Bug Bounties

Affirm

Powered by: 

Allows bounty splitting: 

Average time to first program response: 21

Average time to bounty awarded: 2531

Average time to report resolved: 3708

Handle: affirm

Managed program: true

Name: Affirm

Offers bounties: true

Offers swag: false

Response efficiency percentage: 83

Submission state: open

Url: https://hackerone.com/affirm

Website: http://www.affirm.com

In scope:

  • Asset identifier: com.affirm.central.audit
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: This is the Android testing app built for HackerOne. It's distributed through Google Play Store.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: com.affirm.internal.hackerone
  • Asset type: OTHER
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: This is the testing iOS app built for HackerOne. It is distributed through Crashlytics.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: https://TEST-STORE-SUBDOMAIN.dev.return.ly
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: low
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Replace TEST-STORE-SUBDOMAIN with your Shopify store. This is where a typical customer would initiate a return for the merchant they have obtained an item from.
  • Integrity requirements: low
  • Max severity: critical



  • Asset identifier: https://dashboard.dev.return.ly
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: low
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Web dashboard for Returnly (a subsidiary of Affirm).
  • Integrity requirements: low
  • Max severity: critical



  • Asset identifier: https://direct-hackerone.affirm-odin.com/
  • Asset type: URL
  • Availability requirement: none
  • Confidentiality requirement: none
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: It is an example integration that demonstrates how our application integration works with a merchant. In general, websites will integrate with Affirm for payments. This domain is simply a testing site to show how the API works and to test the flow of taking out a loan for buying an item. It intentionally has no ACLs or permissions. The endpoints that you have access to at the end of a checkout emulate what websites that integrate with us have access to.
  • Integrity requirements: none
  • Max severity: none



  • Asset identifier: https://hackerone.affirm-odin.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Main replica of Affirm's web platform experience.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: https://vcn-hackerone.affirm-odin.com/
  • Asset type: URL
  • Availability requirement: none
  • Confidentiality requirement: none
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: It is an example integration that demonstrates how our application integration works with a merchant. In general, websites will integrate with Affirm for payments. This domain is simply a testing site to show how the API works and to test the flow of taking out a loan for buying an item. It intentionally has no ACLs or permissions. The endpoints that you have access to at the end of a checkout emulate what websites that integrate with us have access to.
  • Integrity requirements: none
  • Max severity: none