Program Overview
Oportun runs a vulnerability disclosure program on HackerOne. The program has 44 in-scope assets and is managed by HackerOne's triage team.
In-Scope Assets
| Asset | Type | Max Severity | Bounty Eligibility |
|---|---|---|---|
| api.digit.co | URL | Critical | No Bounty |
| aplica.oportun.com | URL | Critical | No Bounty |
| apollo.oportun.com | URL | Critical | No Bounty |
| apply.oportun.com | URL | Critical | No Bounty |
| awsqa12.progressfinservices.com | URL | Critical | No Bounty |
| awsqa13.progressfinservices.com | URL | Critical | No Bounty |
| awsqa7.progressfinservices.com | URL | Critical | No Bounty |
| build.jenkins.progressfinservices.com | URL | Critical | No Bounty |
| callback.oportun.com | URL | Critical | No Bounty |
| collections.oportun.com | URL | Critical | No Bounty |
| corp-fileshare.oportun.com | URL | Critical | No Bounty |
| db-prod-redshift-cluster.oportun.com | URL | Critical | No Bounty |
| digit-gateway-prod1.oportun.com | URL | Critical | No Bounty |
| digit.co | URL | Critical | No Bounty |
| docusign-qa12.progressfinservices.com | URL | Critical | No Bounty |
| docusign-qa13.progressfinservices.com | URL | Critical | No Bounty |
| exchange-admin.oportun.com | URL | Critical | No Bounty |
| help.oportun.com | URL | Critical | No Bounty |
| http://account.oportun.com/ | URL | Critical | No Bounty |
| https://account.oportun.com/login | URL | Critical | No Bounty |
| https://account.oportun.com/services | URL | Critical | No Bounty |
| https://oportun.com | URL | High | No Bounty |
| investor.oportun.com | URL | Critical | No Bounty |
| kiosk.oportun.com | URL | Critical | No Bounty |
| loan.oportun.com | URL | Critical | No Bounty |
| loans.oportun.com | URL | Critical | No Bounty |
| locations.oportun.com | URL | Critical | No Bounty |
| mariadb-analytics-pa-db-1-a.oportun.com | URL | Critical | No Bounty |
| mariadb-data-db-1-a.oportun.com | URL | Critical | No Bounty |
| mariadb-data-db-2-a.oportun.com | URL | Critical | No Bounty |
| mysql-analytics-db-1-a.oportun.com | URL | Critical | No Bounty |
| offers.oportun.com | URL | Critical | No Bounty |
| office365.oportun.com | URL | Critical | No Bounty |
| online-origination-sec-2615.dev.pfops.com | URL | Critical | No Bounty |
| online-origination.1.app.stage | URL | Critical | No Bounty |
| online-origination.1.app.stage.pfops.com | URL | Critical | No Bounty |
| operations.oportun.com | URL | Critical | No Bounty |
| oportun.com | URL | Critical | No Bounty |
| postgres-prod-analytics-db-1-a.oportun.com | URL | Critical | No Bounty |
| press.oportun.com | URL | Critical | No Bounty |
| redshift-dev-cluster.oportun.com | URL | Critical | No Bounty |
| redshift-prod-cluster.oportun.com | URL | Critical | No Bounty |
| rewardredeem.oportun.com | URL | Critical | No Bounty |
| services.oportun.com | URL | Critical | No Bounty |
Out-of-Scope Assets
- admincloud.oportun.com
- betaesxi.oportun.com
- blog.oportun.com
- blogdev.oportun.com
- blue.oportun.com
- careers.oportun.com
- citrix.oportun.com
- cms2.oportun.com
- creditcard.oportun.com
- creditcards.oportun.com
- dev.oportun.com
- dev2.oportun.com
- develop.oportun.com
- devops.oportun.com
- devopsprod.oportun.com
- devpress.oportun.com
- dl.oportun.com
- email.oportun.com
- fileshare.oportun.com
- firstlook.oportun.com
Tips for Hacking Oportun
- Read the policy — Understand what's in scope, out of scope, and any specific testing restrictions before you start.
- Enumerate the attack surface — Use subdomain enumeration and directory bruteforcing to map all accessible endpoints.
- Focus on high-impact bugs — Look for SQL injection, SSRF, and IDOR vulnerabilities first.
- Test authentication flows — Check for OAuth misconfigurations and CSRF in login/signup flows.
- Write clear reports — Include steps to reproduce, impact assessment, and suggested remediation. Use Burp Suite to capture evidence.
Frequently Asked Questions
How do I start hacking Oportun?
Sign up on HackerOne, read the program policy carefully, review the in-scope assets listed above, and start testing. Always stay within scope and follow responsible disclosure guidelines.
Does Oportun pay bounties?
No, Oportun runs a Vulnerability Disclosure Program (VDP) without monetary rewards. You may receive recognition or swag.
What types of vulnerabilities does Oportun accept?
Oportun accepts reports for vulnerabilities found in its 44 in-scope assets. Commonly accepted vulnerability types include XSS, SQL injection, SSRF, IDOR, authentication bypass, and RCE. Check the program policy for specific exclusions.