Investing.com's Bug Bounty Program

At Investing.com, we are committed to maintaining the highest security standards across our services, infrastructure, and applications. Our Bug Bounty Program rewards security researchers who responsibly disclose vulnerabilities that could impact Investing.com and its users.Scope of the Program

The program includes:

• Investing.com website (all language subdomains included)
• Native iOS application
• Native Android application

Non-Production Environments (Beta, Staging, Demo, etc.)

• Vulnerabilities found in these environments are rewarded only if they affect the overall service or pose a risk of sensitive user data leakage.
• Findings that do not meet these criteria may be deemed ineligible for rewards.

Reward Structure

Rewards are determined based on severity, exploitation potential, and real-world impact. Below are the rough severity guidelines:

• Critical: Remote code execution, major authentication bypass, full account compromise, large-scale data leaks.
• High: SQL injection, privilege escalation, access to confidential data, persistent XSS on critical functionality.
• Medium: CSRF in critical actions, partial data exposure, escalated self-XSS affecting multiple users.
• Low: Minor security control flaws with limited impact, non-persistent self-XSS, security policy bypass without major data risk.

Additional Notes:

• Final reward amounts may vary based on factors such as exploit reliability, reproducibility, and actual or potential impact.
• The above categories serve as general guidance; actual rewards are determined case by case.

Eligibility and ExclusionsEligible Submissions

• The researcher must be the first to report the vulnerability.
• The vulnerability must be new, non-public, and within the defined scope.
• The finding must demonstrate a tangible security risk with a realistic path to exploitation.

Non-Eligible Submissions

Rewards will not be granted if:

• The vulnerability has already been reported.
• The issue relies on rooted/jailbroken devices or modified security controls.
• Exploitation requires full access to a user's software, account, email, or phone.
• The vulnerability exists in third-party services or outdated legacy protocols.
• The issue has no substantial security impact (e.g., missing HTTP headers, simple text errors, best-practice suggestions).
• The researcher publicly disclosed the issue before confirmation from Investing.com.
• Exploitation requires highly unrealistic user actions not typical of normal usage.

Submission Guidelines

To facilitate review and processing, all vulnerability reports must follow this mandatory template:

1. Report Title: A short, descriptive title (e.g., "SQL Injection in Article Comments").
2. Asset / Scope Confirmation: Clearly specify which asset is affected (e.g., "investing.com main site," "iOS mobile application," "staging environment").
3. Vulnerability Description:
   • Provide a detailed explanation of the security flaw.
   • Include references such as CVE or CWE if applicable.
   • Assign a severity level (Critical, High, Medium, Low) with a brief justification.
4. Steps to Reproduce / Proof-of-Concept (PoC):
   • Outline exact steps for exploitation.
   • Include screenshots, sample payloads, or short scripts demonstrating the issue.
   • Show how the vulnerability impacts user data or system integrity.
5. Impact Analysis:
   • Explain the real-world consequence of an attack.
   • Specify which data could be exposed or manipulated.
6. Proposed Remediation (Optional):
   • Suggest possible fixes or mitigations.
   • While not mandatory, solution-oriented feedback is appreciated.
7. Disclosure Confirmation:
   • Confirm that the vulnerability has not been publicly shared and will remain private until resolved.
8. Reporter Information:
   • Full name (or handle).
   • Additional contact details (GPG key, if applicable).

Submission Process

• Reports must be sent via Investing.com’s official customer support portal or designated email with the subject: “Bug Bounty Report – [Short Title]”.
• Incomplete reports or those lacking PoC may be returned for revision.

Rules of Engagement

• Do not perform any testing that could degrade or disrupt the service (e.g., DDoS, spam, brute-force attacks).
• Do not engage in social engineering or phishing against Investing.com employees or users.
• Do not attempt lateral movement within our infrastructure beyond the vulnerability discovered.
• Response times may vary depending on complexity and workload—please be patient.

Triage and Response Process

1. Submission Acknowledgment: An auto-response with a tracking ID is sent upon receiving the report.
2. Triage & Initial Assessment: Our security engineers validate the report, confirm its scope, and assess its severity.
3. Collaboration with Researcher: If necessary, we will request additional details or clarifications.
4. Remediation: The issue is escalated to our development team for patching and mitigation.
5. Reward Decision & Payment:
   • Once verified and resolved, the final bounty is determined based on severity and impact.
   • Payments are issued via PayPal to the researcher’s provided email 
     
     

Frequently Asked Questions (FAQ)

Q: What if the vulnerability has minimal or no real-world impact?
A: Please provide clear justification of potential harm. Low-impact or theoretical issues may not qualify for rewards and could be marked as “Informative” or “Not Applicable.”

Q: Can I disclose the bug after it's patched?
A: Only after Investing.com confirms the fix is deployed and provides written permission. Unauthorized public disclosure may disqualify your submission.

Q: How soon can I expect a response?
A: We aim to respond as quickly as possible, but timelines vary depending on report complexity and internal workload.

Thank you for helping us enhance our security!

Got more questions?
We hope you found the answers you were looking for. In case you are looking for further information, please use our Livechat .