Submit A Vulnerability Report


This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities directed at Recoup web and mobile properties and submitting discovered vulnerabilities to Recoup.


Maintaining the security of our networks is a high priority at the Recoup. Our information technologies provide critical services to Recoup members, financial institutions and contractors. Ultimately, our network security ensures that we can accomplish our missions to help consumers.

The security researcher community regularly makes valuable contributions to the security of organizations and the broader Internet, and Recoup recognizes that fostering a close relationship with the community will help improve our own security. So if you have information about a vulnerability in a Recoup website or mobile application, we want to hear from you!
Information submitted to Recoup under this policy will be used for defensive purposes – to mitigate or remediate vulnerabilities in our networks or applications, or the applications of our vendors.

This is Recoup’s initial effort to create a positive feedback loop between researchers and Recoup – please be patient as we refine and update the process.
Please review, understand, and agree to the following terms and conditions before conducting any testing of Recoup networks and before submitting a report. Thank you.


Any public-facing website owned, operated, or controlled by Recoup, including web mobile hosted on those sites.

How to Submit a Report

Using the form below, please provide a detailed summary of the vulnerability, including: type of issue; product, version, and configuration of software containing the bug; step-by-step instructions to reproduce the issue; proof-of-concept; impact of the issue; and suggested mitigation or remediation actions, as appropriate.

By clicking “Submit” you are indicating that you have read, understand, and agree to the guidelines described in this policy for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to Recoup information systems, and consent to having the contents of the communication and follow-up communications stored on Recoup’s information system.


  • Recoup will deal in good faith with researchers who discover, test, and submit vulnerabilities or indicators of vulnerabilities in accordance with these guidelines:
    Your activities are limited exclusively to –
    (1) Testing to detect a vulnerability or identify an indicator related to a vulnerability; or
    (2) Sharing with, or receiving from, Recoup information about a vulnerability or an indicator related to a vulnerability.
  • You do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
  • You avoid intentionally accessing the content of any communications, data, or information transiting or stored on Recoup information system(s) – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
  • You do not exfiltrate any data under any circumstances.
  • You do not intentionally compromise the privacy or safety of Recoup personnel (e.g. civilian employees or military members), or any third parties.
    You do not intentionally compromise the intellectual property or other commercial or financial interests of any Recoup personnel or entities, or any third parties.
  • You do not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving explicit written authorization from Recoup.
  • You do not conduct denial of service testing.
  • You do not conduct social engineering, including spear phishing, of Recoup personnel or contractors.
  • You do not submit a high-volume of low-quality reports.
    If at any point you are uncertain whether to continue testing, please engage with our team.

What You Can Expect From Us

  • We take every disclosure seriously and very much appreciate the efforts of security researchers. We will investigate every disclosure and strive to ensure that appropriate steps are taken to mitigate risk and remediate reported vulnerabilities.
  • Recoup remains committed to coordinating with the researcher as openly and quickly as possible. This includes:
    Within three business days, we will acknowledge receipt of your report. Recoup’s security team will investigate the report and may contact you for further information.
  • To the best of our ability, we will confirm the existence of the vulnerability to the researcher and keep the researcher informed, as appropriate, as remediation of the vulnerability is underway.
  • We want researchers to be recognized publicly for their contributions if that is the researcher’s desire. We will seek to allow researchers to be publicly recognized whenever possible. However, public disclosure of vulnerabilities will only be authorized at the express written consent of Recoup.

Information submitted to Recoup under this policy will be used for defensive purposes – to mitigate or remediate vulnerabilities in our networks or applications, or the applications of our vendors.

Claim your bank fee refund

Become a Recoup Member in less than 1 minute. We have your back. Guaranteed.

4.8 out of 5 stars, Recoup Member Survey

Apple App StoreApple App Store
★★★★★ 4.7 out of 5 average stars on Apple and Google Play App Stores

Refunds are not guaranteed, vary on a case-by-case basis, and are the final decision of your financial institution. Recoup makes no representation that we will file a refund claim for any or all fees. We make no representation that we will file claims during any regular interval. The type and frequency of claims filing is at our sole discretion based on our experience and expertise with any number of variables including, but not limited to, your bank, your fee history, and past successful refund history.

If your account does not qualify for a free claim, you may be offered the opportunity to file a claim for a fee, in addition to, commissions on successful refunds.

Security is essential to everything we do at Recoup. Separate access controls are enforced at each layer of infrastructure. Multi-factor authentication is required for access to our infrastructure. All applications and user access logs are stored centrally and monitored. Recoup’s infrastructure regularly undergoes both internal and external network penetration tests, and third-party code reviews. Our technology has also completed a SOC 2 report. Recoup’s platform allows client requests using strong TLS protocols and ciphers. Communication between infrastructure and financial institutions is transmitted over encrypted tunnels. All client communication with banks utilize cryptographically hashed headers and timestamps to verify authenticity.

Third party information provided for product features, communications, and communications emanating from social media communities, email, data and other information available through Riddlic, Inc dba Recoup are meant for informational purposes only and are not intended as an offer or solicitation for the purchase or sale of any financial instrument or cryptocurrency or as an official confirmation of any transaction.

The information provided is not warranted as to completeness or accuracy and is subject to change without notice. Any information about the Recoup platform, e-mails, or any other communications, are meant for informational purposes only and are not intended as an offer, solicitation, or advertisement for Recoup or any goods or services offered by Recoup or third parties. The Recoup website provides its users links to social media sites and email. The linked social media and email messages are pre-populated. However, these messages can be deleted or edited by users, who are under no obligation to send any pre-populated messages. Any comments or statements made herein do not reflect the views of Riddlic, Inc. or Recoup, or any of their subsidiaries or affiliates.

Refunds Final Decision of Your Financial Institution REFUNDS NOT GUARANTEED Refund Amounts Vary