pen-test the application, only run your tests on https://staging-app.youneedabudget.com

Our support forum https://support.youneedabudget.com/ Our forums are hosted by a third party and out of scope. Any testing against or in the forum will result in disciplinary actions, and could lead to being banned from the program or platform.

Our old forums are hosted by Vanilla Forums and are not in scope.

docs.youneedabudget.com Do NOT pentest this URL.

Testing is only authorized on the targets listed as In-Scope. Any domain/property of You Need a Budget not listed in the targets section is out of scope. This includes any/all subdomains not listed above. IF you happen to identify a security vulnerability on a target that is not in-scope, but that demonstrably belongs to You Need a Budget org, it may be reported to this program, and is appreciated - but will ultimately be marked as 'not applicable' and will not be eligible for monetary or points-based compensation.

Known issues

The following are known or are considered by design:

Username/email enumeration via login, registration, or forgot password page

Not listing all login sessions on a user-examinable page

Sessions not expiring due to changing passwords or emails

Ability to spam someone with forgot password functionality

Using the application before the email has been confirmed

CSV Injection

Failure to invalidate a session after an arbitrary timeout

Plaintext password field

Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.

Lack of public key pinning

Subdomain takeovers from subdomains of .youneedabudget.com pointing to Heroku (.herokuapp.com). (We have taken steps to prevent anyone else from registering our subdomain on Heroku). Other subdomain takeovers are certainly reportable.

App Platform description:

Client:

Ember Single-Page Application

Allowed browsers: Latest of Chrome, Safari, IE Edge and Firefox

Server:

We run on Heroku

Rails 5.x,

Ruby 2.x,

Puma 2.x,

Heroku Postgres

Our CDN is CloudFront

We use Recurly for billing

Marketing Site Stack (www.youneedabudget.com)

Wordpress run on Heroku

MySQL hosted on AWS

We use CloudFlare as a front-end cache

Getting Started (Credentials)

Read these rules and sign up for a Bugcrowd account. When creating an account on our services, use your BugCrowd username@bugcrowdninja.com . If you need to sign up for another account, you can do so with username+2@bugcrowdninja.com , and so on. Please don't create more accounts than you truly need. We recommend 2 accounts per researcher. When those trials run out, you can create two more. Find a vulnerability… Profit.

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;

Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;

Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy;



Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.