[{"id":3698469,"new_policy":"Blend Labs looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nBlend Labs will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 5 days |\n| Time to Triage | 10 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Intended functionality does not qualify for reward. Prior to submitting a report, please refer to the later sections of this document titled \"Ineligible Vulnerabilities\", \"Security Findings vs. Intended Functionality\", and \"Security Findings v.s. Development Functionality\". 
\n\n# Test Plan\n### **Program Details**\n\nBlend's responsible disclosure and bug bounty program focuses on protecting the data of the lenders and borrowers who use our systems and maintaining its integrity. Our Blend platform makes it easy for borrowers to apply for loan products from any desktop, tablet, or mobile device, while enabling our lenders to work in parallel and follow up instantly with additional requests and information.\n\nSince the Blend platform must collect, manage, and protect sensitive user data, such as PII and imported bank account data, we strive to ensure that the platform is as secure as possible. As such, we value (and reward) the responsible disclosure of any vulnerabilities to us.\n\n_For the initial prioritization/rating of findings, this program will use the_ [_Hacker1 Vulnerability Rating Taxonomy_](https://docs.hackerone.com/hackers/severity.html)_. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal and make a case for a higher priority._\n\n### **Disclosure Policy**\n\n_Follow HackerOne's_ [_disclosure guidelines_](https://www.hackerone.com/disclosure-guidelines)_._\n\n### **Scope**\n\nIn-Scope Targets\n\nhttps://knox.beta.blendlabs.com\n\nOut of scope targets\n\nhttps://blend.com/\n\nAny \\*.blend.com or \\*.blendlabs.com subdomains.\n\nTesting is only authorized on the targets listed as In-Scope. Any domain/property of Blend not listed in the targets section is out of scope. This includes any/all subdomains not listed above. 
The same applies to vulnerabilities found in any 3rd party services Blend integrates with and does not own.\n\nIf you believe you've identified a vulnerability on a system outside the scope, please reach out to Hacker1's support team before submitting it.\n\n### **Background Information**\n\nThe Blend platform is composed of a ReactJS/Express.js front-end and Express.js microservices connected to various backend databases. The ReactJS/Express.js front-end contains both a lender view, which allows lenders to manage loans in the system, and a borrower view, which allows borrowers to complete a mortgage loan application. Lender accounts can only be created by an authorized Admin, but borrower accounts can either be created through self-registration or an invitation email.\n\n### **Focus Areas**\n\nAll of the following issues especially if originating from a borrower account (e.g. privilege escalation to a lender from a borrower account, another borrower's sensitive user data from a borrower account, etc.) are of particular interest to us.\n\n- Authentication bypass or elevation of privileges\n  - Vertical (e.g. obtain lender privilege from borrower account or admin privilege from lender account)\n  - Horizontal (e.g. obtain other borrower sessions from one borrower session or lender-lender)\n- Sensitive data exposure (e.g. 
unauthorized disclosure of loan information or other sensitive user data)\n- \"root\" access to the underlying server(s)\n- Multitenancy exploits\n  - Multiple tenants exist within the pentest environment\n  - Exposing data or access from one tenant to another\n\n### **Ineligible Vulnerabilities**\n\n- Social Engineering or Phishing attacks against Blend employees or Blend's customers\n- Brute-force DDoS or resource exhaustive attacks\n- Attacks making use of MITM techniques, DNS spoofing, or physical access to a Blend-owned asset\n- Best practice reports without valid exploits such as weak TLS cipher suites\n- Self-XSS\n- Outdated or vulnerable libraries without exploit proof of concept\n- Lender to Lender *IDOR* (Please read below for information regarding \"Security Findings vs. Intended Functionality\") \n\n### **Security Findings vs. Intended Functionality**\n\nThe relationship between a lender and a borrower is unique in that lenders are privy to a great deal of sensitive financial information relating to a borrower. Furthermore, lenders within a single organization may need access to the data of the borrowers under other lenders within the same organization. What might initially appear to be a security finding of inappropriate data disclosure may actually be intended functionality when it comes to a lender's access to borrower data.\n\n### **Security Findings v.s. Development Functionality**\n\nBlend beta environments contain several development tools to aid in creating test loans for specific cases. Findings that involve development-specific features will also not be considered valid. 
