
Western Union Launches Public Bug Bounty Program

Financial services and communications company Western Union has launched a public bug bounty program via the Bugcrowd platform. Researchers who identify serious security issues can earn up to $5,000 per bug.

Western Union had been running a private vulnerability disclosure program on Bugcrowd since early 2014. However, the company has now decided to make its program public to allow all of the 15,000 researchers who have signed up on the crowdsourced security testing platform to report flaws.

The new public bug bounty program covers all of Western Union’s main domains, including,,, and

However, the company has highlighted that these websites are variations of a single core Web application. This means that a vulnerability identified in one domain can likely be reproduced on other domains as well, but it will be eligible for a single reward.

For the time being, Western Union’s blog ( is not available for testing as it is being transitioned to new servers.

Experts who report eligible vulnerabilities can earn between $100 and $5,000 per bug. It’s worth noting that several types of security issues are not eligible for a bounty, including descriptive error messages, brute-force attacks on the login and password reset pages, clickjacking, self-XSS, cross-site request forgery (CSRF) on pages available to anonymous users, logout CSRF, and flaws related to SSL settings.

“[Bugcrowd’s] testers dig deep in their testing. Not only will they take a URL and test it for many days, but they have also found what other systems have not identified. No system can be proven to have zero vulnerabilities, so continuous testing at this level of depth is great,” said David Levin, Western Union’s director of information security.

Researchers who take part in Western Union’s bug bounty program must keep in mind that they need to obtain explicit permission before publicly disclosing the vulnerabilities they find.

“Traditionally, financial institutions have been slow to adopt the crowdsourced security model, but the online world has grown so quickly and the cyberattacks against consumers have been so aggressive, it’s clear the risk isn’t going away,” said Casey Ellis, CEO and co-founder of Bugcrowd. “We’re thrilled to support Western Union both in their efforts to scale and manage their bug bounty program, and as they continue to pioneer the way for financial institutions of all sizes.”

Western Union is not the only major brand to launch a vulnerability disclosure program this month. Adobe announced a program through HackerOne, but the company isn’t offering any monetary rewards. Instead, researchers who find flaws can boost their HackerOne reputation score.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
