


Author Topic: USAA Bug Bounty  (Read 12772 times)

Angelina

« on: May 05, 2023, 05:49:32 pm »
Submit bug report: https://www.usaa.com

Overview
USAA supports responsible disclosure when individuals uncover vulnerabilities in our technology offerings that could be maliciously exploited, resulting in the loss of members' trust and confidence. Responsible disclosure of a vulnerability consists of providing notification to USAA in lieu of publicly releasing the details and providing a reasonable timeframe for USAA to fix the issue.
When a potential vulnerability is reported to USAA through responsible means, USAA will strive to confirm its existence in a timely manner, evaluate the risk to USAA and the membership and, if necessary, issue the appropriate corrective timeline and actions to remediate. USAA sincerely appreciates responsible disclosure of vulnerabilities from all parties, and may offer monetary rewards to those individuals who participate in accordance with USAA’s policy. The amount of the reward, if any, at USAA’s discretion, is linked to multiple factors, such as vulnerability type, ease of exploitability, and impact to the membership.
Scope
The scope is limited to technical vulnerabilities on USAA owned applications. The properties below are in scope:
• www.usaa.com
• mobile.usaa.com
• partners.usaa.com
• Native mobile applications (iOS, Android, Windows 10)
Eligible Vulnerabilities
• Cross-Site Scripting
• SQL Injection
• Remote Code Execution
• Cross-Site Request Forgery
• Information Disclosure
• Security Decisions via Untrusted Inputs
Ineligible Reports and False Positives
• Domains/subdomains which are not included in the approved testing scope
• Denial-of-Service attack related vulnerabilities
• Vulnerabilities discovered through automated tools or scans
• Reports from USAA employees, USAA contractors, or USAA suppliers or any persons related to or otherwise affiliated with USAA employees or contractors or suppliers.
• Vulnerabilities which require physical access to a user’s device
• Vulnerabilities in USAA partner sites
• Non-sensitive information available via our CDN (Content Delivery Network)
• Non-sensitive information available on USAA Member Community sites
• Spam or social engineering techniques
• Physical attacks against USAA offices, data centers, and Financial Centers
• Unvalidated redirects
Vulnerability Submissions
To report a vulnerability, please submit a high level report of your finding to disclosure@usaa.com. We will attempt to review and respond to your report within thirty (30) days of submission.
Other Conditions
Your submission, and USAA's evaluation and consideration thereof, do not imply or create:
• A confidential relationship;
• A promise to pay (subject to USAA’s discretion); or
• A recognition of either novelty or originality of the idea or submission.
During USAA’s evaluation you will not disclose USAA’s potential interest or otherwise use USAA’s name without written permission from USAA. USAA is not required to disclose to you its own developments, other submitted ideas, or other ideas used by USAA or its competitors.
Do
• Report any known defects or vulnerabilities in USAA systems and applications by submitting them to USAA’s vulnerability disclosure email address disclosure@usaa.com.
• Participate in responsible disclosure by providing USAA notification of the defect and sufficient evaluation and remediation time.
Don't
• Publicly disclose the vulnerability prior to our resolution.
• Modify, delete, copy, download, or tamper with member data.
• Anticipate payment for finding or reporting defects or vulnerabilities in USAA’s applications or systems for which USAA is already aware.
• Attempt to coerce, threaten, intimidate, or extort USAA or exploit or publish claims regarding alleged defects or vulnerabilities in USAA applications or systems.