Description

Uphold is a global digital financial platform that enables users to buy, sell, and trade a wide range of assets, including cryptocurrencies, traditional fiat currencies, and precious metals. Operating in 140+ countries and supporting 300+ assets, Uphold provides secure multi-asset trading, instant transactions, and enterprise financial solutions.

As a blockchain business, trust and security are fundamental to our success. Our reputation and brand image depend on maintaining the highest security standards, which is why security is a top priority at Uphold. This bug bounty program is a key part of our commitment to proactively identifying and mitigating security risks before they can impact our users or financial systems.

As a researcher, you will be analyzing Uphold’s web applications, APIs, and mobile platforms, which facilitate multi-asset trading, financial transactions, and account management. Your contributions will help protect user funds, ensure transaction integrity, and enhance authentication security in a highly regulated financial environment.

Review the program scope, rules of engagement, and testing guidelines carefully before submitting a report. We reward well-documented, high-impact security findings that strengthen the safety of our platform and uphold the trust of our users.

Bounties

Severity (score range)      Tier 1    Tier 2    Tier 3
Low (0.1 - 3.9)             €250      €100      €0
Medium (4.0 - 6.9)          €650      €300      €0
High (7.0 - 8.9)            €1,500    €750      €300
Critical (9.0 - 9.4)        €3,500    €1,500    €750
Exceptional (9.5 - 10.0)    €6,000    €3,000    €1,250

Tier 1: €250 - €6,000
Tier 2: €100 - €3,000
Tier 3: Up to €1,250 (no bounty for Low or Medium findings)
Rules of engagement
Required
Add "Intigriti-<Username>" to your User Agent
max. 10 requests /sec
Not applicable
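The two testing requirements above (the `Intigriti-<Username>` User-Agent and the cap of 10 requests per second) are the ones most often broken by hand-rolled scripts. The following is an added example, not code from Uphold or Intigriti: a small standard-library client that stamps every request with the required User-Agent and paces requests through a shared limiter so that no burst exceeds the cap. The Intigriti handle is a placeholder, and the sandbox ticker URL in the demo is only an assumed stand-in target.

```python
import threading
import time
from urllib.request import Request, urlopen

# Assumptions (not from the program page): the handle below is a placeholder
# you replace with your own Intigriti username.
INTIGRITI_USERNAME = "your-intigriti-handle"
MAX_REQUESTS_PER_SEC = 10  # program rule: max. 10 requests /sec


def required_user_agent(username: str) -> str:
    """Build the User-Agent value the program requires: Intigriti-<Username>."""
    if not username or "/" in username or " " in username:
        raise ValueError("username must be a bare Intigriti handle")
    return f"Intigriti-{username}"


class RateLimiter:
    """Paces calls so that at most rate_per_sec of them happen in any second.

    Calls are spaced at least 1/rate_per_sec apart (no bursts), which is the
    conservative reading of a per-second cap. clock and sleep are injectable
    so the pacing logic can be exercised without real waiting.
    """

    def __init__(self, rate_per_sec: float, clock=time.monotonic, sleep=time.sleep):
        if rate_per_sec <= 0:
            raise ValueError("rate must be positive")
        self.interval = 1.0 / rate_per_sec
        self._clock = clock
        self._sleep = sleep
        self._next_allowed = None
        self._lock = threading.Lock()  # one limiter shared by all worker threads

    def acquire(self) -> float:
        """Block until the next request may be sent; return the seconds waited."""
        with self._lock:
            now = self._clock()
            if self._next_allowed is None or now >= self._next_allowed:
                self._next_allowed = now + self.interval
                return 0.0
            waited = self._next_allowed - now
            self._sleep(waited)  # sleeping under the lock keeps callers ordered
            self._next_allowed += self.interval
            return waited


def build_request(url: str, username: str, method: str = "GET", headers=None) -> Request:
    """Create a urllib Request that always carries the required User-Agent."""
    hdrs = dict(headers or {})
    hdrs["User-Agent"] = required_user_agent(username)
    return Request(url, method=method, headers=hdrs)


def send(limiter: RateLimiter, req: Request, timeout: float = 15.0) -> bytes:
    """Wait for the limiter, then perform the request and return the body."""
    limiter.acquire()
    with urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    limiter = RateLimiter(MAX_REQUESTS_PER_SEC)
    # Assumed demo target: the public ticker on the Uphold sandbox API.
    req = build_request("https://api-sandbox.uphold.com/v0/ticker", INTIGRITI_USERNAME)
    print(req.get_header("User-agent"))
    print(send(limiter, req)[:200])
```

Route every request, including those made by helper threads, through the same `RateLimiter` instance; a per-thread limiter would multiply the effective rate by the number of threads and breach the cap.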

Our Commitment to You

  • We will acknowledge your report within a reasonable timeframe and keep you informed about its progress.
  • We respect Safe Harbor protections for researchers who act in good faith within these guidelines.
  • We are happy to answer questions—please use the contact button at the top right of the platform.

Your Commitment to Us

  • Provide detailed, well-structured reports with clear impact analysis and reproduction steps.
  • Avoid submitting low-quality reports—quality matters more than quantity.
  • Do not disclose or discuss vulnerabilities publicly (including Proof-of-Concepts on YouTube, Vimeo, or other platforms) without our explicit consent.
  • Do not use automated vulnerability scanners—we only accept manually verified findings.
  • Do not exploit vulnerabilities beyond what is necessary to prove impact.

Responsible Testing Guidelines

  • Do not disrupt Uphold’s services—Denial of Service (DoS) or any form of service degradation testing is strictly prohibited.
  • Do not attempt to brute-force credentials or perform password spraying, credential stuffing, or phishing attacks.
  • Do not test against real user accounts—use sandbox accounts for testing.
  • Do not access, modify, or delete user data—if unintended access occurs, stop immediately and report the issue.
  • Do not attempt social engineering, physical security attacks, or compromise Uphold employees or third-party services.

Issue Reporting Template

A high-quality report must follow this format to ensure effective triage and resolution:

  • Title
    Use the format:
    [ASSET] - VULNERABILITY on FIELD/FUNCTION
    Example:
    [api.topperpay.com] - SQL Injection leading to user details exfiltration on getUserDetails
  • Impact Analysis
    • Clearly explain why this is a security risk.
    • Describe the business and compliance impact (e.g., data exposure, financial manipulation, account takeover).
    • Include real-world scenarios where this could be exploited at scale.
  • Reproduction Steps
    Provide step-by-step instructions on how to reproduce the issue:
    • Describe the environment (e.g., endpoint, affected function, required permissions).
    • Provide exact requests or payloads that demonstrate the vulnerability.
    • Include screenshots, logs, or proof-of-concept (PoC) code to verify impact.
  • Suggested Fixes (if applicable)
    • Provide specific technical recommendations on how to mitigate the vulnerability; avoid generic or AI-generated solutions.
    • Reference resources or how-tos relevant to the issue.
Domains
iOS

The Uphold Wallet iOS Application is the primary mobile platform for Uphold users to manage their wallets, providing a full suite of financial services, including account management, real-time price quotes, transactions, and access to account history. Users can deposit, withdraw, exchange assets, and complete KYC verification directly through the app.

This app currently installs on jailbroken devices; please read the out-of-scope findings before reporting this.

iOS

The UpHODL Wallet App is a self-custodial, multichain wallet developed by Uphold Labs, allowing users to securely store, manage, and transact digital assets while maintaining full control over their private keys. The wallet supports Bitcoin (BTC), Ethereum (ETH), XRP, ERC-20 tokens, NFTs, and other blockchain networks, offering seamless DeFi access via WalletConnect and the ability to purchase cryptocurrencies directly using a card.

This app currently installs on jailbroken devices, but the user is not allowed to proceed with creating a wallet. Please read the out-of-scope findings before reporting this.

The Uphold Wallet REST API (https://api.uphold.com) offers developers comprehensive access to Uphold’s financial platform, enabling the creation of innovative services. This API allows for operations such as retrieving account details, managing user accounts, initiating transactions, accessing transaction history, and obtaining real-time market data. By integrating with this API, developers can seamlessly incorporate Uphold’s multi-asset trading and digital wallet functionalities into their applications.

More information available here.

This is a sandbox environment designed to closely mimic the production environment, allowing for extensive testing. Note that the production API (https://api.uphold.com) is listed as out of scope below; test only against the sandbox. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production; if it cannot be replicated, the report will not be considered. In such cases, the team will provide evidence to support their assessment.

The Uphold Wallet GraphQL API (https://api-sandbox.uphold.com/graphql) serves as the API gateway for Uphold’s wallet UIs, facilitating seamless interactions between the front-end interfaces and multiple back-end microservices. Unlike the REST API, which is designed for user automation and third-party integrations, the GraphQL API is primarily responsible for enabling the wallet’s web and mobile applications to fetch and interact with user data, transactions, and account-related functionalities.

More information available here.

This is a sandbox environment designed to closely mimic the production environment, allowing for extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production; if it cannot be replicated, the report will not be considered. In such cases, the team will provide evidence to support their assessment.

The Uphold Enterprise API (https://api.portal.enterprise.uphold.com/) is the backend service supporting the Uphold Enterprise Portal (portal.enterprise.uphold.com), enabling enterprise clients to manage their wallets, user delegations, and integrations with Topper widgets. This API facilitates secure enterprise-level account management, transaction processing, and access control. Security testing should focus on authentication mechanisms, authorization flows, data integrity, and potential vulnerabilities that could impact enterprise account security and operations.

This is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.

The UpHODL Wallet App is a self-custodial, multichain wallet developed by Uphold Labs, allowing users to securely store, manage, and transact digital assets while maintaining full control over their private keys. The wallet supports Bitcoin (BTC), Ethereum (ETH), XRP, ERC-20 tokens, NFTs, and other blockchain networks, offering seamless DeFi access via WalletConnect and the ability to purchase cryptocurrencies directly using a card.

Android

The Uphold Wallet Android Application is the primary mobile platform for Uphold users to manage their wallets, providing a full suite of financial services, including account management, real-time price quotes, transactions, and access to account history. Users can deposit, withdraw, exchange assets, and complete KYC verification directly through the app.

The Uphold Enterprise Portal (https://portal.enterprise.uphold.com) is a secure platform for Uphold’s enterprise clients, providing tools to manage enterprise wallets, delegate user roles and permissions, and integrate with Topper widgets. This portal enables businesses to oversee digital asset operations, facilitate transactions, and enforce access control within their organization. Key features include multi-user account management, real-time transaction monitoring, and compliance support, allowing enterprises to securely manage financial operations.

This is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.

The Uphold Wallet Web Application (https://wallet.uphold.com) is the primary UI platform for Uphold users to manage their wallets, providing a full suite of financial services, including account management, real-time price quotes, transactions, and access to account history. Users can deposit, withdraw, exchange assets, and complete KYC verification directly through the application. To fund a sandbox account, use a crypto testnet faucet (e.g. https://coinfaucet.eu/en/btc-testnet/ for Bitcoin).

This is a sandbox environment designed to closely mimic the production environment, allowing for more extensive testing. Note that the production wallet (https://wallet.uphold.com) is listed as out of scope below; test only against the sandbox wallet. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production, and if it cannot be replicated, the report will not be considered. In such cases, the team will provide evidence to support the assessment.

The Topper REST API (https://api.topperpay.com) provides a pre-widget integration layer, allowing clients to retrieve essential information before initializing a Topper widget. This API enables businesses to fetch supported countries, assets, and payment methods, as well as generate pricing simulations for specific transaction flows. By leveraging this API, clients can display relevant information to users before engaging with the Topper on-ramp or off-ramp services.

More information available here.

This is a sandbox environment designed to closely mimic the production environment, allowing for more extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production, and if it cannot be replicated, the report will not be considered. In such cases, the team will provide evidence to support the assessment.

The Topper Widget (https://app.topperpay.com) is a live, embeddable component designed for seamless integration into client platforms, enabling end-users to perform cryptocurrency on-ramp and off-ramp transactions. This widget facilitates the conversion between fiat and digital assets directly within the client’s interface, providing a streamlined user experience.

This is a sandbox environment designed to closely mimic the production environment, allowing for more extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production, and if it cannot be replicated, the report will not be considered. In such cases, the team will provide evidence to support the assessment.

The Topper GraphQL API (https://graphql.topperpay.com/graphql) serves as the API gateway for app.topperpay.com and all client-integrated Topper widgets, facilitating seamless interaction between external applications and Topper’s internal services. This API routes requests to multiple microservices handling user management, KYC verification, transaction processing, and other core functionalities.

More information available here.

This is a sandbox environment designed to closely mimic the production environment, allowing for more extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production, and if it cannot be replicated, the report will not be considered. In such cases, the team will provide evidence to support the assessment.

Optimus Cards Management Portal (https://uatcms.optimuscards.com) serves as the User Acceptance Testing (UAT) environment for Optimus Cards’ internal management system. This portal is designed for internal use by authorized personnel to manage and oversee various card services and operations. While it mirrors the functionalities of the production environment (https://cms.optimuscards.com), the UAT portal is intended for testing and validation purposes prior to deploying updates to the live system.

Both the UAT and production portals may be powered by similar back-end services; however, security assessments should focus exclusively on the UAT environment (https://uatcms.optimuscards.com). This approach allows for the identification of potential vulnerabilities without impacting live operations.

Security testing should concentrate on identifying vulnerabilities related to authentication mechanisms, access controls, data handling, and potential misconfigurations within the UAT environment.

Please note that service degradation attacks are not permitted.

*.optimuscards.com

Tier 3
Wildcard

The wildcard domain *.optimuscards.com includes all subdomains under optimuscards.com, covering various services related to Optimus Cards’ white-label debit and credit card solutions, Banking as a Service (BaaS), and Cards as a Service (CaaS) for financial institutions and corporate clients. These subdomains may encompass customer account management platforms, API access for partners, administrative portals, and other operational services. Given the financial nature of these services, security testing should focus on identifying vulnerabilities that could impact user data, transactions, or system integrity.

We are willing to give bonuses for any impactful issues found across the rest of our domain, provided we agree on their severity and relevance.

*.topperpay.com

Tier 3
Wildcard

The wildcard domain *.topperpay.com covers any unlisted subdomains related to Topper, an Uphold brand that provides on-ramp and off-ramp solutions for digital assets, enabling users to seamlessly convert between fiat and cryptocurrency. Security testing should focus on identifying vulnerabilities that could impact user security, transaction integrity, or authentication mechanisms.

While we have already listed some subdomains in scope, this wildcard serves to cover any additional subdomains that may be discovered. We are willing to give bonuses for any impactful issues found across the rest of our domain, provided we agree on their severity and relevance.

*.uphodl.com

Tier 3
Wildcard

The wildcard domain *.uphodl.com covers all subdomains related to UpHODL, Uphold Labs’ self-custodial multichain crypto wallet, which enables users to securely manage their digital assets. Security testing should focus on identifying vulnerabilities that could impact user security, transaction integrity, or authentication mechanisms.

While we have already listed some subdomains in scope, this wildcard serves to cover any additional subdomains that may be discovered. We are willing to give bonuses for any impactful issues found across the rest of our domain, provided we agree on their severity and relevance.

*.uphold.com

Tier 3
Wildcard

The wildcard domain *.uphold.com covers any unlisted or undisclosed subdomains related to Uphold’s financial platform, which provides multi-asset trading, digital wallets, and financial services. While most core assets are explicitly listed in scope, this wildcard serves to cover any additional subdomains that may be discovered. Security testing should focus on identifying vulnerabilities that could impact authentication, transaction integrity, or overall platform security.

We are willing to give bonuses for any impactful issues found across the rest of our domain, provided we agree on their severity and relevance.

The Uphold Enterprise API Documentation (https://docs.api.enterprise.uphold.com) provides technical resources for Uphold-as-a-Service, a fully licensed white-label solution that enables financial institutions and business partners to integrate and deploy their own branded digital asset services. This platform offers comprehensive API functionality for managing transactions, compliance, user accounts, and asset trading, while ensuring regulatory compliance and security.

This is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.

Optimus Cards Developer Documentation (https://docs.optimuscards.com) serves as the primary resource for developers integrating with Optimus Cards’ services. This site provides comprehensive API documentation, integration guides, and technical references necessary for implementing Optimus Cards’ payment solutions into applications. While the documentation itself does not process transactions, it acts as a crucial gateway for developers to access sandbox environments, test APIs, and understand the functionalities offered by Optimus Cards.

Each API endpoint and service described in the documentation may be powered by a different back-end system, so security assessments should account for varying architectures, data sources, and authentication mechanisms.

Security testing should focus on identifying vulnerabilities related to API endpoint security, data exposure, and potential misconfigurations.

Please note that service degradation attacks are not permitted.

The Topper Developer Documentation (https://docs.topperpay.com) provides technical guidance for business customers looking to integrate with Topper, a service that facilitates cryptocurrency purchases and payments. It outlines the onboarding process, API authentication, transaction workflows, and integration requirements for businesses leveraging Topper’s platform. This documentation is intended to assist companies in securely and efficiently embedding Topper’s services into their products.

This is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.

The Uphold API Documentation (https://docs.uphold.com) serves as the official resource for developers integrating with the Uphold Platform. It provides detailed guidance on API authentication, endpoints, request/response structures, and best practices for interacting with Uphold’s financial services. The documentation covers topics such as account management, transactions, currency conversion, and security protocols. Bug bounty participants can review the documentation for misconfigurations, security flaws, or exposed sensitive information that could impact the integrity of the Uphold API ecosystem.

This is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.

github.com/uphold/*

Tier 3
Wildcard

The wildcard scope github.com/uphold/* covers any public repositories made available by Uphold on GitHub. These repositories may include SDKs, developer tools, open-source projects, documentation, and other publicly accessible codebases that support Uphold’s ecosystem.

Security testing should focus on identifying misconfigurations, exposed sensitive information, or vulnerabilities that could impact Uphold’s security posture.

We are willing to give bonuses for any impactful issues found across our repositories, provided we agree on their severity and relevance. Please note that third-party dependencies are out of scope unless the issue is caused by a misconfiguration or security oversight by Uphold.

The Uphold Status Page (https://status.uphold.com/) provides real-time and historical data on the operational status of Uphold’s services, including the Mobile Wallet, Web Wallet, API, and more. It offers transparency regarding system performance, uptime statistics, and incident history, allowing users to monitor the health of Uphold’s platform.

This is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.

The Uphold Help Center is a comprehensive support platform designed to assist users with various aspects of their Uphold experience. It offers self-service options for tasks such as resetting passwords, managing two-factor authentication, and downloading transaction histories. The Help Center also provides detailed articles covering account setup, management, deposits, withdrawals, trading features, and security measures. Users can access guidance on updating account information, linking payment methods, understanding fees and limits, and ensuring account security. Additionally, the platform includes resources for reporting suspicious activities and accessing tax-related information. For personalized assistance, users can contact the support team directly through the Help Center.

This is a sandbox environment designed to closely mimic the production environment, allowing for more extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production, and if it cannot be replicated, the report will not be considered. In such cases, the team will provide evidence to support the assessment.

The Topper Support Website (https://support-staging.topperpay.com) serves as the informational and support platform for Topper, providing guidance on account management, verification processes, transaction tracking, and partnership opportunities. Users can access resources to understand Topper’s on-ramp and off-ramp functionalities and submit support requests if needed.

This is a sandbox environment designed to closely mimic the production environment, allowing for more extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production, and if it cannot be replicated, the report will not be considered. In such cases, the team will provide evidence to support the assessment.

Optimus Cards Website (https://www.optimuscards.com) serves as the main informational platform for Optimus Cards, providing an overview of its card issuing and payment solutions. The website primarily offers details on the company’s services, regulatory compliance, and contact information. While it does not facilitate financial transactions or serve as a gateway to customer platforms, it functions as a static informational site for prospective clients and partners.

The website operates as a standalone informational resource without direct integrations to financial systems or user authentication mechanisms. Security assessments should focus on identifying vulnerabilities related to content integrity, redirections, and potential misconfigurations.

Please note that service degradation attacks are not permitted.

The Topper Production Website (https://www.topperpay.com) serves as the informational platform for Topper, an Uphold brand that provides on-ramp and off-ramp solutions for digital assets. The website explains how users can seamlessly convert fiat to crypto (on-ramp) and crypto to fiat (off-ramp) while integrating with various self-custodial wallets. It does not facilitate transactions directly but redirects users to app.topperpay.com for asset exchanges.

This is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.


The UpHODL Production Website (https://www.uphodl.com) serves as the institutional website for UpHODL, Uphold Labs’ self-custodial crypto wallet. It provides information about the wallet’s features, supported assets, security model, and integration with decentralized finance (DeFi) platforms. The site is designed for informational and marketing purposes, guiding users on how to download, set up, and use the UpHODL wallet.

This is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.


The Uphold Website (https://www.uphold.com) serves as the company’s main informational platform, providing an overview of Uphold’s services, institutional offerings, and financial transparency. It includes key sections such as the Transparency Page (real-time reserves data), Institutional and Enterprise offerings, Market Prices, Blog, and Academy, along with general company updates. While the website itself does not provide transactional functionalities, it acts as a gateway to Uphold’s wallet, trading platform, and other financial services.

Technical Note: Each menu category (Individuals, Enterprise, Institutional, Market Prices, Blog, Academy, Transparency) may be powered by different back-end services, meaning security assessments should consider the possibility of varying architectures, data sources, and API implementations.

Security testing should focus on identifying vulnerabilities related to content integrity, redirections, and potential misconfigurations. Please note that service degradation attacks are not permitted.

Out of scope

Topper API (https://api.topperpay.com) serves as the production API for processing transactions and account-related operations. As this is an actively used environment, it is out of scope for security testing.


Uphold API (https://api.uphold.com) serves as the production API endpoint for Uphold’s platform, facilitating financial transactions, account management, and other core functionalities. As this is an actively used environment, it is out of scope for security testing.


Uphold GraphQL API (https://api.uphold.com/graphql) is the production GraphQL endpoint supporting data retrieval and transactional interactions within the Uphold ecosystem. As this is an actively used environment, it is out of scope for security testing.


Topper App (https://app.topperpay.com) is the production web application for users to manage their Topper accounts and perform financial operations. As this is an actively used environment, it is out of scope for security testing.


Optimus Cards Management Portal (https://cms.optimuscards.com) is the production version of the internal management system used for overseeing card services and operations. As this is an actively used environment, it is out of scope: security testing against it is strictly prohibited, and service degradation attacks are not permitted. Use the UAT environment (https://uatcms.optimuscards.com) instead.

Topper GraphQL API (https://graphql.topperpay.com/graphql) serves as the production GraphQL endpoint for data retrieval and financial interactions within the Topper platform. As this is an actively used environment, it is out of scope for security testing.


Topper Support (https://support.topperpay.com) provides customer support and documentation for Topper users. As this is an actively used environment, it is out of scope for security testing.


Uphold Support (https://support.uphold.com) provides customer support and knowledge base resources for Uphold users. As this is an actively used environment, it is out of scope for security testing.


Uphold Wallet (https://wallet.uphold.com) serves as the production interface for users to access their Uphold accounts, manage assets, and perform transactions. As this is an actively used environment, it is out of scope for security testing.

In scope

We invite researchers to help us identify high-impact security vulnerabilities that could affect user security, financial integrity, or the confidentiality of our systems. The following categories are our top priorities:

1 - Bulk Data Exposure

Any method that allows unauthorized access to large volumes of user data is considered critical. This includes:

✔ Personally Identifiable Information (PII) (e.g., names, emails, phone numbers, KYC data).
✔ Transaction history, balances, or account details beyond intended visibility.
✔ API misconfigurations that allow mass data retrieval through enumeration or unauthenticated access.
✔ Improper access controls on dashboards, logs, or internal tools leading to bulk data exposure.

🚫 Out of Scope: Simple email/username enumeration, verbose error messages, or data exposure without a direct impact.

2 - Horizontal Privilege Escalation (Sandbox Only)

Vulnerabilities that allow unauthorized access to another user’s account, data, or transactions are critical security concerns. This includes:
✔ Viewing another user’s personal details, transaction history, balances, or payment methods.
✔ Modifying another user’s account settings, stored assets, or performing actions on their behalf.
✔ Gaining unauthorized access to restricted admin or privileged functions.

⚠️ IMPORTANT: Privilege escalation testing (horizontal and vertical) is only allowed in the Sandbox environment. Unauthorized access to real user accounts in production is strictly prohibited.

3 - Trading & Balance Manipulation

Our financial systems must maintain transaction integrity. We are interested in any method that artificially alters balances or transactions. Key concerns include:
✔ Artificially inflating wallet balances (e.g., receiving more funds than transferred).
✔ Duplicating transactions or executing unintended reversals.
✔ Altering exchange rates to gain an unfair advantage (e.g., slippage manipulation, front-running attacks).
✔ Bypassing deposit, withdrawal, or transaction limits.
✔ Any issue affecting Uphold’s balance sheet, reserves, or trade settlement process.

🚫 Out of Scope: Minor rounding errors, delayed balance updates without financial impact, speculative scenarios without a reproducible exploit.

Our ‘Unicorn’ Bounty Bonus Program

Uphold is committed to fairly compensating security researchers for high-impact discoveries.

For severe vulnerabilities that could result in major financial, operational, or reputational damage, we may offer a discretionary bonus of up to €25,000. Rewards are assessed based on the Severity assessment chapter metrics explained below. Multi-step attacks combining multiple vulnerabilities may qualify for higher payouts.

Out of scope

Disclaimer

Please note that we are unable to issue rewards to jurisdictions where the Uphold platform is not generally made available to users. A list of unsupported jurisdictions is available here.

Out of scope details

Third Parties

Third-party services are out of scope unless an issue is caused by an explicit misconfiguration by Uphold. This includes:

  • Credential disclosures or leaks on third-party services (e.g., VirusTotal, Pastebin, GitHub, public repositories) that are not under Uphold’s control.
  • Exposed API keys, OAuth credentials, or Client IDs on external platforms that do not lead to unauthorized access to Uphold systems.

Application

  • API key disclosure without proven business impact.
  • WordPress username disclosure.
  • Pre-auth account takeover / OAuth squatting.
  • Self-XSS that cannot be used to exploit other users.
  • Verbose messages, files, or directory listings without exposing sensitive information.
  • CORS misconfiguration on non-sensitive endpoints.
  • Missing cookie flags or security headers.
  • Cross-site request forgery (CSRF) with no or low impact.
  • Presence of the autocomplete attribute on web forms.
  • Reverse tabnabbing.
  • Bypassing rate limits or reporting non-existent rate limits.
  • Best practice violations (e.g., weak password complexity, expiration, or reuse).
  • Clickjacking without proven impact or requiring unrealistic user interaction.
  • CSV injection.
  • Sessions not being invalidated (logout, enabling 2FA, etc.).
  • Tokens leaked to third parties (e.g., referrer headers) without proven security risk.
  • Issues related to email spoofing, SPF, DMARC, or DKIM misconfigurations.
  • Content injection without the ability to modify HTML or execute scripts.
  • Username/email enumeration.
  • Email bombing.
  • HTTP request smuggling without proven impact.
  • Homograph attacks.
  • XMLRPC enabled.
  • Banner grabbing/version disclosure.
  • Not stripping metadata from files.
  • Same-site scripting.
  • Subdomain takeover without taking over the subdomain or exploiting it.
  • Arbitrary file upload without proof of execution or access.
  • Blind SSRF without proven business impact (e.g., pingbacks are insufficient).
  • Disclosed/misconfigured Google Maps API keys.
  • Host header injection without proven business impact.
  • Creating apps in the sandbox environment is allowed and is not a finding. If the same is possible in production, it is considered a valid issue.

General

  • Previously known vulnerabilities reported through internal testing will be flagged as duplicates.
  • Theoretical security issues without a realistic exploit scenario.
  • Spam, social engineering, and physical intrusion.
  • DoS, DDoS attacks, or brute-force attacks.
  • Vulnerabilities affecting outdated software that is no longer supported.
  • Broken links in blog posts or outdated content that Uphold does not control.
  • Attacks requiring physical access to a victim’s device (e.g., MitM, compromised accounts).
  • Recently disclosed zero-day vulnerabilities in third-party software within 14 days of a patch release are generally not eligible for rewards.
  • Reports stating that software is outdated or vulnerable without a proof-of-concept (PoC).

AWS Specific

  • Publicly readable S3 buckets – Some of Uphold’s S3 buckets are intentionally public for caching static content.
  • Exceptions: If the S3 bucket contains personal data, private company files, or sensitive credentials, please report it.

Mobile

  • Shared links leaked via the system clipboard.
  • URIs leaked because a malicious app has permissions to view opened URIs.
  • Lack of certificate pinning.
  • Sensitive data in URLs/request bodies when protected by TLS.
  • Lack of obfuscation.
  • Path disclosure in binaries.
  • Self-XSS that cannot be used to exploit other users.
  • Lack of jailbreak & root detection.
  • Crashes due to malformed URL schemes.
  • Lack of binary protection (anti-debugging, SSL pinning, etc.).
  • Snapshot/Pasteboard leakage.
  • Exploits only possible in a jailbroken/rooted environment.
  • API key leakage used for non-sensitive actions.
  • Attacks requiring physical access to a victim’s device.
  • Attacks requiring the installation of malicious applications onto a victim’s device.
  • Attacks exploiting OS vulnerabilities (e.g., an attack specific to a certain Android/iOS version).

Known Issues

These issues were previously accepted but have been reported multiple times and are now considered duplicates. Future submissions of these issues will likely be marked as duplicate unless new impactful variations are demonstrated.

GraphQL Issues

  • GraphQL Batching attacks leading to DoS (Multiple reports across api.uphold.com and graphql.topperpay.com)
  • GraphQL Field Duplication attacks leading to DoS (Reported across different assets but already known and addressed)

Cache Poisoning & Web Exploits

  • Cache Poisoning (CPDoS) using X headers (Multiple reports affecting www.uphold.com/* and portal.enterprise.uphold.com)

Authentication & Account Security

  • Lack of rate limit on OTP passwordless login (Duplicate across multiple reports, already mitigated)

Information Disclosure

  • Transaction details disclosure without proven impact (Accepted once, then duplicated in later submissions)
  • Private IP disclosure without proven impact (Multiple duplicate reports found)
  • Sensitive Token in URL without proven impact (Duplicate reports received)

API Keys, Client Credentials & Cloud Services

  • Firebase details exposed but no proven impact (Reported across multiple assets, marked duplicate after initial acceptance).
  • API keys leaked on JS files without proven impact (Duplicate reports across cdn.uphold.com, blog.uphold.com, and wallet.uphold.com).
  • Client credentials disclosure in third-party repositories or search engines (e.g., VirusTotal, Pastebin, GitHub) that are not under Uphold’s control.
  • OAuth Client IDs exposed without associated secrets (Duplicate reports where no authentication risk was found).

This list is continuously updated to avoid unnecessary duplicates in the future and foster a better relationship with security researchers and ethical hackers. We appreciate your contributions in making our platform more secure and encourage meaningful, high-impact submissions.

Severity assessment

Uphold follows an impact-driven approach to vulnerability classification, ensuring consistent and fair evaluation of security reports. The severity of a vulnerability is determined by:

  1. Intigriti's contextual CVSS standard – Used as a baseline for technical risk assessment.
  2. Tier Matrix – The affected system’s criticality within Uphold’s architecture.
  3. Business Risk – The financial, operational, or reputational impact on Uphold and its users.
  4. Compliance Implications – Whether the vulnerability could lead to regulatory or legal consequences (e.g., GDPR, financial compliance issues).

Final severity classification and reward determination (bonus) are made at Uphold’s discretion. For vulnerabilities that require multiple chained exploits to achieve a significant impact, the report will be assessed holistically, and severity may be adjusted accordingly.

FAQ

1. Can I create sandbox accounts for testing?

Yes, researchers can request sandbox accounts for each application. Contact security@uphold.com to request one, explain the scenarios you are trying to test, and include your @intigriti.me address.

2. How long does it take to review my report?

We aim to acknowledge reports within 48 hours. Triage and validation typically take up to 10 business days.
Resolution time depends on the severity and complexity of the vulnerability and on the number of internal teams involved.

3. Can I publicly disclose a vulnerability I found?

No. Public disclosure is only permitted after receiving explicit written approval from the Uphold security team. Unauthorized disclosure may result in disqualification from the program.

4. Can I use automated vulnerability scanners?

No. Automated vulnerability scanning is prohibited in production environments to prevent service disruptions.

5. Are social engineering or phishing attacks allowed?

No. Social engineering, phishing, and other attacks targeting Uphold employees, users, or third-party providers are strictly prohibited.

6. Can I test against Uphold’s production systems?

You may test low-impact vulnerabilities in production to confirm the proof-of-concepts created in sandbox, but all high-risk testing (e.g., privilege escalation, authentication bypass) must be conducted in the sandbox and communicated to the Uphold team.

7. What happens if my report is a duplicate?

If the issue was previously reported, your report will be marked as a duplicate of the earlier report and no reward will be issued.
Before submitting, check the Known Issues list in the out-of-scope section to avoid submitting duplicates.

8. What should I do if I accidentally access sensitive data?

  • Stop all testing immediately.
  • Do not store, share, or modify the data.
  • Report the issue immediately via Intigriti.

9. Will I receive a reward for all valid reports?

Only vulnerabilities with demonstrable security impact are eligible for rewards. Best-practice violations, low-risk bugs, and issues that cannot be exploited will not be rewarded.

10. What should I include in my report?

A high-quality report should contain:

  • Clear title following the [ASSET] - VULNERABILITY on FIELD/FUNCTION template (e.g., [api.topperpay.com] - SQL injection leading to user details exfiltration on getUserDetails).
  • Clear impact analysis – Why is this a security risk and what is the business/compliance impact?
  • Step-by-step reproduction steps – Detailed instructions with screenshots, logs, or proof-of-concept code.
  • Suggested fixes (if possible).

Overall stats

  • Submissions received: N/A
  • Average payout: €567
  • Accepted submissions: N/A
  • Total payouts: N/A

Last 90 day response times

  • Avg. time to first response: < 24 hours
  • Avg. time to decide: +3 weeks
  • Avg. time to triage: +3 weeks