Bug Bounties

KeyBank

Powered by: 

Allows bounty splitting: 

Average time to first program response: 5

Average time to bounty awarded: null

Average time to report resolved: 88

Handle: keybank

Managed program: true

Name: KeyBank

Offers bounties: false

Offers swag: false

Response efficiency percentage: 100

Submission state: open

Url: https://hackerone.com/keybank

Website: https://www.key.com

In scope:

  • Asset identifier: *.bolstr.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.cainbrothers.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: *.cainbrothers.com is in scope for the Log4Shell vulnerability (CVE-2021-44228). Please see the Bug Bounty policy for more details. KeyBank is fully aware of the Log4Shell vulnerability (CVE-2021-44228) and is remitting all known instances of this security issue. Due to the severe nature of this vulnerability, we are offering $3,000 for any exploitable instances found on any product, system, or asset belonging to KeyBank, Cain Brothers, HelloWallet, KeyBanc Capital Markets, or Laurel Road ("KeyBank"). Proof of concepts for this vulnerability should be presented utilizing DNS-pingbacks and will be validated by the KeyBank team before awards are issued. Multiple instances of the same backend application will be rated as a single instance. Any other issues found should be reported to the KeyBank VDP.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: *.hellowallet.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.key.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: *.key.com is in scope for the Log4Shell vulnerability (CVE-2021-44228). Please see the Bug Bounty policy for more details. KeyBank is fully aware of the Log4Shell vulnerability (CVE-2021-44228) and is remitting all known instances of this security issue. Due to the severe nature of this vulnerability, we are offering $3,000 for any exploitable instances found on any product, system, or asset belonging to KeyBank, Cain Brothers, HelloWallet, KeyBanc Capital Markets, or Laurel Road ("KeyBank"). Proof of concepts for this vulnerability should be presented utilizing DNS-pingbacks and will be validated by the KeyBank team before awards are issued. Multiple instances of the same backend application will be rated as a single instance. Any other issues found should be reported to the KeyBank VDP.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: *.keybank.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: *.keybank.com is in scope for the Log4Shell vulnerability (CVE-2021-44228). Please see the Bug Bounty policy for more details. KeyBank is fully aware of the Log4Shell vulnerability (CVE-2021-44228) and is remitting all known instances of this security issue. Due to the severe nature of this vulnerability, we are offering $3,000 for any exploitable instances found on any product, system, or asset belonging to KeyBank, Cain Brothers, HelloWallet, KeyBanc Capital Markets, or Laurel Road ("KeyBank"). Proof of concepts for this vulnerability should be presented utilizing DNS-pingbacks and will be validated by the KeyBank team before awards are issued. Multiple instances of the same backend application will be rated as a single instance. Any other issues found should be reported to the KeyBank VDP.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: *.laurelroad.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: This campaign will focus on the `*.laurelroad.com` domain. This includes all subdomains under the laurelroad.com domain name. Many of the laurelroad.com domains are in a live production environment. Please use caution when performing tests and be sure to follow the Program Rules below. This includes, but is not limited to, the following laurelroad.com domains: *.laurelroad.com, www.laurelroad.com, offers-uat.laurelroad.com, pl-gcp-uat-f5vt.laurelroad.com, pl-gcp-uat.pp.laurelroad.com, sl.laurelroad.com, tableau-uat-pp.laurelroad.com, *-dev.laurelroad.com, *.dev.laurelroad.com, sl-gcp-uat-pp.laurelroad.com, login.laurelroad.com, login-gcp-uat-pp.laurelroad.com, savings.laurelroad.com, tableau.laurelroad.com, pl-gcp-uat-pp.laurelroad.com, checking.laurelroad.com, checking-uat.laurelroad.com, *-uat.laurelroad.com, pl.laurelroad.com, sl-gcp-uat.pp.laurelroad.com, savings-uat.laurelroad.com
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: 1090492316
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: medium
  • Confidentiality requirement: medium
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: KeyNavigator
  • Integrity requirements: medium
  • Max severity: critical



  • Asset identifier: 1242358235
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: medium
  • Confidentiality requirement: high
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: KeyBank Mobile iPad
  • Integrity requirements: medium
  • Max severity: critical



  • Asset identifier: 479213995
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: medium
  • Confidentiality requirement: high
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: HelloWallet Mobile
  • Integrity requirements: medium
  • Max severity: critical



  • Asset identifier: 510717503
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: medium
  • Confidentiality requirement: high
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: KeyBank Mobile
  • Integrity requirements: medium
  • Max severity: critical



  • Asset identifier: com.key.android
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: medium
  • Confidentiality requirement: medium
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: KeyBank Mobile Android
  • Integrity requirements: medium
  • Max severity: critical



  • Asset identifier: com.key.community.tablet
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: medium
  • Confidentiality requirement: high
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: KeyBank Mobile Android Tablet
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: com.keycorp.kmf
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: medium
  • Confidentiality requirement: medium
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: KeyNavigator Mobile Android
  • Integrity requirements: medium
  • Max severity: critical



  • Asset identifier: com.nclud.hellowallet
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: medium
  • Confidentiality requirement: high
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: HelloWallet Android
  • Integrity requirements: medium
  • Max severity: critical