October 28, 2021

A new chapter for Plaid’s bug bounty program

Mahesh Kukreja

October is Cybersecurity Awareness month and we’re excited to share some new updates to Plaid’s bug bounty program. We first launched our bug bounty program on HackerOne back in November 2016 and since then we’ve received hundreds of reports across our product portfolio, and paid out dozens of bounties from low to high severity. We’re excited to announce that we’ll be doubling the rewards for our bug bounty program starting today. 

Plaid is a financial services product that’s used and trusted by millions of consumers everywhere. That’s why security continues to be one of our  top priorities, to ensure Plaid is a safe and secure product for our customers and consumers everywhere. While we’re always improving and scaling our own security efforts, we strongly believe that a well-formed security strategy balances a combination of upfront security reviews, threat modeling, automated scanning, periodic penetration testing, and a bug bounty program.

We feel that every submission helps improve our security posture, and we work closely with researchers to ensure the impact of discovering a vulnerability is rewarded accordingly. So far, the highest reward in our program is a $2,500 payout for a critical vulnerability. We have paid out $22,500 in total bounties. Our current report acknowledgement average is 2 days.

In our new program, we’ve increased the bug bounty amounts.

NOTE: These amounts are indicative and we may reward lower amounts for vulnerabilities that require significant user interaction or that have no significant impact, as we determine at our discretion. We also might pay higher amounts for creative or severe vulnerabilities as we determine at our discretion.

In addition to updates we’re making to the bounties, we’ve also made minor changes to our SLAs, program rules, and program scope. Please see our program terms for all details. To make this easier for you, we’ve also released a guide which will help security researchers understand what we care about from a security and risk perspective.  

We look forward to expanding our partnership and engagement with the security researcher community.