Bug Bounties

Wells Fargo

Powered by: 

Allows bounty splitting: 

Average time to first program response: 3

Average time to bounty awarded null: 

Average time to report resolved: 1432

Handle wellsfargo

Managed program: true

Name: Wells Fargo

Offers bounties: false

Offers swag: true

Response efficiency percentage: 100

Submission state: open

Url: https://hackerone.com/wellsfargo

Website: http://wellsfargo.com

In scope:

  • Asset identifier: *.advisor-connection.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: Subdomains maintained by third parties, other than Wells Fargo, are not in scope for this program.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: *.mworld.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: Subdomains maintained by third parties, other than Wells Fargo, are not in scope for this program.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: *.wellsfargo.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: Domains where Wells Fargo & Company is listed as the Registrant Organization, Admin Organization, or Tech Organization are *not* by default included in the bug bounty. Please see our responsible disclosure program https://hackerone.com/wellsfargo?type=team for those domains/assets. Domains registered to Wells Fargo but hosted by a third party are out of scope. Not sure what’s in scope? Send an email to support[at]hackerone.com. Vulnerabilities typically in scope include items from the OWASP Top 10 and vulnerabilities with a confirmed security impact. We reserve the right to determine whether to accept a report. For example, we may not accept: * A report on a vulnerability with little security impact or exploitability * A vulnerability outside our control * A vulnerability discoverable through automated scans that have not been verified manually * A report of a vulnerability resulting from a violation of the program guidelines
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: *.wellsfargoadvisors.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: Subdomains maintained by third parties, other than Wells Fargo, are not in scope for this program.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: *.wf.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: This domain is one of our main domains that we see out of scope submissions for payment. submissions to this domain should be made via our responsible disclosure program.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: *.wystar.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: Subdomains maintained by third parties, other than Wells Fargo, are not in scope for this program.
  • Integrity requirements: 
  • Max severity: critical