Security is a Branch priority

We take security seriously at Branch. Learn more about our policies and find out how to report a vulnerability.

Report a Phishing Attempt

Phishing is defined as the fraudulent practice of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information. At Branch, we limit the data we collect and we do not rent or sell personal information. For additional information, please visit

If you believe that you are the recipient of a phishing attempt related to Branch systems, including an email or an URL, then please notify us using the “Submit a Report” button below.

Report a Vulnerability

Responsible Disclosure Guidelines

Branch is a rapidly growing and security-driven company. We believe in delivering the product with the least risk and threat associated with each public-facing Branch’s resources/services.

If you are interested in finding technical application and workflow issues that can be exploited, we appreciate your help. We recommend submitting such issues as soon as possible.

Our team will investigate the security reports and resolve the issue within a reasonable time frame. We offer a monetary bounty for legitimate security reports based on their severity, complexity, and impact via the BugCrowd platform as a token of appreciation.


  • It is must to append your contact email address or BugCrowd handle(username) to User-Agent header on each request. Configure your testing tool to custom User-Agent value before using it.
  • You’re allowed to send only/maximum of 5 requests per 30 seconds.
  • Adherence to Branch’s Disclosure Policy
  • Provide necessary assistance to Branch to replicate the issue and mitigate relevant security issues.
  • Automated tool’s vulnerability reports are not accepted as a valid submission
  • Intensive automated scans must not negatively impact the Branch’s any or all services availability.
  • Automated vulnerability scanning tools or scanned reports are prohibited.
  • In the case of duplicate reports, the first report would be considered a valid submission.
      • Do not attempt to view, modify, or damage data belonging to others.
      • Do not disclose the reported vulnerability to others until we’ve had reasonable time to address it.
      • Do not attempt to gain access to another user’s account or data.
      • Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Scope for the Branch’s Bug Bounty Program
Out of scope
Breach of our program’s terms

The expectation is to respect all the terms and conditions of the Branch’s Bug Bounty Program. Non-adherence or non-compliance will lead to disqualification. A serious breach may also lead to suspension of the account and existing access controls.

Branch Responsible Disclosure program powered by BugCrowd. Kudos per vulnerability