For example, if a vulnerability is disclosed that makes use of our \"Fast Forward\" or \"Dev tools\" functionality to create test loans, the finding will not be considered valid unless the exploit can be carried out without the use of the development tools.\n\n### **Access**\n\n- Create a borrower account by going to [the target](https://knox.beta.blendlabs.com/) and clicking Sign Up.\n- Create a lender account: Please fill out the form https://forms.gle/YnxBXKDu48hYg21RA and credentials will be created and sent to you promptly\n- The Blend platform allows you to connect to third-party bank accounts. Use these credentials to test the behavior.\n  - Bank account credentials (Please select Bank of America):\n    - user/pass: blend\\_test\n    - Two Factor Auth: 1234\n  - SSN:\n    - any 9-digit number.\n\n### **Scanning**\n\nScanning is not permitted since the Blend platform is hosted behind an AWS ELB (AWS policy).\n\n### **Extra Notes**\n\nThe \"Receives notifications about unassigned loans\" role option will generate a lot of emails towards any user with that role assigned. 
If you are interested in testing the functionality of this option, enable the option for a non-Admin role (preferably a newly created role) and assign a user/email address to that role.\n\n### **Safe Harbor:**\n\n**When conducting vulnerability research according to this policy, we consider this research to be:**\n\n- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;\n- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;\n- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and\n- Lawful, helpful to the overall security of the Internet, and conducted in good faith.\n- You are expected, as always, to comply with all applicable laws.\n\n_If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@hackerone.com before going any further._\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Blend Labs.\n\n| Critical (9.0 - 10.0) | High (7.0 - 8.9)  | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |\n| ------------- | ------------- | ------------- | ------------- |\n| $7,500 | $3,000 | $750 | $250 |\n\n[Instructions: When rewards section is completed, remove it from here and place it into product]\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Google Maps API Token Exposure\n* Rate Limiting on Password Reset\n* Hard Coded Password (Fast123!)\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Blend Labs and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-07-18T18:45:06.183Z"},{"id":3679736,"new_policy":"Blend Labs looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nBlend Labs will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 5 days |\n| Time to Triage | 10 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Intended functionality does not qualify for reward. Prior to submitting a report, please refer to the later sections of this document titled \"Ineligible Vulnerabilities\", \"Security Findings vs. Intended Functionality\", and \"Security Findings v.s. Development Functionality\". \n\n# Test Plan\n### **Program Details**\n\nBlend's responsible disclosure and bug bounty program focuses on protecting the data of the lenders and borrowers who use our systems and maintaining its integrity. Our Blend platform makes it easy for borrowers to apply for loan products from any desktop, tablet, or mobile device, while enabling our lenders to work in parallel and follow up instantly with additional requests and information.\n\nSince the Blend platform must collect, manage, and protect sensitive user data, such as PII and imported bank account data, we strive to ensure that the platform is as secure as possible. As such, we value (and reward) the responsible disclosure of any vulnerabilities to us.\n\n_For the initial prioritization/rating of findings, this program will use the_ [_Hacker1 Vulnerability Rating Taxonomy_](https://docs.hackerone.com/hackers/severity.html)_. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. 
In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal and make a case for a higher priority._\n\n### **Disclosure Policy**\n\n_Follow HackerOne's_ [_disclosure guidelines_](https://www.hackerone.com/disclosure-guidelines)_._\n\n### **Scope**\n\nIn-Scope Targets\n\nhttps://knox.beta.blendlabs.com\n\nOut of scope targets\n\nhttps://blend.com/\n\nAny \\*.blend.com or \\*.blendlabs.com subdomains.\n\nTesting is only authorized on the targets listed as In-Scope. Any domain/property of Blend not listed in the targets section is out of scope. This includes any/all subdomains not listed above. The same applies to vulnerabilities found in any 3rd party services Blend integrates with and does not own.\n\nIf you believe you've identified a vulnerability on a system outside the scope, please reach out to Hacker1's support team before submitting it.\n\n### **Background Information**\n\nThe Blend platform is composed of a ReactJS/Express.js front-end and Express.js microservices connected to various backend databases. The ReactJS/Express.js front-end contains both a lender view, which allows lenders to manage loans in the system, and a borrower view, which allows borrowers to complete a mortgage loan application. Lender accounts can only be created by an authorized Admin, but borrower accounts can either be created through self-registration or an invitation email.\n\n### **Focus Areas**\n\nAll of the following issues especially if originating from a borrower account (e.g. privilege escalation to a lender from a borrower account, another borrower's sensitive user data from a borrower account, etc.) are of particular interest to us.\n\n- Authentication bypass or elevation of privileges\n  - Vertical (e.g. obtain lender privilege from borrower account or admin privilege from lender account)\n  - Horizontal (e.g. 
