Responsible disclosure program

Intuit is committed to ensuring the security of our services and customer information. As part of this commitment, we encourage security researchers to contact us to report any potential weaknesses identified in any product, system, or asset belonging to Intuit. This program isn’t intended to represent a public bug bounty program and we make no offers of reward or compensation for submitting potential issues. We appreciate your commitment to improving Intuit services.

Responsible disclosure guidelines

Security researchers will disclose potential weaknesses in compliance with the following guidelines:

Do

  • Share the security issue with us before making it public (e.g., on message boards, mailing lists, or other forums).
  • Wait until we provide you notification that the vulnerability has been resolved before you disclose it to third parties. We're focused on the security of our customers and our systems, and some vulnerabilities take longer than others to address.
  • Provide a clear, concise description of the steps needed to reproduce any vulnerability you submit.
  • Provide the complete details related to the security issue, including a proof-of-concept (POC) URL, as well as the details of the system(s) where tests have been conducted.

Don't

  • Don’t cause harm to Intuit, its customers, shareholders, partners or employees.
  • Don’t engage in any act that may cause an outage or stop any of Intuit’s services.
  • Don’t engage in illegal activities or any acts that violate any international laws or regulations, or federal or state laws or regulations.
  • Don’t store, share, compromise or destroy any Intuit data or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify Intuit.
  • Don’t conduct fraudulent activity or complete fraudulent financial transactions as part of your research.

Out-of-scope vulnerabilities

The following types of vulnerabilities are out of scope for this program:

  1. Phishing
  2. Social engineering
  3. Physical security assessments
  4. Any form of denial of service (DoS) attack

Submission guidelines

All potential weaknesses submitted must include enough information to reproduce and validate the issue. Documentation should include a detailed summary of the issue, targets, steps performed, screenshots, tools utilized, and any information that will help Intuit during triage.

If you follow these guidelines and responsibly disclose any security weaknesses directly to Intuit, we agree not to pursue legal action against you. Intuit reserves its legal rights in the event of noncompliance with program guidelines.

HackerOne Program

Intuit uses the HackerOne platform to manage the Responsible Disclosure Program. If you're a security researcher with a bug you'd like to report, visit https://hackerone.com/intuit_rdp. If you are unable to submit through HackerOne, or wish to remain anonymous, you can use the Responsible Disclosure Form. Submissions will be forwarded to HackerOne for triage. Be sure to review the policy and scope prior to submitting.

Please be aware this program is only intended for the submission of potential security vulnerabilities. We are unable to reply to submissions outside the scope of this program. If you have an issue with your Intuit account, product or service, or have other questions or concerns, please contact security@intuit.com.

Privacy and security notice

Intuit is committed to leveraging technology in a way that provides you transparency on how we collect, process, and share personal information. In accordance with the terms of the Intuit Privacy Statement, you understand and agree that, by providing us with an inquiry or a submission, we may collect certain information about you, your device, and your use of the Intuit Platform and sites.