Reporting a security issue

CardUp cares deeply about our services, platform and infrastructure security. We encourage researchers and individuals from the security community to report your findings to us, and we are committed to working with you. If you discover a vulnerability, kindly let us know so that we can take the necessary measures to address it as quickly as possible.

How to report a security issue

You can report a suspected security issue by emailing Please include the following details to help us better understand the nature and scope of the issue.

  1. Date & time when the issue was discovered
  2. The URL(s) of the affected system
  3. All relevant headers & parameters used to demonstrate the risk against the CardUp app
  4. Operating system and browser, with version number, used for all
  5. Type of issue
  6. Step-by-step instructions to reproduce the issue
  7. Proof-of-concept or exploit code
  8. Impact of the issue, including how this could be exploited
  9. Screenshots of the successful exploitation, if possible
  10. Your name, email and any other contact details
  11. Any other information that will help us triage the report more quickly.

What CardUp will do

CardUp will...

  1. provide an initial acknowledgment of your security report.
  2. follow up with additional questions to ensure we fully understand the report and its potential impact.
  3. notify you about the progress of our analysis and verification, and any required remediation steps along the way.
  4. use the Common Vulnerability Scoring System (CVSS) — an industry-standard calculator — to determine the severity of the bug.
  5. take additional steps internally to remediate once your reported issue has been validated. You will be notified of the subsequent course of action.
  6. provide you with cash rewards or other financial incentives for the detection and resolution of the validated vulnerability — subjected to the type of reported issue (including but not limited to the impact, ease of exploitation and quality of the report).


We thank you for your time & expertise in improving the security of our company and customers. 



Here are other secondary security issues that you may report to us as well:

  • Same-site scripting, self-XSS, or clickjacking
  • CSRF that has no clear, practical security impact (e.g. Logout CSRF)
  • Security best practice concerns (e.g. weak password policy)
  • SSL/TLS best practices (e.g. weak cipher suites)
  • Missing HTTP Headers (e.g. lack of HSTS)
  • Email security best practices (e.g. DKIM, SPF, DMARC)
  • Reconnaissance or fingerprinting information that has no practical use for exploitation
  • Attacks that require physical access to the target’s device/operating system
  • Social engineering attacks that require users to be convinced to be compromised
  • Vulnerabilities related to deprecated and/or unsupported versions of software
  • Third-party integrations that default to fail-open/fail-safe behaviors
  • Static/dynamic code analysis results without verification provided of an actual risk