obtain other borrower sessions from one borrower session or lender-lender)\n- Sensitive data exposure (e.g. unauthorized disclosure of loan information or other sensitive user data)\n- \"root\" access to the underlying server(s)\n- Multitenancy exploits\n  - Multiple tenants exist within the pentest environment\n  - Exposing data or access from one tenant to another\n\n### **Ineligible Vulnerabilities**\n\n- Social Engineering or Phishing attacks against Blend employees or Blend's customers\n- Brute-force DDoS or resource exhaustive attacks\n- Attacks making use of MITM techniques, DNS spoofing, or physical access to a Blend-owned asset\n- Best practice reports without valid exploits such as weak TLS cipher suites\n- Self-XSS\n- Outdated or vulnerable libraries without exploit proof of concept\n- Lender to Lender *IDOR* (Please read below for information regarding \"Security Findings vs. Intended Functionality\") \n\n### **Security Findings vs. Intended Functionality**\n\nThe relationship between a lender and a borrower is unique in that lenders are privy to a great deal of sensitive financial information relating to a borrower. Furthermore, lenders within a single organization may need access to the data of the borrowers under other lenders within the same organization. What might initially appear to be a security finding of inappropriate data disclosure may actually be intended functionality when it comes to a lender's access to borrower data.\n\n### **Security Findings v.s. Development Functionality**\n\nBlend beta environments contain several development tools to aid in creating test loans for specific cases. Findings that involve development-specific features will also not be considered valid. 
For example, if a vulnerability is disclosed that makes use of our \"Fast Forward\" or \"Dev tools\" functionality to create test loans, the finding will not be considered valid unless the exploit can be carried out without the use of the development tools.\n\n### **Access**\n\n- Create a borrower account by going to [the target](https://knox.beta.blendlabs.com/) and clicking Sign Up.\n- Create a lender account: Please fill out the form https://forms.gle/YnxBXKDu48hYg21RA and credentials will be created and sent to you promptly\n- The Blend platform allows you to connect to third-party bank accounts. Use these credentials to test the behavior.\n  - Bank account credentials (Please select Bank of America):\n    - user/pass: blend\\_test\n    - Two Factor Auth: 1234\n  - SSN:\n    - any 9-digit number.\n\n### **Scanning**\n\nScanning is not permitted since the Blend platform is hosted behind an AWS ELB (AWS policy).\n\n### **Extra Notes**\n\nThe \"Receives notifications about unassigned loans\" role option will generate a lot of emails towards any user with that role assigned. 
If you are interested in testing the functionality of this option, enable the option for a non-Admin role (preferably a newly created role) and assign a user/email address to that role.\n\n### **Safe Harbor:**\n\n**When conducting vulnerability research according to this policy, we consider this research to be:**\n\n- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;\n- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;\n- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and\n- Lawful, helpful to the overall security of the Internet, and conducted in good faith.\n- You are expected, as always, to comply with all applicable laws.\n\n_If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@hackerone.com before going any further._\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Blend Labs.\n\n| Critical (9.0 - 10.0) | High (7.0 - 8.9)  | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |\n| ------------- | ------------- | ------------- | ------------- |\n| $5,000 | $2,000 | $750 | $250 |\n\n[Instructions: When rewards section is completed, remove it from here and place it into product]\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Google Maps API Token Exposure\n* Rate Limiting on Password Reset\n* Hard Coded Password (Fast123!)\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Blend Labs and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-11-09T15:32:37.949Z"},{"id":3677270,"new_policy":"Blend Labs looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nBlend Labs will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 5 days |\n| Time to Triage | 10 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Intended functionality does not qualify for reward. Prior to submitting a report, please refer to the later sections of this document titled \"Ineligible Vulnerabilities\", \"Security Findings vs. Intended Functionality\", and \"Security Findings v.s. Development Functionality\". \n\n# Test Plan\n### **Program Details**\n\nBlend's responsible disclosure and bug bounty program focuses on protecting the data of the lenders and borrowers who use our systems and maintaining its integrity. Our Blend platform makes it easy for borrowers to apply for loan products from any desktop, tablet, or mobile device, while enabling our lenders to work in parallel and follow up instantly with additional requests and information.\n\nSince the Blend platform must collect, manage, and protect sensitive user data, such as PII and imported bank account data, we strive to ensure that the platform is as secure as possible. As such, we value (and reward) the responsible disclosure of any vulnerabilities to us.\n\n_For the initial prioritization/rating of findings, this program will use the_ [_Hacker1 Vulnerability Rating Taxonomy_](https://docs.hackerone.com/hackers/severity.html)_. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. 
