Responsible Disclosure Program

Responsible Disclosure

Capital One is committed to the security of our systems and our customers’ information. We appreciate submissions by security researchers identifying potential security gaps in any product, service, or asset belonging to Capital One.

If you believe you have identified a potential security vulnerability, please submit it pursuant to our Responsible Disclosure Program. Thank you in advance for your submission; we appreciate researchers assisting us in our security efforts. Please note that Capital One does not have a public bug bounty program.

Responsible Disclosure Program Guidelines

Capital One will not pursue legal action against researchers who disclose potential vulnerabilities to Capital One in accordance with the following guidelines:

  1. Researcher does not engage in any activity that can potentially or actually cause harm to Capital One customers and employees.
  2. Researcher does not engage in any activity that can potentially or actually stop or degrade Capital One services or assets.
  3. Researcher does not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
  4. Researcher does not store, share, compromise or destroy Capital One or customer data.
  5. Researcher does not initiate a fraudulent financial transaction.
  6. Researcher provides Capital One reasonable time to fix any reported issue before such information is shared with anybody other than Capital One or made public.
  7. When reporting a potential vulnerability, researcher provides a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery (screen captures welcome).

In return, Capital One commits to provide prompt acknowledgement of receipt of all reports (within two business days of submission) and to keep the researcher reasonably informed of the status of any validated vulnerability reported by the researcher through this program.

Out of Scope Vulnerabilities

Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program. Out-of-scope vulnerabilities include:

  • Physical testing
  • Social engineering (for example, attempts to steal cookies or fake login pages to collect credentials)
  • Phishing
  • Denial of service attacks
  • Resource exhaustion attacks

Please submit your reports to: responsibledisclosure@capitalone.com