
USAA Bug Bounty and Responsible Disclosure Program

If you want to report a vulnerability for a possible bug bounty, please review our responsible disclosure standards first.

Scope

The scope is limited to technical vulnerabilities on USAA owned applications. The properties below are in scope:

  • www.usaa.com.
  • mobile.usaa.com.
  • Native mobile applications (iOS, Android, Windows 10).

Eligible Vulnerabilities

  • Cross-site scripting.
  • SQL injection.
  • Remote code execution.
  • Cross-site request forgery.
  • Information disclosure.

Vulnerability research and testing must be limited to member data solely under the researcher's control. It must not touch other members' private data.

Ineligible Reports and False Positives

  • Domains/subdomains which are not included in the testing scope above.
  • Denial-of-service attack related vulnerabilities.
  • Vulnerabilities discovered through automated tools or scans.
  • Reports from USAA employees, USAA contractors or USAA suppliers or any persons related to or otherwise affiliated with USAA employees or contractors or suppliers.
  • Vulnerabilities which require physical access to a user's device.
  • Vulnerabilities in USAA partner sites.
  • Non-sensitive information available via our CDN (Content Delivery Network).
  • Non-sensitive information available on USAA Member Community sites.
  • Spam or social engineering techniques.
  • Physical attacks against USAA offices, data centers and financial centers.

We will attempt to respond in a timely manner with:

  • Acknowledgement of the vulnerability report.
  • Time frame for a vulnerability assessment and fixing the issue.
  • Notification that the issue has been fixed.

How to Report a Vulnerability

To report a vulnerability, email disclosure@usaa.com. We give priority to reports that are encrypted with the key published through our security.txt file; to learn more about the security.txt format, go to securitytxt.org. You can download our PGP key and USAA Security Key for secure communications. Please keep the details of the possible vulnerability private until a fix is released.
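Before sending an encrypted report, a researcher typically reads the target's security.txt to confirm the contact address, locate the encryption key and check that the file has not expired. The following is an added example (not USAA's own code or file) of a small RFC 9116 parser that does those checks; the file content it parses is constructed here for illustration, and the Encryption and Policy URLs in it are placeholders, not real USAA addresses.

```python
"""Parse a security.txt file (RFC 9116) and extract what a reporter needs:
the Contact address(es), the Encryption key URL(s), and whether the file is
still valid. Added example; the sample content below is constructed."""
from datetime import datetime, timezone

# Constructed sample security.txt. Only the Contact address is taken from the
# program page; the Encryption and Policy URLs are placeholders.
SAMPLE_SECURITY_TXT = """\
# Constructed sample, not a real file
Contact: mailto:disclosure@usaa.com
Encryption: https://example.com/pgp-key.asc
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
Policy: https://example.com/responsible-disclosure
"""


def parse_security_txt(text):
    """Return a dict mapping lowercase field name -> list of values.

    Blank lines and '#' comments are skipped; a non-comment line without a
    colon is malformed and rejected rather than silently ignored.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed security.txt line: {raw!r}")
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_time(iso_string):
    """Parse an RFC 3339 / ISO 8601 timestamp; 'Z' is normalised for older Pythons."""
    return datetime.fromisoformat(iso_string.replace("Z", "+00:00"))


def is_expired(fields, now_iso=None):
    """RFC 9116 requires exactly one Expires field; a missing or duplicated
    field makes the file unusable, so it is treated as expired."""
    values = fields.get("expires", [])
    if len(values) != 1:
        return True
    now = _parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
    return _parse_time(values[0]) <= now


def reporting_targets(fields, now_iso=None):
    """Return (contacts, encryption_urls) for a usable file, else raise.

    Contact is mandatory; Encryption is optional, so an empty list means the
    reporter has no published key and should fall back to the program's
    instructions for obtaining one.
    """
    if is_expired(fields, now_iso):
        raise ValueError("security.txt is expired or lacks a valid Expires field")
    contacts = fields.get("contact")
    if not contacts:
        raise ValueError("security.txt has no Contact field")
    return contacts, fields.get("encryption", [])


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE_SECURITY_TXT)
    contacts, keys = reporting_targets(parsed)
    print("send report to:", contacts)
    print("encrypt with key from:", keys or "(no key published)")
```

In practice the text would be fetched from `/.well-known/security.txt` on the target host over HTTPS; the parser above is deliberately offline so it runs as shown. Treating a missing or duplicated Expires as "expired" is the conservative reading of RFC 9116, since a file that violates the mandatory-field rule should not be trusted for routing a sensitive report.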