In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal and make a case for a higher priority._\n\n### **Disclosure Policy**\n\n_Follow HackerOne's_ [_disclosure guidelines_](https://www.hackerone.com/disclosure-guidelines)_._\n\n### **Scope**\n\nIn-Scope Targets\n\nhttps://knox.beta.blendlabs.com\n\nOut of scope targets\n\nhttps://blend.com/\n\nAny \\*.blend.com or \\*.blendlabs.com subdomains.\n\nTesting is only authorized on the targets listed as In-Scope. Any domain/property of Blend not listed in the targets section is out of scope. This includes any/all subdomains not listed above. The same applies to vulnerabilities found in any 3rd party services Blend integrates with and does not own.\n\nIf you believe you've identified a vulnerability on a system outside the scope, please reach out to Hacker1's support team before submitting it.\n\n### **Background Information**\n\nThe Blend platform is composed of a ReactJS/Express.js front-end and Express.js microservices connected to various backend databases. The ReactJS/Express.js front-end contains both a lender view, which allows lenders to manage loans in the system, and a borrower view, which allows borrowers to complete a mortgage loan application. Lender accounts can only be created by an authorized Admin, but borrower accounts can either be created through self-registration or an invitation email.\n\n### **Focus Areas**\n\nAll of the following issues especially if originating from a borrower account (e.g. privilege escalation to a lender from a borrower account, another borrower's sensitive user data from a borrower account, etc.) are of particular interest to us.\n\n- Authentication bypass or elevation of privileges\n  - Vertical (e.g. obtain lender privilege from borrower account or admin privilege from lender account)\n  - Horizontal (e.g. 
obtain other borrower sessions from one borrower session or lender-lender)\n- Sensitive data exposure (e.g. unauthorized disclosure of loan information or other sensitive user data)\n- \"root\" access to the underlying server(s)\n- Multitenancy exploits\n  - Multiple tenants exist within the pentest environment\n  - Exposing data or access from one tenant to another\n\n### **Ineligible Vulnerabilities**\n\n- Social Engineering or Phishing attacks against Blend employees or Blend's customers\n- Brute-force DDoS or resource exhaustive attacks\n- Attacks making use of MITM techniques, DNS spoofing, or physical access to a Blend-owned asset\n- Best practice reports without valid exploits such as weak TLS cipher suites\n- Self-XSS\n- Outdated or vulnerable libraries without exploit proof of concept\n- Lender to Lender *IDOR* (Please read below for information regarding \"Security Findings vs. Intended Functionality\") \n\n### **Security Findings vs. Intended Functionality**\n\nThe relationship between a lender and a borrower is unique in that lenders are privy to a great deal of sensitive financial information relating to a borrower. Furthermore, lenders within a single organization may need access to the data of the borrowers under other lenders within the same organization. What might initially appear to be a security finding of inappropriate data disclosure may actually be intended functionality when it comes to a lender's access to borrower data.\n\n### **Security Findings v.s. Development Functionality**\n\nBlend beta environments contain several development tools to aid in creating test loans for specific cases. Findings that involve development-specific features will also not be considered valid. 
For example, if a vulnerability is disclosed that makes use of our \"Fast Forward\" or \"Dev tools\" functionality to create test loans, the finding will not be considered valid unless the exploit can be carried out without the use of the development tools.\n\n### **Access**\n\n- Create a borrower account by going to [the target](https://knox.beta.blendlabs.com/) and clicking Sign Up.\n- Create a lender account: Please fill out the form https://forms.gle/bhA1FSeuAxCTdmbM7 and credentials will be created and sent to you promptly\n- The Blend platform allows you to connect to third-party bank accounts. Use these credentials to test the behavior.\n  - Bank account credentials (Please select Bank of America):\n    - user/pass: blend\\_test\n    - Two Factor Auth: 1234\n  - SSN:\n    - any 9-digit number.\n\n### **Scanning**\n\nScanning is not permitted since the Blend platform is hosted behind an AWS ELB (AWS policy).\n\n### **Extra Notes**\n\nThe \"Receives notifications about unassigned loans\" role option will generate a lot of emails towards any user with that role assigned. 
If you are interested in testing the functionality of this option, enable the option for a non-Admin role (preferably a newly created role) and assign a user/email address to that role.\n\n### **Safe Harbor:**\n\n**When conducting vulnerability research according to this policy, we consider this research to be:**\n\n- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;\n- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;\n- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and\n- Lawful, helpful to the overall security of the Internet, and conducted in good faith.\n- You are expected, as always, to comply with all applicable laws.\n\n_If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@hackerone.com before going any further._\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Blend Labs.\n\n| Critical (9.0 - 10.0) | High (7.0 - 8.9)  | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |\n| ------------- | ------------- | ------------- | ------------- |\n| $5,000 | $2,000 | $750 | $250 |\n\n[Instructions: When rewards section is completed, remove it from here and place it into product]\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Google Maps API Token Exposure\n* Rate Limiting on Password Reset\n* Hard Coded Password (Fast123!)\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Blend Labs and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-13T15:14:29.756Z"}]