Bug Bounties

Credit Karma

Powered by: 

Allows bounty splitting: 

Average time to first program response: 23

Average time to bounty awarded null: 1565

Average time to report resolved: 

Handle creditkarma

Managed program: true

Name: Credit Karma

Offers bounties: true

Offers swag: false

Response efficiency percentage: 83

Submission state: open

Url: https://hackerone.com/creditkarma

Website: https://creditkarma.com

In scope:

  • Asset identifier: com.creditkarma.canada
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: com.creditkarma.mobile
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: com.creditkarma.mobile
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: https://*.creditkarma.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: https://accounts.creditkarma.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: https://api.creditkarma.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Our native apps make use of our API to talk to our servers.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: https://blog.creditkarma.com/
  • Asset type: URL
  • Availability requirement: medium
  • Confidentiality requirement: low
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: medium
  • Max severity: critical



  • Asset identifier: https://help.creditkarma.com
  • Asset type: URL
  • Availability requirement: medium
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Salesforce-owned endpoint. Manual testing only. No automated scanning on this endpoint. Overnight hours only (10PM - 2AM PT). During any case and/or chat session, please indicate that you are performing a Bug Bounty test from HackerOne, that this case is a Spam PenTesting Ticket, and that any follow-up questions can be forwarded to Vivi.Langga.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: https://support.creditkarma.ca/
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Salesforce-owned endpoint. Manual review only. No automated scanning on this endpoint. Overnight hours only (10PM - 2AM PT). During any case and/or chat session, please indicate that you are performing a Bug Bounty test from HackerOne, that this case is a Spam PenTesting Ticket, and that any follow-up questions can be forwarded to Vivi.Langga.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: https://www.creditkarma.ca
  • Asset type: URL
  • Availability requirement: medium
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: https://www.creditkarma.com/savings
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical