[{"id":3713390,"new_policy":"# Introduction\nAffirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts and internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\nPlease note: Returnly has been descoped from the bug bounty program effective 4/12/2023. \n\n* **Web application** at https://sandbox.affirm.com/\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Brute force exploits.\n* Clickjacking of any kind. 
It is improperly configured in our test site, but our main domain has an `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of an actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proven in the production environment.\n* Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) related findings.\n* Open redirection at the `/redirect` endpoint with the `redirect` parameter and at the `/apps/affiliate/v1/generate-url` endpoint with the `merchant_fallback_url` parameter.\n* (mobile) Lack of certificate pinning. The test apps are specifically built for the testing environment, so there is no certificate pinning.\n* Missing client-side check on virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device.\n\n# Affirm Testing Environment\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._ \n1. Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**. \n2. 
Use your iOS device to visit that link and initiate the download process. Please note that the testing app is distributed through Firebase, and you have to install the Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through the Google Play Store._ \n\n1. Download the testing Android application by joining the **affirmhackerone** Google Group (https://groups.google.com/forum/#!forum/affirmhackerone). \n2. This Group is open to the public, and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the download process. (The app is only available in the US region in Google Play. If the account you are using is not in the US region, we recommend registering a new account for this testing, since Google only allows switching the region of an account once per year.)\n\n## To register an Affirm test user\n* Go to https://sandbox.affirm.com/, under “Sign Up”, and enter the following information\n* First Name (any value, letters only) \n* Last Name (any value, letters only)\n* Email address (any value, email format required) \n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (older than 18 please) \n* Last 4 digits of SSN (any value between 9500 and 9850; the last 3 digits of the number set the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To leverage an Affirm test user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send an SMS; instead, use the hardcoded PIN code shown below)\n* In the next step, use “123456” as the verification code and click “Verify”. 
\n\n## To use testing payments\nIf you don't have a valid testing payment, you can use the following test payments.\n\n### Testing credit card numbers\n\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n\n### Testing ACH\n\n| Routing Number | Account Number |\n|----------------|----------------|\n| 112200439      | 12345678       |\n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-28T22:21:29.949Z"},{"id":3688552,"new_policy":"# Introduction\nAffirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts or internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\nPlease note: Returnly has been descoped from the bug bounty program effective 4/12/2023. \n\n* **Web application** at https://sandbox.affirm.com/\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Brute force exploits.\n* Clickjacking of any kind. It is improperly configured in our test site, but our main domain has an `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of an actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proven in the production environment.\n* Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) related findings.\n* 
Open redirection at the `/redirect` endpoint with the `redirect` parameter and at the `/apps/affiliate/v1/generate-url` endpoint with the `merchant_fallback_url` parameter.\n* (mobile) Lack of certificate pinning. The test apps are specifically built for the testing environment, so there is no certificate pinning.\n* Missing client-side check on virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device.\n\n# Affirm Testing Environment\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._ \n1. Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**. \n2. Use your iOS device to visit that link and initiate the download process. Please note that the testing app is distributed through Firebase, and you have to install the Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through the Google Play Store._ \n\n1. Download the testing Android application by joining the **affirmhackerone** Google Group (https://groups.google.com/forum/#!forum/affirmhackerone). \n2. This Group is open to the public, and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the download process. (The app is only available in the US region in Google Play. 
If the account you are using is not in the US region, we recommend registering a new account for this testing, since Google only allows switching the region of an account once per year.)\n\n## To register an Affirm test user\n* Go to https://sandbox.affirm.com/ or the mobile application, under “Sign Up”, and enter the following information\n* First Name (any value, letters only) \n* Last Name (any value, letters only)\n* Email address (any value, email format required) \n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (older than 18 please) \n* Last 4 digits of SSN (any value between 9500 and 9850; the last 3 digits of the number set the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To leverage an Affirm test user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send an SMS; instead, use the hardcoded PIN code shown below)\n* In the next step, use “1234” as the verification code and click “Verify”. 
\n\n## To use the testing checkout sites\nYou can go to the following URLs to simulate a checkout using the Affirm app.\n  * Direct point-of-sale: https://direct-prod-sandbox.affirm-dev.com/\n  * Virtual card: https://vcn-prod-sandbox.affirm-dev.com/\n\n## To use testing payments\nIf you don't have a valid testing payment, you can use the following test payments.\n\n### Testing credit card numbers\n\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n\n### Testing ACH\n\n| Routing Number | Account Number |\n|----------------|----------------|\n| 112200439      | 12345678       |\n\nNote that `https://direct-prod-sandbox.affirm-dev.com/` and `https://vcn-prod-sandbox.affirm-dev.com/` are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and do not have any security attached to them. They are out of scope for bounties.\n\n## Scheduled maintenance window\nTwice every week, on Mondays and Thursdays, the above-mentioned test sites go through a maintenance period lasting ~30 minutes starting at 16:00 UTC (NOTE: user data created in the app before the maintenance period will not persist once it completes).\n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-02T18:37:25.094Z"},{"id":3686081,"new_policy":"# Introduction\nAffirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts and internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\nPlease note: Returnly has been descoped from the bug bounty program effective 4/12/2023. \n\n* **Web application** at https://hackerone.affirm-odin.com\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Brute force exploits.\n* Clickjacking of any kind. 
It is improperly configured in our test site, but our main domain has an `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of an actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proven in the production environment.\n* Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) related findings.\n* Open redirection at the `/redirect` endpoint with the `redirect` parameter and at the `/apps/affiliate/v1/generate-url` endpoint with the `merchant_fallback_url` parameter.\n* (mobile) Lack of certificate pinning. The test apps are specifically built for the testing environment, so there is no certificate pinning.\n* Missing client-side check on virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device.\n\n# Affirm Testing Environment\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._ \n1. Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**. \n2. 
Use your iOS device to visit that link and initiate the download process. Please note that the testing app is distributed through Firebase, and you have to install the Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through the Google Play Store._ \n\n1. Download the testing Android application by joining the **affirmhackerone** Google Group (https://groups.google.com/forum/#!forum/affirmhackerone). \n2. This Group is open to the public, and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the download process. (The app is only available in the US region in Google Play. If the account you are using is not in the US region, we recommend registering a new account for this testing, since Google only allows switching the region of an account once per year.)\n\n## To register an Affirm test user\n* Go to https://hackerone.affirm-odin.com/ or the mobile application, under “Sign Up”, and enter the following information\n* First Name (any value, letters only) \n* Last Name (any value, letters only)\n* Email address (any value, email format required) \n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (older than 18 please) \n* Last 4 digits of SSN (any value between 9500 and 9850; the last 3 digits of the number set the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To leverage an Affirm test user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send an SMS; instead, use the hardcoded PIN code shown below)\n* In the next step, use “1234” as the verification code and click “Verify”. 
\n\n## To use the testing checkout sites\nYou can go to the following URLs to simulate a checkout using the Affirm app.\n  * Direct point-of-sale: https://direct-hackerone.affirm-odin.com/\n  * Virtual card: https://vcn-hackerone.affirm-odin.com/\n\n## To use testing payments\nIf you don't have a valid testing payment, you can use the following test payments.\n\n### Testing credit card numbers\n\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n\n### Testing ACH\n\n| Routing Number | Account Number |\n|----------------|----------------|\n| 112200439      | 12345678       |\n\nNote that `https://direct-hackerone.affirm-odin.com/` and `https://vcn-hackerone.affirm-odin.com/` are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and do not have any security attached to them. They are out of scope for bounties.\n\n## Scheduled maintenance window\nTwice every week, on Mondays and Thursdays, the above-mentioned test sites go through a maintenance period lasting ~30 minutes starting at 16:00 UTC (NOTE: user data created in the app before the maintenance period will not persist once it completes).\n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-04-12T18:59:37.606Z"},{"id":3685543,"new_policy":"# Introduction\nAffirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
The following Affirm subsidiaries are also managed through this program: Returnly.\n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts or internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\nPlease note: the Returnly dashboard and return center environments have been updated to reflect the new environments in scope for testing. The Returnly dev environments are no longer in scope for testing effective 3/29/2023. \n\n* **Web application** at https://hackerone.affirm-odin.com\n* **Web application** at https://dashboard.returnly.com \u0026 https://TEST-STORE-SUBDOMAIN.returnly.com\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Brute force exploits.\n* Clickjacking of any kind. It is improperly configured in our test site, but our main domain has an `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of an actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proven in the production environment.\n* Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) related findings.\n* Open redirection at the `/redirect` endpoint with the `redirect` parameter and at the `/apps/affiliate/v1/generate-url` endpoint with the `merchant_fallback_url` parameter.\n* (mobile) Lack of certificate pinning. The test apps are specifically built for the testing environment, so there is no certificate pinning.\n* Missing client-side check on virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device.\n\n# Affirm Testing Environment\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._ \n1. 
Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**. \n2. Use your iOS device to visit that link and initiate the download process. Please note that the testing app is distributed through Firebase, and you have to install the Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through the Google Play Store._ \n\n1. Download the testing Android application by joining the **affirmhackerone** Google Group (https://groups.google.com/forum/#!forum/affirmhackerone). \n2. This Group is open to the public, and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the download process. (The app is only available in the US region in Google Play. If the account you are using is not in the US region, we recommend registering a new account for this testing, since Google only allows switching the region of an account once per year.)\n\n## To register an Affirm test user\n* Go to https://hackerone.affirm-odin.com/ or the mobile application, under “Sign Up”, and enter the following information\n* First Name (any value, letters only) \n* Last Name (any value, letters only)\n* Email address (any value, email format required) \n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (older than 18 please) \n* Last 4 digits of SSN (any value between 9500 and 9850; the last 3 digits of the number set the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To leverage an Affirm test user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send an SMS; instead, use the hardcoded PIN code shown below)\n* In the next step, use “1234” as the verification code and click “Verify”. 
\n\n## To use the testing checkout sites\nYou can go to the following URLs to simulate a checkout using the Affirm app.\n  * Direct point-of-sale: https://direct-hackerone.affirm-odin.com/\n  * Virtual card: https://vcn-hackerone.affirm-odin.com/\n\n## To use testing payments\nIf you don't have a valid testing payment, you can use the following test payments.\n\n### Testing credit card numbers\n\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n\n### Testing ACH\n\n| Routing Number | Account Number |\n|----------------|----------------|\n| 112200439      | 12345678       |\n\nNote that `https://direct-hackerone.affirm-odin.com/` and `https://vcn-hackerone.affirm-odin.com/` are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and do not have any security attached to them. They are out of scope for bounties.\n\n## Scheduled maintenance window\nTwice every week, on Mondays and Thursdays, the above-mentioned test sites go through a maintenance period lasting ~30 minutes starting at 16:00 UTC (NOTE: user data created in the app before the maintenance period will not persist once it completes).\n\n# Returnly Testing Environment\n1. Create a Shopify development store: https://help.shopify.com/en/partners/dashboard/managing-stores/development-stores.\n2. Once you have the store, install the Returnly test application by going to this URL: https://apps.shopify.com/returnly/ and clicking the “Add app” button.\n3. Complete the merchant onboarding flow, and pick a subdomain for your Return Center.\n4. Create and mark test orders as fulfilled.\n5. 
Initiate a return for that product by going to: https://TEST-STORE-SUBDOMAIN.returnly.com (Replace TEST-STORE-SUBDOMAIN with your Shopify store subdomain.)\n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-29T22:09:00.765Z"},{"id":3685534,"new_policy":"# Introduction\nAffirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. The following Affirm subsidiaries are also managed through this program: Returnly.\n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts and internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
\n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\n* **Web application** at https://hackerone.affirm-odin.com\n* **Web application** at https://dashboard.returnly.com \u0026 https://TEST-STORE-SUBDOMAIN.returnly.com\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Brute force exploits.\n* Clickjacking of any kind. It is improperly configured in our test site, but our main domain has an `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of an actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proven in the production environment.\n* Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) related findings.\n* Open redirection at the `/redirect` endpoint with the `redirect` parameter and at the `/apps/affiliate/v1/generate-url` endpoint with the `merchant_fallback_url` parameter.\n* (mobile) Lack of certificate pinning. 
The test apps are specifically built for the testing environment, therefore there's no certificate pinning.\n* Missing client side check on virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device are not in scope.\n\n# Affirm Testing Environment\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._ \n1. Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**. \n2. Use your iOS device to visit that link and initiate the download process. Please note, the testing app is distributed through Firebase, and you have to install Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through Google Play Store._ \n\n1. Download the testing Android application by joining the **affirmhackerone(https://groups.google.com/forum/#!forum/affirmhackerone)** Google Group. \n2. This Group is open to the public and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the downloading process. (The app is only available in the US region in Google Play. 
If the account you are using is not in the US region, we recommend you register a new account for this testing, since Google only allows switching the region of the account once per year.)\n\n## To register an Affirm test user\n* Go to https://hackerone.affirm-odin.com/ or the mobile application, under “Sign Up”, enter the following information\n* First Name (any value, letters only) \n* Last Name (any value, letters only)\n* Email address (any value, email format required) \n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (older than 18 please) \n* Last 4 digits of SSN (any value between 9500 and 9850; the last 3 digits of the number set the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To leverage an Affirm test user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send SMS, instead you use a hardcoded pin code shown below)\n* In the next step, use “1234” as the verification code, click “Verify”. 
\n\n## To use the testing checkout sites:\nYou can go to the following URLs to simulate a checkout using the Affirm app.\n  * Direct point-of-sale: https://direct-hackerone.affirm-odin.com/\n  * Virtual card: https://vcn-hackerone.affirm-odin.com/\n\n## To use testing payments\nIf you don't have a valid testing payment, you can use the following test payments.\n\n## Testing credit card numbers\n\n\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n### Testing ACH\n| Routing Number           | Account Number              |\n|------------------|---------------------|\n| 112200439             | 12345678 |\n\nNote that `https://direct-hackerone.affirm-odin.com/` and `https://vcn-hackerone.affirm-odin.com/` are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and do not have any security attached to them. They are out of scope for bounties.\n\n## Scheduled maintenance window\nTwice every week on Mondays and Thursdays the above mentioned test sites will go through a maintenance period lasting ~30 minutes starting from 16:00 UTC (NOTE: User data in the app prior to the maintenance period won't persist once this completes)\n\n# Returnly Testing Environment\n1. Create a Shopify development store: https://help.shopify.com/en/partners/dashboard/managing-stores/development-stores.\n2. Once you have the store, install the Returnly test application by going to this URL: https://apps.shopify.com/returnly/ and clicking the “Add app” button.\n3. Complete the merchant onboarding flow, and pick a subdomain for your Return Center.\n4. Create and mark test orders as fulfilled.\n5. 
Initiate a return for that product by going to: https://TEST-STORE-SUBDOMAIN.returnly.com (Replace TEST-STORE-SUBDOMAIN with your Shopify store subdomain.)\n\nPlease note: Returnly dashboard and returnly center testing environments have been updated under Program Scope section. The returnly dev environments are no longer in-scope for testing effective 3/29/2023. \n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-29T16:58:54.291Z"},{"id":3679804,"new_policy":"# Introduction\nAffirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. The following Affirm subsidiaries are also managed through this program: Returnly.\n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts and internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\n* **Web application** at https://hackerone.affirm-odin.com\n* **Web application** at https://dashboard.dev.return.ly \u0026 https://TEST-STORE-SUBDOMAIN.dev.return.ly\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Brute force exploits.\n* Clickjacking of any kind. It is improperly configured in our test site, but our main domain has a `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proved in production environment.\n* Sender Policy Framework(SPF) or DomainKeys Identified Mail(DKIM) 
related findings.\n* Open redirection at `/redirect` endpoint with `redirect` parameter and at `/apps/affiliate/v1/generate-url` endpoint with `merchant_fallback_url` parameter.\n* (mobile) Lack of certificate pinning. The test apps are specifically built for the testing environment, therefore there's no certificate pinning.\n* Missing client side check on virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device are not in scope.\n\n# Affirm Testing Environment\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._ \n1. Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**. \n2. Use your iOS device to visit that link and initiate the download process. Please note, the testing app is distributed through Firebase, and you have to install Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through Google Play Store._ \n\n1. Download the testing Android application by joining the **affirmhackerone(https://groups.google.com/forum/#!forum/affirmhackerone)** Google Group. \n2. This Group is open to the public and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the downloading process. (The app is only available in the US region in Google Play. 
If the account you are using is not in the US region, we recommend you register a new account for this testing, since Google only allows switching the region of the account once per year.)\n\n## To register an Affirm test user\n* Go to https://hackerone.affirm-odin.com/ or the mobile application, under “Sign Up”, enter the following information\n* First Name (any value, letters only) \n* Last Name (any value, letters only)\n* Email address (any value, email format required) \n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (older than 18 please) \n* Last 4 digits of SSN (any value between 9500 and 9850; the last 3 digits of the number set the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To leverage an Affirm test user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send SMS, instead you use a hardcoded pin code shown below)\n* In the next step, use “1234” as the verification code, click “Verify”. 
\n\n## To use the testing checkout sites:\nYou can go to the following URLs to simulate a checkout using the Affirm app.\n  * Direct point-of-sale: https://direct-hackerone.affirm-odin.com/\n  * Virtual card: https://vcn-hackerone.affirm-odin.com/\n\n## To use testing payments\nIf you don't have a valid testing payment, you can use the following test payments.\n\n## Testing credit card numbers\n\n\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n### Testing ACH\n| Routing Number           | Account Number              |\n|------------------|---------------------|\n| 112200439             | 12345678 |\n\nNote that `https://direct-hackerone.affirm-odin.com/` and `https://vcn-hackerone.affirm-odin.com/` are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and do not have any security attached to them. They are out of scope for bounties.\n\n## Scheduled maintenance window\nTwice every week on Mondays and Thursdays the above mentioned test sites will go through a maintenance period lasting ~30 minutes starting from 16:00 UTC (NOTE: User data in the app prior to the maintenance period won't persist once this completes)\n\n# Returnly Testing Environment\n1. Create a Shopify development store: https://help.shopify.com/en/partners/dashboard/managing-stores/development-stores.\n2. Once you have the store, install the Returnly test application by going to this URL: https://apps.shopify.com/returnly/ and clicking the “Add app” button.\n3. Complete the merchant onboarding flow, and pick a subdomain for your Return Center.\n4. Create and mark test orders as fulfilled.\n5. 
Initiate a return for that product by going to: https://TEST-STORE-SUBDOMAIN.dev.return.ly (Replace TEST-STORE-SUBDOMAIN with your Shopify store subdomain.)\n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-11-10T16:57:33.400Z"},{"id":3679803,"new_policy":"# Introduction\nAffirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. The following Affirm subsidiaries are also managed through this program: Returnly.\n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts and internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
\n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\n* **Web application** at https://hackerone.affirm-odin.com\n* **Web application** at https://dashboard.dev.return.ly \u0026 https://TEST-STORE-SUBDOMAIN.dev.return.ly\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Brute force exploits.\n* Clickjacking of any kind. It is improperly configured in our test site, but our main domain has a `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proved in production environment.\n* Sender Policy Framework(SPF) or DomainKeys Identified Mail(DKIM) related findings.\n* Open redirection at `/redirect` endpoint with `redirect` parameter and at `/apps/affiliate/v1/generate-url` endpoint with `merchant_fallback_url` parameter.\n* (mobile) Lack of certificate pinning. 
The test apps are specifically built for the testing environment, therefore there's no certificate pinning.\n* Missing client side check on virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device are not in scope.\n\n# Affirm Testing Environment\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._ \n1. Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**. \n2. Use your iOS device to visit that link and initiate the download process. Please note, the testing app is distributed through Firebase, and you have to install Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through Google Play Store._ \n\n1. Download the testing Android application by joining the **affirmhackerone(https://groups.google.com/forum/#!forum/affirmhackerone)** Google Group. \n2. This Group is open to the public and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the downloading process. (The app is only available in the US region in Google Play. 
If the account you are using is not in the US region, we recommend you register a new account for this testing, since Google only allows switching the region of the account once per year.)\n\n## To register an Affirm test user\n* Go to https://hackerone.affirm-odin.com/ or the mobile application, under “Sign Up”, enter the following information\n* First Name (any value, letters only) \n* Last Name (any value, letters only)\n* Email address (any value, email format required) \n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (older than 18 please) \n* Last 4 digits of SSN (any value between 9500 and 9850; the last 3 digits of the number set the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To leverage an Affirm test user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send SMS, instead you use a hardcoded pin code shown below)\n* In the next step, use “1234” as the verification code, click “Verify”. 
\n\n## To use the testing checkout sites:\nYou can go to the following URLs to simulate a checkout using the Affirm app.\n  * Direct point-of-sale: https://direct-hackerone.affirm-odin.com/\n  * Virtual card: https://vcn-hackerone.affirm-odin.com/\n\n## To use testing payments\nIf you don't have a valid testing payment, you can use the following test payments.\n\n## Testing credit card numbers\n\n\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n### Testing ACH\n| Routing Number           | Account Number              |\n|------------------|---------------------|\n| 112200439             | 12345678 |\n\nNote that `https://direct-hackerone.affirm-odin.com/` and `https://vcn-hackerone.affirm-odin.com/` are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and do not have any security attached to them. They are out of scope for bounties.\n\n## Scheduled maintenance window\nTwice every week on Mondays and Thursdays the above mentioned test sites will go through a maintenance period lasting ~30 minutes starting from 16:00 UTC (NOTE: User data in the app prior to the maintenance period won't persist once this completes)\n\n# Returnly Testing Environment\n1. Create a Shopify development store: https://help.shopify.com/en/partners/dashboard/managing-stores/development-stores.\n2. Once you have the store, install the Returnly test application by going to this URL: https://apps.shopify.com/returnly/ and clicking the “Add app” button.\n3. Complete the merchant onboarding flow, and pick a subdomain for your Return Center.\n4. Create and mark test orders as fulfilled.\n5. 
Initiate a return for that product by going to: https://TEST-STORE-SUBDOMAIN.dev.return.ly\n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-11-10T16:55:05.546Z"},{"id":3668650,"new_policy":"# Introduction\nAffirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. The following Affirm subsidiaries are also managed through this program: Returnly.\n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts and internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
\n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\n* **Web application** at https://hackerone.affirm-odin.com\n* **Web application** at https://dashboard.dev.return.ly \u0026 https://TEST-STORE-SUBDOMAIN.dev.return.ly\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Brute force exploits.\n* Clickjacking of any kind. It is improperly configured in our test site, but our main domain has a `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proved in production environment.\n* Sender Policy Framework(SPF) or DomainKeys Identified Mail(DKIM) related findings.\n* Open redirection at `/redirect` endpoint with `redirect` parameter and at `/apps/affiliate/v1/generate-url` endpoint with `merchant_fallback_url` parameter.\n* (mobile) Lack of certificate pinning. 
The test apps are specifically built for the testing environment, therefore there's no certificate pinning.\n* Missing client side check on virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device are not in scope.\n\n# Affirm Testing Environment\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._ \n1. Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**. \n2. Use your iOS device to visit that link and initiate the download process. Please note, the testing app is distributed through Firebase, and you have to install Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through Google Play Store._ \n\n1. Download the testing Android application by joining the **affirmhackerone(https://groups.google.com/forum/#!forum/affirmhackerone)** Google Group. \n2. This Group is open to the public and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the downloading process. (The app is only available in the US region in Google Play. 
If the account you are using is not in the US region, we recommend you register a new account for this testing, since Google only allows switching the region of the account once per year.)\n\n## To register an Affirm test user\n* Go to https://hackerone.affirm-odin.com/ or the mobile application, under “Sign Up”, enter the following information\n* First Name (any value, letters only) \n* Last Name (any value, letters only)\n* Email address (any value, email format required) \n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (older than 18 please) \n* Last 4 digits of SSN (any value between 9500 and 9850; the last 3 digits of the number set the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To leverage an Affirm test user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send SMS, instead you use a hardcoded pin code shown below)\n* In the next step, use “1234” as the verification code, click “Verify”. 
\n\n## To use the testing checkout sites:\nYou can go to the following URLs to simulate a checkout using the Affirm app.\n  * Direct point-of-sale: https://direct-hackerone.affirm-odin.com/\n  * Virtual card: https://vcn-hackerone.affirm-odin.com/\n\n## To use testing payments\nIf you don't have a valid testing payment, you can use the following test payments.\n\n## Testing credit card numbers\n\n\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n### Testing ACH\n| Routing Number           | Account Number              |\n|------------------|---------------------|\n| 112200439             | 12345678 |\n\nNote that `https://direct-hackerone.affirm-odin.com/` and `https://vcn-hackerone.affirm-odin.com/` are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and do not have any security attached to them. They are out of scope for bounties.\n\n## Scheduled maintenance window\nTwice every week on Mondays and Thursdays the above mentioned test sites will go through a maintenance period lasting ~30 minutes starting from 16:00 UTC (NOTE: User data in the app prior to the maintenance period won't persist once this completes)\n\n# Returnly Testing Environment\n1. Create a Shopify development store: \nhttps://help.shopify.com/en/partners/dashboard/managing-stores/development-stores\n2. Once you have the store, install the Returnly test application by going to this URL: \nhttp://dashboard.dev.return.ly/auth/shopify?shop=TEST-STORE-SUBDOMAIN.myshopify.com. (Replace TEST-STORE-SUBDOMAIN with your Shopify store subdomain.)\n3. Complete the merchant onboarding flow, and pick a subdomain for your Return Center\n4. Create and mark test orders as fulfilled\n5. 
Initiate a return for that product by going to: https://TEST-STORE-SUBDOMAIN.dev.return.ly\n\n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-03-29T20:48:36.462Z"},{"id":3668649,"new_policy":"# Introduction\nAffirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. The following Affirm subsidiaries are also managed through this program: Returnly.\n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts and internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
\n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\n* **Web application** at https://hackerone.affirm-odin.com\n* **Web application** at https://dashboard.dev.return.ly \u0026 https://TEST-STORE-SUBDOMAIN.dev.return.ly\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Brute force exploits.\n* Clickjacking of any kind. It is improperly configured in our test site, but our main domain has a `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proved in production environment.\n* Sender Policy Framework(SPF) or DomainKeys Identified Mail(DKIM) related findings.\n* Open redirection at `/redirect` endpoint with `redirect` parameter and at `/apps/affiliate/v1/generate-url` endpoint with `merchant_fallback_url` parameter.\n* (mobile) Lack of certificate pinning. 
The test apps are specifically built for testing environment, therefore there's no certificate pinning.\n* Missing client side check on virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device are not in scope.\n\n# Affirm Testing Environment\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._ \n1. Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**. \n2. Use your iOS device to visit that link and initiate the download process. Please note, the testing app is distributed though Firebase, and you have to install Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through Google Play Store._ \n\n1. Download the testing Android application by joining the **affirmhackerone(https://groups.google.com/forum/#!forum/affirmhackerone)** Google Group. \n2. This Group is open to the public and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the downloading process. (The app is only available in the US region in Google Play. 
If the account you are using is not in the US region, we recommend you to register a new account for this testing, since Google only allows switching the region of the account once per year.)\n\n## To register an Affirm test user\n* Go to https://hackerone.affirm-odin.com/ or the mobile application, under “Sign Up”, enter the following information\n* First Name (any value, letter only ) \n* Last Name (any value, letter only)\n* Email address (any value, email format required) \n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (older than 18 please) \n* Last 4-digits of SSN (any value between 9500 and 9850, and the last 3 digits of the number sets the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To leverage an Affirm test user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send SMS, instead you use a hardcoded pin code shown below)\n* In the next step, use “1234” as the verification code, click “Verify”. 
\n\n## To use the testing checkout sites:\nYou can go to the following urls to simulate a checkout using the Affirm app.\n  * Direct point-of-sale: https://direct-hackerone.affirm-odin.com/\n  * Virtual card: https://vcn-hackerone.affirm-odin.com/\n\n## To use testing payments\nIf you don't have a valid testing payment, you can use the following test payments.\n\n## Testing credit card numbers\n\n\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n### Testing ACH\n| Routing Number           | Account Number              |\n|------------------|---------------------|\n| 112200439             | 12345678 |\n\nNote that `https://direct-hackerone.affirm-odin.com/` and `https://vcn-hackerone.affirm-odin.com/` are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and do not have any security attached to them. They are out of scope for bounties.\n\n## Scheduled maintenance window\nTwice every week on Mondays and Thursdays the above mentioned test sites will go through a maintenance period lasting ~30mins starting from 16:00 PM UTC (NOTE: User data in the app prior to the maintenance period won't persist once this completes)\n\n#Returnly Testing Environment\n\n## Install Shopify Testing App\n1. Create a Shopify development store: \nhttps://help.shopify.com/en/partners/dashboard/managing-stores/development-stores\n2. Once you have the store, install the Returnly test application by going to this URL: \nhttp://dashboard.dev.return.ly/auth/shopify?shop=TEST-STORE-SUBDOMAIN.myshopify.com. 
(Replace TEST-STORE-SUBDOMAIN with your Shopify store subdomain.)\n * Complete the merchant onboarding flow, and a pick a subdomain for your Return Center\n * Create and mark test orders as fulfilled\n * Initiate a return for that product by going to: https://TEST-STORE-SUBDOMAIN.dev.return.ly\n\n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-03-29T20:47:33.536Z"},{"id":3668648,"new_policy":"# Introduction\nAffirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. The following Affirm subsidiaries are also managed through this program: Returnly.\n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts and internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\n* **Web application** at https://hackerone.affirm-odin.com\n* **Web application** at https://dashboard.dev.return.ly \u0026 https://TEST-STORE-SUBDOMAIN.dev.return.ly\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Brute force exploits.\n* Clickjacking of any kind. It is improperly configured in our test site, but our main domain has a `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proved in production environment.\n* Sender Policy Framework(SPF) or DomainKeys Identified Mail(DKIM) 
related findings.\n* Open redirection at `/redirect` endpoint with `redirect` parameter and at `/apps/affiliate/v1/generate-url` endpoint with `merchant_fallback_url` parameter.\n* (mobile) Lack of certificate pinning. The test apps are specifically built for testing environment, therefore there's no certificate pinning.\n* Missing client side check on virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device are not in scope.\n\n# Affirm Testing Environment\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._ \n1. Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**. \n2. Use your iOS device to visit that link and initiate the download process. Please note, the testing app is distributed though Firebase, and you have to install Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through Google Play Store._ \n\n1. Download the testing Android application by joining the **affirmhackerone(https://groups.google.com/forum/#!forum/affirmhackerone)** Google Group. \n2. This Group is open to the public and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the downloading process. (The app is only available in the US region in Google Play. 
If the account you are using is not in the US region, we recommend you to register a new account for this testing, since Google only allows switching the region of the account once per year.)\n\n## To register an Affirm test user\n* Go to https://hackerone.affirm-odin.com/ or the mobile application, under “Sign Up”, enter the following information\n* First Name (any value, letter only ) \n* Last Name (any value, letter only)\n* Email address (any value, email format required) \n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (older than 18 please) \n* Last 4-digits of SSN (any value between 9500 and 9850, and the last 3 digits of the number sets the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To leverage an Affirm test user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send SMS, instead you use a hardcoded pin code shown below)\n* In the next step, use “1234” as the verification code, click “Verify”. 
\n\n## To use the testing checkout sites:\nYou can go to the following urls to simulate a checkout using the Affirm app.\n  * Direct point-of-sale: https://direct-hackerone.affirm-odin.com/\n  * Virtual card: https://vcn-hackerone.affirm-odin.com/\n\n## To use testing payments\nIf you don't have a valid testing payment, you can use the following test payments.\n\n## Testing credit card numbers\n\n\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n### Testing ACH\n| Routing Number           | Account Number              |\n|------------------|---------------------|\n| 112200439             | 12345678 |\n\nNote that `https://direct-hackerone.affirm-odin.com/` and `https://vcn-hackerone.affirm-odin.com/` are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and do not have any security attached to them. They are out of scope for bounties.\n\n## Scheduled maintenance window\nTwice every week on Mondays and Thursdays the above mentioned test sites will go through a maintenance period lasting ~30mins starting from 16:00 PM UTC (NOTE: User data in the app prior to the maintenance period won't persist once this completes)\n\n#Returnly Testing Environment\n\n## Install Shopify Testing App\n1. Create a Shopify development store: \nhttps://help.shopify.com/en/partners/dashboard/managing-stores/development-stores\n2. Once you have the store, install the Returnly test application by going to this URL: \nhttp://dashboard.dev.return.ly/auth/shopify?shop=TEST-STORE-SUBDOMAIN.myshopify.com. 
(Replace TEST-STORE-SUBDOMAIN with your Shopify store subdomain.)\n*Complete the merchant onboarding flow, and a pick a subdomain for your Return Center\n*Create and mark test orders as fulfilled\n*Initiate a return for that product by going to: https://TEST-STORE-SUBDOMAIN.dev.return.ly\n\n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-03-29T20:46:37.849Z"},{"id":3668646,"new_policy":"# Introduction\nAffirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. The following Affirm subsidiaries are also managed through this program: Returnly.\n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts and internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\n* **Web application** at hackerone.affirm-odin.com\n* **Web application** at dashboard.dev.return.ly \u0026 TEST-STORE-SUBDOMAIN.dev.return.ly\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n* **Affirm resources hosted on other third-party services**\n\n## Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Brute force exploits.\n* Clickjacking of any kind. It is improperly configured in our test site, but our main domain has a `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proved in production environment.\n* Sender Policy 
Framework(SPF) or DomainKeys Identified Mail(DKIM) related findings.\n* Open redirection at `/redirect` endpoint with `redirect` parameter and at `/apps/affiliate/v1/generate-url` endpoint with `merchant_fallback_url` parameter.\n* (mobile) Lack of certificate pinning. The test apps are specifically built for testing environment, therefore there's no certificate pinning.\n* Missing client side check on virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device are not in scope.\n\n# Downloading Mobile Testing Apps\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._ \n1. Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**. \n2. Use your iOS device to visit that link and initiate the download process. Please note, the testing app is distributed though Firebase, and you have to install Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through Google Play Store._ \n\n1. Download the testing Android application by joining the **affirmhackerone(https://groups.google.com/forum/#!forum/affirmhackerone)** Google Group. \n2. This Group is open to the public and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the downloading process. (The app is only available in the US region in Google Play. 
If the account you are using is not in the US region, we recommend you to register a new account for this testing, since Google only allows switching the region of the account once per year.)\n\n\n# Test User Creation and Usage\n\n## To register a test user\n* Go to https://hackerone.affirm-odin.com/ or the mobile application, under “Sign Up”, enter the following information\n* First Name (any value, letter only ) \n* Last Name (any value, letter only)\n* Email address (any value, email format required) \n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (older than 18 please) \n* Last 4-digits of SSN (any value between 9500 and 9850, and the last 3 digits of the number sets the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To use the user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send SMS, instead you use a hardcoded pin code shown below)\n* In the next step, use “1234” as the verification code, click “Verify”. 
\n\n## To use the testing checkout sites:\nYou can go to the following urls to simulate a checkout using the Affirm app.\n  * Direct point-of-sale: https://direct-hackerone.affirm-odin.com/\n  * Virtual card: https://vcn-hackerone.affirm-odin.com/\n\n## To use testing payments\nIf you don't have a valid testing payment, you can use the following test payments.\n\n## Testing credit card numbers\n\n\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n### Testing ACH\n| Routing Number           | Account Number              |\n|------------------|---------------------|\n| 112200439             | 12345678 |\n\nNote that `https://direct-hackerone.affirm-odin.com/` and `https://vcn-hackerone.affirm-odin.com/` are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and do not have any security attached to them. 
They are out of scope for bounties.\n\n## Scheduled maintenance window\nTwice every week on Mondays and Thursdays the above mentioned test sites will go through a maintenance period lasting ~30mins starting from 16:00 PM UTC (NOTE: User data in the app prior to the maintenance period won't persist once this completes)\n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-03-29T20:39:00.384Z"},{"id":3660169,"new_policy":"Affirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts and internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
\n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\n* **Web application** at http://hackerone.affirm-odin.com/\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n* **Affirm resources hosted on other third-party services**\n\n## Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Brute force exploits.\n* Clickjacking of any kind. It is improperly configured in our test site, but our main domain has a `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proved in production environment.\n* Sender Policy Framework(SPF) or DomainKeys Identified Mail(DKIM) related findings.\n* Open redirection at `/redirect` endpoint with `redirect` parameter and at `/apps/affiliate/v1/generate-url` endpoint with `merchant_fallback_url` parameter.\n* (mobile) Lack of certificate pinning. 
The test apps are specifically built for testing environment, therefore there's no certificate pinning.\n* Missing client side check on virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device are not in scope.\n\n# Downloading Mobile Testing Apps\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._ \n1. Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**. \n2. Use your iOS device to visit that link and initiate the download process. Please note, the testing app is distributed though Firebase, and you have to install Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through Google Play Store._ \n\n1. Download the testing Android application by joining the **affirmhackerone(https://groups.google.com/forum/#!forum/affirmhackerone)** Google Group. \n2. This Group is open to the public and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the downloading process. (The app is only available in the US region in Google Play. 
If the account you are using is not in the US region, we recommend you to register a new account for this testing, since Google only allows switching the region of the account once per year.)\n\n\n# Test User Creation and Usage\n\n## To register a test user\n* Go to https://hackerone.affirm-odin.com/ or the mobile application, under “Sign Up”, enter the following information\n* First Name (any value, letter only ) \n* Last Name (any value, letter only)\n* Email address (any value, email format required) \n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (older than 18 please) \n* Last 4-digits of SSN (any value between 9500 and 9850, and the last 3 digits of the number sets the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To use the user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send SMS, instead you use a hardcoded pin code shown below)\n* In the next step, use “1234” as the verification code, click “Verify”. 
\n\n## To use the testing checkout sites:\nYou can go to the following urls to simulate a checkout using the Affirm app.\n  * Direct point-of-sale: https://direct-hackerone.affirm-odin.com/\n  * Virtual card: https://vcn-hackerone.affirm-odin.com/\n\n## To use testing payments\nIf you don't have a valid testing payment, you can use the following test payments.\n\n## Testing credit card numbers\n\n\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n### Testing ACH\n| Routing Number           | Account Number              |\n|------------------|---------------------|\n| 112200439             | 12345678 |\n\nNote that `https://direct-hackerone.affirm-odin.com/` and `https://vcn-hackerone.affirm-odin.com/` are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and do not have any security attached to them. 
They are out of scope for bounties.\n\n## Scheduled maintenance window\nTwice every week on Mondays and Thursdays the above mentioned test sites will go through a maintenance period lasting ~30mins starting from 16:00 PM UTC (NOTE: User data in the app prior to the maintenance period won't persist once this completes)\n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-18T21:11:59.771Z"},{"id":3651899,"new_policy":"Affirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts and internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
\n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\n* **Web application** at http://hackerone.affirm-odin.com/\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n* **Affirm resources hosted on other third-party services**\n\n## Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Brute force exploits.\n* Clickjacking of any kind. It is improperly configured in our test site, but our main domain has a `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proved in production environment.\n* Sender Policy Framework(SPF) or DomainKeys Identified Mail(DKIM) related findings.\n* Open redirection at `/redirect` endpoint with `redirect` parameter and at `/apps/affiliate/v1/generate-url` endpoint with `merchant_fallback_url` parameter.\n* (mobile) Lack of certificate pinning. 
The test apps are specifically built for testing environment, therefore there's no certificate pinning.\n* Missing client side check on virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device are not in scope.\n\n# Downloading Mobile Testing Apps\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._ \n1. Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**. \n2. Use your iOS device to visit that link and initiate the download process. Please note, the testing app is distributed though Firebase, and you have to install Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through Google Play Store._ \n\n1. Download the testing Android application by joining the **affirmhackerone(https://groups.google.com/forum/#!forum/affirmhackerone)** Google Group. \n2. This Group is open to the public and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the downloading process. (The app is only available in the US region in Google Play. 
If the account you are using is not in the US region, we recommend registering a new account for this testing, since Google only allows switching an account's region once per year.)\n\n# Test User Creation and Usage\n\n## To register a test user\n* Go to https://hackerone.affirm-odin.com/ or the mobile application and, under “Sign Up”, enter the following information:\n* First Name (any value, letters only)\n* Last Name (any value, letters only)\n* Email address (any value, email format required)\n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (must be older than 18)\n* Last 4 digits of SSN (any value between 9500 and 9850; the last 3 digits of the number set the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To log in as the test user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send an SMS; instead, use the hardcoded PIN code shown below).\n* In the next step, enter “1234” as the verification code and click “Verify”. 
\n\n## To use the testing checkout sites\nYou can go to the following URLs to simulate a checkout using the Affirm app.\n  * Direct point-of-sale: https://direct-hackerone.affirm-odin.com/\n  * Virtual card: https://vcn-hackerone.affirm-odin.com/\n\n## To use testing payments\nIf you don't have a valid testing payment method, you can use the following test payment details.\n### Testing credit card numbers\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n\n### Testing ACH\n| Routing Number | Account Number |\n|----------------|----------------|\n| 112200439      | 12345678       |\n\nNote that `https://direct-hackerone.affirm-odin.com/` and `https://vcn-hackerone.affirm-odin.com/` are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and do not have any security controls attached to them. 
They are out of scope for bounties.\n\n## Scheduled maintenance window\nEvery week on Sundays, the above-mentioned test sites go through a maintenance period lasting ~30 minutes starting at 12:00 PM UTC. (NOTE: user data created in the app before the maintenance period will not persist once it completes.)\n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-05-04T19:01:46.717Z"},{"id":3650111,"new_policy":"Affirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts and internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
\n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\n* **Web application** at http://hackerone.affirm-odin.com/\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n\n## Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Brute force exploits.\n* Clickjacking of any kind. It is improperly configured on our test site, but our main domain has an `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of an actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proven in the production environment.\n* Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) related findings.\n* Open redirection at the `/redirect` endpoint with the `redirect` parameter and at the `/apps/affiliate/v1/generate-url` endpoint with the `merchant_fallback_url` parameter.\n* (mobile) Lack of certificate pinning. 
The test apps are built specifically for the testing environment, so there is no certificate pinning.\n* Missing client-side check on the virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device are not in scope.\n\n# Downloading Mobile Testing Apps\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._\n1. Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**.\n2. Use your iOS device to visit that link and initiate the download process. Please note that the testing app is distributed through Firebase, so you have to install the Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through the Google Play Store._\n\n1. Download the testing Android application by joining the **[affirmhackerone](https://groups.google.com/forum/#!forum/affirmhackerone)** Google Group.\n2. This Group is open to the public, and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the download process. (The app is only available in the US region of Google Play. 
If the account you are using is not in the US region, we recommend registering a new account for this testing, since Google only allows switching an account's region once per year.)\n\n# Test User Creation and Usage\n\n## To register a test user\n* Go to https://hackerone.affirm-odin.com/ or the mobile application and, under “Sign Up”, enter the following information:\n* First Name (any value, letters only)\n* Last Name (any value, letters only)\n* Email address (any value, email format required)\n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (must be older than 18)\n* Last 4 digits of SSN (any value between 9500 and 9850; the last 3 digits of the number set the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To log in as the test user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send an SMS; instead, use the hardcoded PIN code shown below).\n* In the next step, enter “1234” as the verification code and click “Verify”. 
\n\n## To use the testing checkout sites\nYou can go to the following URLs to simulate a checkout using the Affirm app.\n  * Direct point-of-sale: https://direct-hackerone.affirm-odin.com/\n  * Virtual card: https://vcn-hackerone.affirm-odin.com/\n\n## To use testing payments\nIf you don't have a valid testing payment method, you can use the following test payment details.\n### Testing credit card numbers\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n\n### Testing ACH\n| Routing Number | Account Number |\n|----------------|----------------|\n| 112200439      | 12345678       |\n\nNote that `https://direct-hackerone.affirm-odin.com/` and `https://vcn-hackerone.affirm-odin.com/` are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and do not have any security controls attached to them. 
They are out of scope for bounties.\n\n## Scheduled maintenance window\nEvery week on Sundays, the above-mentioned test sites go through a maintenance period lasting ~30 minutes starting at 12:00 PM UTC. (NOTE: user data created in the app before the maintenance period will not persist once it completes.)\n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-19T17:32:14.480Z"},{"id":3650110,"new_policy":"Affirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts and internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
\n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\n* **Web application** at http://hackerone.affirm-odin.com/\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n\n## Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Brute force exploits.\n* Clickjacking of any kind. It is improperly configured on our test site, but our main domain has an `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of an actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proven in the production environment.\n* Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) related findings.\n* Open redirection at the `/redirect` endpoint with the `redirect` parameter and at the `/apps/affiliate/v1/generate-url` endpoint with the `merchant_fallback_url` parameter.\n* (mobile) Lack of certificate pinning. 
The test apps are built specifically for the testing environment, so there is no certificate pinning.\n* Missing client-side check on the virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device are not in scope.\n\n# Downloading Mobile Testing Apps\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._\n1. Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**.\n2. Use your iOS device to visit that link and initiate the download process. Please note that the testing app is distributed through Firebase, so you have to install the Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through the Google Play Store._\n\n1. Download the testing Android application by joining the **[affirmhackerone](https://groups.google.com/forum/#!forum/affirmhackerone)** Google Group.\n2. This Group is open to the public, and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the download process. (The app is only available in the US region of Google Play. 
If the account you are using is not in the US region, we recommend registering a new account for this testing, since Google only allows switching an account's region once per year.)\n\n# Test User Creation and Usage\n\n## To register a test user\n* Go to https://hackerone.affirm-odin.com/ or the mobile application and, under “Sign Up”, enter the following information:\n* First Name (any value, letters only)\n* Last Name (any value, letters only)\n* Email address (any value, email format required)\n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (must be older than 18)\n* Last 4 digits of SSN (any value between 9500 and 9850; the last 3 digits of the number set the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To log in as the test user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send an SMS; instead, use the hardcoded PIN code shown below).\n* In the next step, enter “1234” as the verification code and click “Verify”. 
\n\n## To use the testing checkout sites\nYou can go to the following URLs to simulate a checkout using the Affirm app.\n  * Direct point-of-sale: https://direct-hackerone.affirm-odin.com/\n  * Virtual card: https://vcn-hackerone.affirm-odin.com/\n\n## To use testing payments\nIf you don't have a valid testing payment method, you can use the following test payment details.\n### Testing credit card numbers\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n\n### Testing ACH\n| Routing Number | Account Number |\n|----------------|----------------|\n| 112200439      | 12345678       |\n\nNote that `https://direct-hackerone.affirm-odin.com/` and `https://vcn-hackerone.affirm-odin.com/` are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and do not have any security controls attached to them. 
They are out of scope for bounties.\n\n## Scheduled maintenance window\nEvery week on Sundays, the above-mentioned test sites go through a maintenance period lasting ~30 minutes starting at 12:00 PM UTC. (NOTE: user data created in the app before the maintenance period will not persist once it completes.)\n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-19T17:30:12.389Z"},{"id":3649909,"new_policy":"Affirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts and internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
\n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\n* **Web application** at http://hackerone.affirm-odin.com/\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n\n## Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Brute force exploits.\n* Clickjacking of any kind. It is improperly configured on our test site, but our main domain has an `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of an actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proven in the production environment.\n* Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) related findings.\n* Open redirection at the `/redirect` endpoint with the `redirect` parameter and at the `/apps/affiliate/v1/generate-url` endpoint with the `merchant_fallback_url` parameter.\n* (mobile) Lack of certificate pinning. 
The test apps are built specifically for the testing environment, so there is no certificate pinning.\n* Missing client-side check on the virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device are not in scope.\n\n# Downloading Mobile Testing Apps\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._\n1. Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**.\n2. Use your iOS device to visit that link and initiate the download process. Please note that the testing app is distributed through Firebase, so you have to install the Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through the Google Play Store._\n\n1. Download the testing Android application by joining the **[affirmhackerone](https://groups.google.com/forum/#!forum/affirmhackerone)** Google Group.\n2. This Group is open to the public, and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the download process. (The app is only available in the US region of Google Play. 
If the account you are using is not in the US region, we recommend registering a new account for this testing, since Google only allows switching an account's region once per year.)\n\n# Test User Creation and Usage\n\n## To register a test user\n* Go to https://hackerone.affirm-odin.com/ or the mobile application and, under “Sign Up”, enter the following information:\n* First Name (any value, letters only)\n* Last Name (any value, letters only)\n* Email address (any value, email format required)\n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (must be older than 18)\n* Last 4 digits of SSN (any value between 9500 and 9850; the last 3 digits of the number set the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To log in as the test user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send an SMS; instead, use the hardcoded PIN code shown below).\n* In the next step, enter “1234” as the verification code and click “Verify”. 
\n\n## To use the testing checkout sites\nYou can go to the following URLs to simulate a checkout using the Affirm app.\n  * Direct point-of-sale: https://direct-hackerone.affirm-odin.com/\n  * Virtual card: https://vcn-hackerone.affirm-odin.com/\n\n## To use testing payments\nIf you don't have a valid testing payment method, you can use the following test payment details.\n### Testing credit card numbers\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n\n### Testing ACH\n| Routing Number | Account Number |\n|----------------|----------------|\n| 112200439      | 12345678       |\n\nNote that `https://direct-hackerone.affirm-odin.com/` and `https://vcn-hackerone.affirm-odin.com/` are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and do not have any security controls attached to them. 
They are out of scope for bounties.\n\n## Scheduled maintenance window\nEvery week on Sundays, the above-mentioned test sites go through a maintenance period lasting ~30 minutes starting at 12:00 PM UTC. (NOTE: user data created in the app before the maintenance period will not persist once it completes.)\n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-15T17:28:16.904Z"},{"id":3648593,"new_policy":"Affirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts and internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\n* **Web application** at http://hackerone.affirm-odin.com/\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n\n## Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Brute force exploits.\n* Clickjacking of any kind. It is improperly configured on our test site, but our main domain has an `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of an actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proven in the production environment.\n* Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) related findings.\n* Open redirection at the `/redirect` endpoint with the `redirect` parameter and at the 
`/apps/affiliate/v1/generate-url` endpoint with the `merchant_fallback_url` parameter.\n* (mobile) Lack of certificate pinning. The test apps are built specifically for the testing environment, so there is no certificate pinning.\n* Missing client-side check on the virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device are not in scope.\n\n# Downloading Mobile Testing Apps\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._\n1. Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**.\n2. Use your iOS device to visit that link and initiate the download process. Please note that the testing app is distributed through Firebase, so you have to install the Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through the Google Play Store._\n\n1. Download the testing Android application by joining the **[affirmhackerone](https://groups.google.com/forum/#!forum/affirmhackerone)** Google Group.\n2. This Group is open to the public, and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the download process. (The app is only available in the US region of Google Play. 
If the account you are using is not in the US region, we recommend registering a new account for this testing, since Google only allows switching an account's region once per year.)\n\n# Test User Creation and Usage\n\n## To register a test user\n* Go to https://hackerone.affirm-odin.com/ or the mobile application and, under “Sign Up”, enter the following information:\n* First Name (any value, letters only)\n* Last Name (any value, letters only)\n* Email address (any value, email format required)\n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (must be older than 18)\n* Last 4 digits of SSN (any value between 9500 and 9850; the last 3 digits of the number set the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To log in as the test user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send an SMS; instead, use the hardcoded PIN code shown below).\n* In the next step, enter “1234” as the verification code and click “Verify”. 
\n\n## To use the testing checkout sites\nYou can go to the following URLs to simulate a checkout using the Affirm app.\n  * Direct point-of-sale: https://direct-hackerone.affirm-odin.com/\n  * Virtual card: https://vcn-hackerone.affirm-odin.com/\n\n## To use testing payments\nIf you don't have a valid testing payment method, you can use the following test payment details.\n### Testing credit card numbers\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n\n### Testing ACH\n| Routing Number | Account Number |\n|----------------|----------------|\n| 112200439      | 12345678       |\n\nNote that `https://direct-hackerone.affirm-odin.com/` and `https://vcn-hackerone.affirm-odin.com/` are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and do not have any security controls attached to them. 
They are out of scope for bounties.\n\n## Scheduled maintenance window\nEvery week on Sundays, the above-mentioned test sites go through a maintenance period lasting ~30 minutes starting at 12:00 PM UTC. (NOTE: user data created in the app before the maintenance period will not persist once it completes.)\n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-02-10T20:30:17.467Z"},{"id":3648584,"new_policy":"Affirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts and internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\n* **Web application** at http://hackerone.affirm-odin.com/\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n\n## Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Brute force exploits.\n* Clickjacking of any kind. It is improperly configured in our test site, but our main domain has an `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proved in production environment.\n* Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) related findings.\n* Open redirection at `/redirect` endpoint with `redirect` parameter and at 
`/apps/affiliate/v1/generate-url` endpoint with `merchant_fallback_url` parameter.\n* (mobile) Lack of certificate pinning. The test apps are specifically built for the testing environment, therefore there's no certificate pinning.\n* Missing client-side check on virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device are not in scope.\n\n# Downloading Mobile Testing Apps\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._ \n1. Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**. \n2. Use your iOS device to visit that link and initiate the download process. Please note, the testing app is distributed through Firebase, and you have to install Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through Google Play Store._ \n\n1. Download the testing Android application by joining the **affirmhackerone(https://groups.google.com/forum/#!forum/affirmhackerone)** Google Group. \n2. This Group is open to the public and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the downloading process. (The app is only available in the US region in Google Play. 
If the account you are using is not in the US region, we recommend that you register a new account for this testing, since Google only allows switching the region of the account once per year.)\n\n\n# Test User Creation and Usage\n\n## To register a test user\n* Go to https://hackerone.affirm-odin.com/ or the mobile application, under “Sign Up”, enter the following information\n* First Name (any value, letters only) \n* Last Name (any value, letters only)\n* Email address (any value, email format required) \n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (older than 18 please) \n* Last 4-digits of SSN (any value between 9500 and 9850, and the last 3 digits of the number sets the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To use the user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send SMS, instead you use a hardcoded pin code shown below)\n* In the next step, use “1234” as the verification code, click “Verify”. 
\n\n## To use the testing checkout sites:\nYou can go to the following urls to simulate a checkout using the Affirm app.\n  * Direct point-of-sale: https://direct-hackerone.affirm-odin.com/\n  * Virtual card: https://vcn-hackerone.affirm-odin.com/\n\n## To use testing payments\nIf you don't have a valid testing payment, you can use the following test payments.\n### Testing credit card numbers\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n### Testing ACH\n| Routing Number           | Account Number              |\n|------------------|---------------------|\n| 112200439             | 12345678 |\n\nNote that `https://direct-hackerone.affirm-odin.com/` and `https://vcn-hackerone.affirm-odin.com/` are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and do not have any security attached to them. They are out of scope for bounties.\n\n## Scheduled maintenance window\nEvery week on Sundays the above mentioned test sites will go through a maintenance period lasting ~30mins starting from 12:00 PM UTC\n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-02-10T16:21:07.061Z"},{"id":3644158,"new_policy":"Affirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. 
And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts and internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\n* **Web application** at http://hackerone.affirm-odin.com/\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n\n## Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Brute force exploits.\n* Clickjacking of any kind. 
It is improperly configured in our test site, but our main domain has an `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proved in production environment.\n* Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) related findings.\n* Open redirection at `/redirect` endpoint with `redirect` parameter and at `/apps/affiliate/v1/generate-url` endpoint with `merchant_fallback_url` parameter.\n* (mobile) Lack of certificate pinning. The test apps are specifically built for the testing environment, therefore there's no certificate pinning.\n* Missing client-side check on virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device are not in scope.\n\n# Downloading Mobile Testing Apps\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._ \n1. Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**. \n2. 
Use your iOS device to visit that link and initiate the download process. Please note, the testing app is distributed through Firebase, and you have to install Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through Google Play Store._ \n\n1. Download the testing Android application by joining the **affirmhackerone(https://groups.google.com/forum/#!forum/affirmhackerone)** Google Group. \n2. This Group is open to the public and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the downloading process. (The app is only available in the US region in Google Play. If the account you are using is not in the US region, we recommend that you register a new account for this testing, since Google only allows switching the region of the account once per year.)\n\n\n# Test User Creation and Usage\n\n## To register a test user\n* Go to https://hackerone.affirm-odin.com/ or the mobile application, under “Sign Up”, enter the following information\n* First Name (any value, letters only) \n* Last Name (any value, letters only)\n* Email address (any value, email format required) \n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (older than 18 please) \n* Last 4-digits of SSN (any value between 9500 and 9850, and the last 3 digits of the number sets the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To use the user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send SMS, instead you use a hardcoded pin code shown below)\n* In the next step, use “1234” as the verification code, click “Verify”. 
\n\n## To use the testing checkout sites:\nYou can go to the following urls to simulate a checkout using the Affirm app.\n  * Direct point-of-sale: https://direct-hackerone.affirm-odin.com/\n  * Virtual card: https://vcn-hackerone.affirm-odin.com/\n\n## To use testing payments\nIf you don't have a valid testing payment, you can use the following test payments.\n### Testing credit card numbers\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n### Testing ACH\n| Routing Number           | Account Number              |\n|------------------|---------------------|\n| 112200439             | 12345678 |\n\nNote that `https://direct-hackerone.affirm-odin.com/` and `https://vcn-hackerone.affirm-odin.com/` are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and do not have any security attached to them. They are out of scope for bounties.\n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-23T00:09:15.882Z"},{"id":3644109,"new_policy":"Affirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. 
And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts and internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\n* **Web application** at http://hackerone.affirm-odin.com/\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n\n## Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Brute force exploits.\n* Clickjacking of any kind. 
It is improperly configured in our test site, but our main domain has an `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proved in production environment.\n* Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) related findings.\n* Open redirection at `/redirect` endpoint.\n* (mobile) Lack of certificate pinning. The test apps are specifically built for the testing environment, therefore there's no certificate pinning.\n* Missing client-side check on virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device are not in scope.\n\n# Downloading Mobile Testing Apps\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._ \n1. Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**. \n2. Use your iOS device to visit that link and initiate the download process. 
Please note, the testing app is distributed through Firebase, and you have to install Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through Google Play Store._ \n\n1. Download the testing Android application by joining the **affirmhackerone(https://groups.google.com/forum/#!forum/affirmhackerone)** Google Group. \n2. This Group is open to the public and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the downloading process. (The app is only available in the US region in Google Play. If the account you are using is not in the US region, we recommend that you register a new account for this testing, since Google only allows switching the region of the account once per year.)\n\n\n# Test User Creation and Usage\n\n## To register a test user\n* Go to https://hackerone.affirm-odin.com/ or the mobile application, under “Sign Up”, enter the following information\n* First Name (any value, letters only) \n* Last Name (any value, letters only)\n* Email address (any value, email format required) \n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (older than 18 please) \n* Last 4-digits of SSN (any value between 9500 and 9850, and the last 3 digits of the number sets the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To use the user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send SMS, instead you use a hardcoded pin code shown below)\n* In the next step, use “1234” as the verification code, click “Verify”. 
\n\n## To use the testing checkout sites:\nYou can go to the following urls to simulate a checkout using the Affirm app.\n  * Direct point-of-sale: https://direct-hackerone.affirm-odin.com/\n  * Virtual card: https://vcn-hackerone.affirm-odin.com/\n\n## To use testing payments\nIf you don't have a valid testing payment, you can use the following test payments.\n### Testing credit card numbers\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n### Testing ACH\n| Routing Number           | Account Number              |\n|------------------|---------------------|\n| 112200439             | 12345678 |\n\nNote that `https://direct-hackerone.affirm-odin.com/` and `https://vcn-hackerone.affirm-odin.com/` are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and do not have any security attached to them. They are out of scope for bounties.\n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-21T23:36:40.292Z"},{"id":3641195,"new_policy":"Affirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. 
And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts and internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\n* **Web application** at http://hackerone.affirm-odin.com/\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n\n## Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Brute force exploits.\n* Clickjacking of any kind. 
It is improperly configured in our test site, but our main domain has an `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proved in production environment.\n* Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) related findings.\n* (mobile) Lack of certificate pinning. The test apps are specifically built for the testing environment, therefore there's no certificate pinning.\n* Missing client-side check on virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device are not in scope.\n\n# Downloading Mobile Testing Apps\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._ \n1. Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**. \n2. Use your iOS device to visit that link and initiate the download process. 
Please note, the testing app is distributed through Firebase, and you have to install Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through Google Play Store._ \n\n1. Download the testing Android application by joining the **affirmhackerone(https://groups.google.com/forum/#!forum/affirmhackerone)** Google Group. \n2. This Group is open to the public and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the downloading process. (The app is only available in the US region in Google Play. If the account you are using is not in the US region, we recommend that you register a new account for this testing, since Google only allows switching the region of the account once per year.)\n\n\n# Test User Creation and Usage\n\n## To register a test user\n* Go to https://hackerone.affirm-odin.com/ or the mobile application, under “Sign Up”, enter the following information\n* First Name (any value, letters only) \n* Last Name (any value, letters only)\n* Email address (any value, email format required) \n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (older than 18 please) \n* Last 4-digits of SSN (any value between 9500 and 9850, and the last 3 digits of the number sets the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To use the user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send SMS, instead you use a hardcoded pin code shown below)\n* In the next step, use “1234” as the verification code, click “Verify”. 
\n\n## To use the testing checkout sites:\nYou can go to the following urls to simulate a checkout using the Affirm app.\n  * Direct point-of-sale: https://direct-hackerone.affirm-odin.com/\n  * Virtual card: https://vcn-hackerone.affirm-odin.com/\n\n## To use testing payments\nIf you don't have a valid testing payment, you can use the following test payments.\n### Testing credit card numbers\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n### Testing ACH\n| Routing Number           | Account Number              |\n|------------------|---------------------|\n| 112200439             | 12345678 |\n\nNote that `https://direct-hackerone.affirm-odin.com/` and `https://vcn-hackerone.affirm-odin.com/` are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and do not have any security attached to them. They are out of scope for bounties.\n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-12T00:49:40.230Z"},{"id":3641137,"new_policy":"Affirm looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Times\nAffirm will make a best effort to meet our response targets for hackers participating in our program. 
And we’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Do not perform testing on Affirm employee accounts and internal tools.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Program Scope\n* **Web application** at http://hackerone.affirm-odin.com/\n* **iOS application** at Crashlytics: com.affirm.internal.hackerone\n* **Android application** at Google Play Store: com.affirm.central.audit\n\n## Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Brute force exploits.\n* Clickjacking of any kind. 
It is improperly configured in our test site, but our main domain has an `X-Frame-Options` header set.\n* Missing security cookie attributes (`secure`, `httponly`, and `samesite`).\n* Unauthenticated/logout/login CSRF.\n* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Absence of rate limiting.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.\n* User enumeration of any kind (email ownership and timing attack).\n* Improper error handling unless proved in production environment.\n* (mobile) Lack of certificate pinning. The test apps are specifically built for the testing environment, therefore there's no certificate pinning.\n* Missing client-side check on virtual card loan amount (must be greater than $100 and less than $10000).\n* (mobile) Local access to user data when operating a rooted mobile device.\n* (mobile) Attacks that require physical access to or modification of the mobile device are not in scope.\n\n# Downloading Mobile Testing Apps\n\n## iOS\n_The Affirm testing iOS app built for HackerOne is distributed through Crashlytics._ \n1. Download the testing iOS application by going to **https://appdistribution.firebase.dev/i/07fb2924d6938db2**. \n2. Use your iOS device to visit that link and initiate the download process. 
Please note, the testing app is distributed through Firebase, and you have to install Firebase and Affirm profiles on your testing iOS device.\n\n## Android\n_The Affirm Android testing app built for HackerOne is distributed through Google Play Store._ \n\n1. Download the testing Android application by joining the **affirmhackerone(https://groups.google.com/forum/#!forum/affirmhackerone)** Google Group. \n2. This Group is open to the public and once you join you can go to **https://play.google.com/apps/testing/com.affirm.central.audit** to initiate the downloading process. (The app is only available in the US region in Google Play. If the account you are using is not in the US region, we recommend that you register a new account for this testing, since Google only allows switching the region of the account once per year.)\n\n\n# Test User Creation and Usage\n\n## To register a test user\n* Go to https://hackerone.affirm-odin.com/ or the mobile application, under “Sign Up”, enter the following information\n* First Name (any value, letters only) \n* Last Name (any value, letters only)\n* Email address (any value, email format required) \n* Phone number (any value, but please REMEMBER it for login)\n* Date of birth (older than 18 please) \n* Last 4-digits of SSN (any value between 9500 and 9850, and the last 3 digits of the number sets the FICO credit score of the testing account)\n* Click “Create Account” to finish\n\n## To use the user\n* Hit \"login\" in the web or mobile application.\n* Enter the phone number you registered (the test site will NOT send SMS, instead you use a hardcoded pin code shown below)\n* In the next step, use “1234” as the verification code, click “Verify”. 
\n\n## To use the testing checkout sites:\nYou can go to the following urls to simulate a checkout using the Affirm app.\n  * Direct point-of-sale: https://direct-hackerone.affirm-odin.com/\n  * Virtual card: https://vcn-hackerone.affirm-odin.com/\n\n## To use testing payments\nIf you don't have a valid testing payment, you can use the following test payments.\n### Testing credit card numbers\n| Issuer           | Number              |\n|------------------|---------------------|\n| Visa             | 4242 4242 4242 4242 |\n| Master Card      | 5555 5555 5555 4444 |\n| American Express | 3782 822463 10005   |\n### Testing ACH\n| Routing Number           | Account Number              |\n|------------------|---------------------|\n| 112200439             | 12345678 |\n\nNote that `https://direct-hackerone.affirm-odin.com/` and `https://vcn-hackerone.affirm-odin.com/` are example applications that demonstrate how our API works in the context of an integration. They are intentionally less secure and do not have any security attached to them. They are out of scope for bounties.\n\nThank you for helping keep Affirm and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-10T18:21:44.434Z"}]