One of the core values at Digit is to keep user information safe & secure and we welcome contributions from external security researchers who help do just that. If you believe you have found a vulnerability, we appreciate your help in responsibly disclosing it to us. If the submission meets our program scope and guidelines, we look forward to paying a reward for your efforts.
Please send submissions to email@example.com
For now, the Digit iOS and Android applications; the Digit web and API applications are eligible for the bounty program.
If there are other avenues that may have potentially high impact, we still encourage you to report such bugs through this program.
For any kind of vulnerability discovery and disclosure process with respect to Digit products and services, we ask that you understand and follow the program rules at all times.
Provide a succinct account of the security issue.
If we require further evidence of a vulnerability, we will ask you. Unless given explicit permission, refrain from changing or breaking anything that could potentially affect users’ experience of our services.
Do not access or modify our data or our users’ data at any time. Only interact with your own accounts while conducting research.
Act in good faith and be respectful of user privacy. Viewing, altering, saving, transferring user data or any other means to access the same is strictly prohibited. If you inadvertently encounter such a situation, please bring it to our attention immediately and purge any local copy of that information.
Do not spam with automated scanners and tools and submit those reports without proof of exploitability. Do not perform brute-force testing on any our applications, services or endpoints to understand if rate-limiting rules exist or for any other reason.
Give us reasonable time to respond to the issue before making it public. We take these issues seriously and will get back to you with a response as soon as we can.
Act in good faith to avoid destruction of data, and interruption or degradation of our services (including but not limited to denial of service).
Please reach out to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.
Comply with all applicable laws.
While evaluating reports for bounty payouts, we aim to be objective and fair (all amounts are at our discretion).
We will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public). We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.
The following issues are outside the scope of this program:
Denial of service attacks
Social engineering attacks
XSS on any site other than digit.co
Attacks where physical access to a user's device is required
Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking)
Attacks that require exceedingly unlikely user interactions
Vulnerabilities affecting users of outdated browsers or platforms
Any access to data where the targeted user needs to be operating a rooted mobile device
Any physical attempts against Digit property or data centers
Missing CSRF tokens, unless there is evidence of sensitive user action not protected by a token
Missing security headers or best practices - you need to provide evidence of a security vulnerability
Absence of rate limiting, unless related to authentication or money movement
Host header injections unless you can show how they can lead to stealing user data or moving user money
Our policies on presence/absence of SPF/DMARC records
Reports from automated tools or scans
Reports of insecure SSL/TLS ciphers, unless there is evidence from a working proof of concept, and not just a report from a scanner
To be objective and fair Digit uses the CVSS v3.0 calculator to determine score and decide bounty awards.
Digit reserves the right to make the final call on the validity of submissions and reward amounts may vary depending on severity, likeliness, impact among other factors. The following table is to be treated more as a guideline of what to expect.
You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.
Reports from individuals who we are prohibited by law from paying are ineligible for rewards. Digit employees and their family members are not eligible for bounties.
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy by actors seeking to detect and report vulnerabilities to us. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope. If legal action is initiated by a third party against you and you have complied with Digit’s bug bounty policy, Digit will take steps to make it known that your actions were conducted in compliance with this policy.