Responsible Disclosure Program

Help Us Secure Your Financial Data

WealthGuard rewards ethical security researchers who responsibly disclose vulnerabilities in our products. Join our global network of bug hunters and help protect millions of financial accounts.

  • $1.2M+ total paid to researchers
  • 48 hrs average triage time
  • 850+ valid reports resolved

Program Scope

Test responsibly. We welcome reports on the following assets and strictly prohibit activities outside the defined boundaries.

In Scope

  • app.wealthguard.com (Web Application)
  • api.wealthguard.com (REST & GraphQL APIs)
  • iOS & Android Mobile Applications
  • Customer-facing infrastructure & CDN endpoints
  • OAuth/OpenID Connect authentication flows
  • Payment processing & transaction endpoints

Out of Scope

  • Denial of Service / DDoS attacks
  • Social engineering & phishing attempts
  • Third-party services (Stripe, Plaid, AWS)
  • Automated scanning of production traffic
  • Business logic complaints or feature requests
  • Vulnerabilities in open-source libraries (report to maintainer)

Reward Structure

Payouts are based on CVSS 3.1/4.0 scoring, exploitability, and impact on financial data integrity.

| Severity | Impact Criteria | Example Vulnerabilities | Reward |
|----------|-----------------|-------------------------|--------|
| Critical | Full account takeover, direct fund access, admin compromise | Unauthenticated RCE, stored XSS in admin panels, SQLi leading to PII theft | $10,000 – $25,000 |
| High | Sensitive data exposure, partial account compromise | IDOR on transaction history, JWT weakness, CSRF on payment flows | $5,000 – $10,000 |
| Medium | Limited data exposure, authentication bypass (non-critical) | Reflected XSS, session fixation, insecure direct object references | $1,000 – $5,000 |
| Low | Minor security misconfigurations, low-impact findings | Missing security headers, information disclosure, weak cipher suites | $250 – $1,000 |
| Info | Best-practice improvements, hypothetical risks | Verbose error messages, missing rate limiting, DNS misconfigurations | $50 – $250 |

How It Works

A transparent, streamlined process from discovery to payout.

1. Test Responsibly

Reproduce the vulnerability in a controlled manner. Never impact real users or production data.

2. Submit Report

Use our secure portal to submit steps to reproduce, impact analysis, and proof-of-concept code.

3. We Triage & Fix

Our security team acknowledges within 48 hours, validates the finding, and implements a patch.

4. Get Rewarded

Once verified, rewards are processed via crypto or bank transfer within 14 business days.

Rules of Engagement

Adhering to these guidelines ensures safe testing and legal protection for all parties.

Safe Harbor

Good faith security research is authorized and will not result in legal action. We respect the Safe Harbor provisions of the DMCA.

Data Handling

Do not access, modify, or exfiltrate data belonging to other users. Delete any sensitive data collected during testing immediately.

System Integrity

Do not perform destructive actions, brute-force attacks, or DoS/DoW testing. Use test accounts where possible.

Communication

Do not disclose findings publicly until we've had 90 days to patch the vulnerability. Private disclosure is required.

Found a Vulnerability?

Submit your report securely through our encrypted portal. All communications are end-to-end encrypted and handled by our dedicated security response team.

Open the HackerOne Portal, or email security@wealthguard.com

PGP Key available upon request • TLS 1.3 Encrypted Submission

Frequently Asked Questions

Everything you need to know about participating in our bug bounty program.

Our security team triages new submissions within 24–48 hours during business days. You'll receive an acknowledgment, severity assessment, and timeline for resolution.

Lightweight, rate-limited scanning is permitted, but aggressive automated attacks, DDoS tools, or scanners that impact production performance are strictly prohibited.

Previously disclosed or patched vulnerabilities are eligible for reduced payouts or reputation points, depending on the finding's uniqueness and reporting quality.

Yes! All participants receive Hall of Fame recognition, priority program access, exclusive security swag, and invitations to annual researcher events.

Absolutely. We never disclose researcher identities without explicit written consent. Your profile and communications remain fully confidential.