What’s New?
We at Capital One strongly believe in the importance of security, and part of our mission is to protect our customers and their data. As part of this commitment, we launched our private bug bounty program in 2019, inviting hackers from all over the world to find and report vulnerabilities on any of our external assets.
Over the past five years, we’ve expanded, collaborated, and established ourselves as a good partner within the bug bounty community. During this time, we’ve worked with HackerOne to host multiple Live Hacking Events, focusing on securing our most critical applications. We’ve also hosted focused testing engagements to utilize the bright minds in the bug bounty community to help secure Capital One, but we don’t want to stop there.
This year, we plan to take it a step further by launching Capital One’s new public bug bounty program. We invite everyone to take this step with us and join us in continuing to build and preserve a secure environment for our customers.
What’s in Scope?
The scope of this program will put a major focus on Capital One’s core external-facing applications. This enhanced focus will help to bolster security on our heavily used applications and ultimately provide more security for our end users. The in-scope domains include:
- *.capitalone.com
- *.capitaloneshopping.com
- *.capitalonegslbex.com
- *.capitalone.ca
- ENO Browser Extension
- Capital One Shopping Browser Extension
- Mobile Apps for each of the above applications, if applicable
Physical testing, social engineering, phishing, and denial-of-service attacks are out of scope, as are third-party domains and assets.
How Capital One Handles Vulnerabilities and Disclosures
Capital One is committed to investing in the security of our customers’ information. Our Bug Bounty team is a group of security professionals who responsibly handle every potential security vulnerability identified by hackers worldwide. The team actively receives and responds to vulnerability reports, taking each one through initial triage, impact assessment, and remediation to proactively safeguard our customers.
As a hacker and future reporter for our program, you can expect your report to undergo an initial triage assessment and validation via our partner, HackerOne. After this, Capital One’s Bug Bounty team will perform a secondary validation in which we test and assess the impact of your submitted vulnerability and work with our internal teams to develop and implement a fix. You can expect to be kept in the loop from validation to remediation; transparent communication from our team is paramount.
We look forward to taking this leap, as we strive to protect our customers, and hope that you choose to take the leap with us. Catch you in the logs!