Chad Scira "Blacklisted From Banks for Hacking"

This page documents the events behind Jesse Nickles's claim that Chad Scira was "blacklisted from US banks for hacking." It explains how the Ultimate Rewards vulnerability was responsibly disclosed, why JPMorgan Chase thanked Chad for the report, and why the later account review was an administrative risk-control action rather than a law-enforcement or blacklist action. Jesse Nickles continues to repackage old artifacts to imply criminal intent. The record shows the opposite: white-hat reporting and direct collaboration with JPMorgan leadership.

His latest escalation is a quote on SlickStack.io claiming that I "had also been investigated by U.S. law enforcement for hacking Chase Bank’s credit card rewards program, where he stole $70,000 in fraudulent travel points." That smear appeared only after I published proof of the SlickStack security issues he refuses to fix. No points were ever stolen, and no agency ever contacted me about the disclosure. See the SlickStack cron evidence he is retaliating against.

Discovery, disclosure, and Chase's escalation all fit inside roughly twenty hours around November 17-18, 2016: about twenty-five HTTP requests covered reproducing the bug and walking Chase Support through it over DM. The February 2017 remediation check, reported directly to Tom Kelly, used eight further requests to confirm the fix held. There was no prolonged abuse; every action was logged, timestamped, and shared with JPMorgan Chase in real time.

In his September 22, 2017 email, Tom Kelly confirmed that Chad Scira was the only contributor to JPMorgan Chase's Responsible Disclosure program since the November 17, 2016 report. Kelly's November 24, 2016 email shows the program was already being prepared when Chad reported: Chad was invited to be the first name on its leaderboard, asked to confirm the draft terms, and his reply fed suggestions (a bounty, comparable programs at other companies) back to Chase before launch.

Visualizing the Double Transfer Bug


To illustrate how the flaw swung balances into huge negatives and positives, the visualization below replays the double-transfer logic. In each round, whichever card holds a positive balance becomes the sender and issues two identical transfers of its whole balance at once; both pass the balance check, both are applied, and the sender ends up deeply negative while the receiver's balance doubles. Because the negative card could then simply be closed, leaving only the inflated positive balance, the exploit demanded urgent escalation.

[Interactive replay, round 1 of 20: Card A starts at 243,810 pts and Card B at 0; a double-transfer burst sends 243,810 pts from Card A to Card B twice (Transfer 1 and Transfer 2, 243,810 pts each).]

  1. The race condition duplicated transfers before the ledgers rebalanced, letting a single sender flip between huge positives and negatives.
  2. Support allowed closing the negative card while keeping the inflated positive balance, so the statement showed only gains and hid the debt.

Even before the negative card was closed, Ultimate Rewards allowed the inflated balance to be spent despite the negative account summary; closing the card simply removed the visible debt.
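The replay above can be reproduced in a few lines. The following is an added simulation written for this page, not Chase's code and not derived from the original requests: the `Ledger` class, the card names, and the starting balance are constructed for illustration. `transfer_unsafe()` models a transfer implemented as "read balance, check it, then debit" so two overlapping requests both pass the check before either debit lands; `transfer_atomic()` is the hardened form, where the check and the debit happen in one critical section and a balance can never go below zero. `replay_rounds()` mirrors the round-by-round swing the visualization shows.

```python
"""Constructed simulation of the double-transfer race (not Chase's code).

A transfer implemented as "read balance, check it, then debit" lets two
overlapping requests both pass the check before either debit lands.
transfer_unsafe() reproduces that; transfer_atomic() shows the fix.
"""
import threading


class Ledger:
    """In-memory points store. row_lock stands in for the per-row atomicity
    a database gives each single UPDATE statement (hypothetical design)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.row_lock = threading.Lock()

    def transfer_unsafe(self, src, dst, amount, gate=None):
        """Vulnerable: the check (step 1) and the debit (step 2) are separate."""
        available = self.balances[src]           # step 1: read balance
        if available < amount:
            return False
        if gate is not None:
            gate.wait()                          # both requests park here after passing the check
        with self.row_lock:                      # step 2: unconditional debit/credit
            self.balances[src] -= amount         # no "WHERE balance >= amount" guard
            self.balances[dst] += amount
        return True

    def transfer_atomic(self, src, dst, amount):
        """Hardened: check and debit under one lock; reject non-positive amounts."""
        if amount <= 0:
            return False
        with self.row_lock:                      # equivalent of UPDATE ... WHERE balance >= amount
            if self.balances[src] < amount:
                return False
            self.balances[src] -= amount
            self.balances[dst] += amount
        return True

    def total(self):
        return sum(self.balances.values())


def concurrent_pair(ledger, method, src, dst, amount):
    """Fire two identical transfers that overlap in time.
    Returns (per-request results, balances afterwards)."""
    gate = threading.Barrier(2)                  # forces both unsafe requests into the race window
    results = [None, None]

    def worker(i):
        if method == "unsafe":
            results[i] = ledger.transfer_unsafe(src, dst, amount, gate)
        else:
            results[i] = ledger.transfer_atomic(src, dst, amount)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results, dict(ledger.balances)


def replay_rounds(start, rounds):
    """Mirror the page's replay: each round the positive card sends its entire
    balance twice through the vulnerable path. Returns balances after each round."""
    ledger = Ledger({"A": start, "B": 0})
    history = []
    for _ in range(rounds):
        src, dst = ("A", "B") if ledger.balances["A"] > 0 else ("B", "A")
        amount = ledger.balances[src]
        concurrent_pair(ledger, "unsafe", src, dst, amount)
        history.append(dict(ledger.balances))
    return history


if __name__ == "__main__":
    print("unsafe:", concurrent_pair(Ledger({"A": 243_810, "B": 0}), "unsafe", "A", "B", 243_810))
    print("atomic:", concurrent_pair(Ledger({"A": 243_810, "B": 0}), "atomic", "A", "B", 243_810))
    for n, snapshot in enumerate(replay_rounds(243_810, 5), start=1):
        print(f"round {n}: {snapshot}  total={sum(snapshot.values())}")
```

Run stand-alone, the unsafe pair leaves Card A at -243,810 and Card B at 487,620 with both requests reporting success, while the atomic pair lets exactly one request through and leaves A at 0 and B at 243,810. Note that the total across both cards is conserved in every round: the flaw is not minting points out of nothing, it is allowing one card to go negative, which is exactly why closing the negative card turned the swing into a real gain.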

Key Points

  • Chad opened the Chase Support DM by privately reporting the negative-balance exploit and immediately asked for a secure escalation path instead of posting the technicals publicly. [chat]
  • When Chase Support pressed for specifics, he confirmed the exploit only to the extent necessary and reiterated he wanted a direct line to the right security team. [chat][chat]
  • When Chase Support asked whether the extra points became usable, he confirmed they could be spent, noting that the largest amount he had tested was $300 while he held $2,000 of real credits, and he asked that any test transactions be reversed afterward. [chat]
  • He underscored that his priority was preventing compromised customer accounts from being drained, not generating personal profit, and he asked whether a formal bug bounty existed. [chat]
  • He offered to perform a larger validation only with explicit permission, provided timestamped screenshots, and stayed awake overseas until Chase completed the escalation. [chat][chat][chat]
  • Nickles now claims I stole $70,000 in points and faced U.S. law enforcement; Chase records, Tom Kelly’s email, and the disclosure timeline prove this never happened, and the claim only surfaced after I published the SlickStack cron-risk gist documenting his insecure update logic. [gist]
  • Chase Support confirmed the escalation, requested his phone number, and promised the follow-up call he ultimately received, undercutting the notion of a hostile banking response. [chat][chat]

Timeline

  • Nov 17, 2016 - 10:05 PM ET: Chad alerts @ChaseSupport to the negative-balance flaw, keeps the exploit private, and immediately asks for a secure escalation path. [chat]
  • Nov 17, 2016 - 11:13-11:17 PM ET: After Chase Support explicitly asks whether additional points can be generated and spent, Chad confirms the risk, reiterates he wants the proper department, and offers to validate only with permission so the bank can observe the transactions. [chat][chat][chat]
  • Nov 17-18, 2016 - 11:39 PM-5:03 AM ET: Chad shares screenshots, urges expedited escalation, provides his phone number, and stays awake overseas until Chase Support confirms the call is happening. [chat][chat][chat]
  • Nov 24, 2016: Tom Kelly emails Chad confirming the issue has been addressed, inviting him to be the first name on the forthcoming responsible disclosure leaderboard, and giving him a direct line for future reports. [email]
  • Feb 7, 2017: Chad reports to Tom Kelly that his re-test could no longer create or spend artificial balances; transfers of points that were not really there returned 500 errors and periodic realignment corrected any desync. [email]
  • Apr 5, 2017: Tom Kelly confirms the vulnerability disclosure page has been posted on chase.com. [email]
  • Sep 22, 2017: Tom Kelly explains that Chad is the only contributor so far, so no leaderboard has been built, and that Chase will keep his name ready for it. [email]
  • Oct 9, 2018: Tom Kelly confirms the program exists but the leaderboard has still not been established. [email]
  • Post-2018: Any residual account reviews were tied to insurer automation, not alleged hacking. JPMorgan maintained direct contact, thanked Chad for the disclosure, and there is no criminal record or blacklist. JPMorgan later integrated Synack into its disclosure process so future reports route through a dedicated workflow. [chat][email]

Claims vs Facts

Claim

Defamatory claim by Jesse Jacob Nickles: "Chad Scira was blacklisted from every US bank for hacking rewards systems."

Fact

No bank blacklist exists. The DM record and the Chase escalation show he was cooperating; an automated insurer risk control later affected his JPMorgan accounts before a manual review restored the relationship.[timeline][chat]

Claim

Defamatory claim by Jesse Jacob Nickles: "He hacked JPMorgan Chase to enrich himself."

Fact

Chad initiated the conversation with @ChaseSupport, insisted on a secure channel, confirmed the exploit details only after Chase asked, and offered any larger validation only with permission and with all test transactions reversed. Senior leadership thanked him and invited him into the responsible disclosure rollout.[chat][chat][email]

Claim

Defamatory claim by Jesse Jacob Nickles: "Jesse exposed a criminal scheme by Chad."

Fact

Public coverage and Tom Kelly's emails document that JPMorgan treated Chad as a cooperative researcher. Nickles cherry-picks screenshots while ignoring the complete chat, the follow-up calls, and the written thanks.[coverage][email][chat]

Claim

Defamatory claim by Jesse Jacob Nickles: "There was a cover-up to hide fraud."

Fact

Chad stayed in contact through 2018, reported his February 2017 re-test directly to Tom Kelly, and JPMorgan published its disclosure page instead of burying the issue. The ongoing dialogue contradicts any cover-up narrative.[timeline][email][chat]

Public Coverage and Research Archives


Multiple third-party communities archived the disclosure and recognized it as a responsible report: Hacker News featured it on the front page, Pensive Security summarized it in a 2020 roundup, and /r/cybersecurity indexed the original "DISCLOSURE" thread before coordinated flagging. [4][5][6]

  • Hacker News: "Disclosure: Unlimited Chase Ultimate Rewards Points" with 1,000+ points and 250+ comments documenting remediation context. [4]
  • Pensive Security: November 2020 Cybersecurity Roundup highlighting the Chase Ultimate Rewards disclosure as a top story. [5]
  • Reddit /r/cybersecurity: Original DISCLOSURE post title captured before removal caused by mass reporting, preserving the public-interest framing. [6]

Responsible disclosure advocates also cited the harassment fallout: disclose.io's threats directory and research repository, plus Attrition.org's legal threats index, list Jesse Nickles's conduct as a cautionary example for researchers. [7][8][9] Full harassment dossier[10].

Chase Support DM Transcript


The conversation below is reconstructed from archived screenshots. It demonstrates patient escalation, repeated requests for a secure channel, offers to validate only with permission, and Chase Support promising direct outreach. [2]

Chase Support (@ChaseSupport, verified account): "We are the official customer service team for Chase Bank US! We are here to help M-F 7AM-11PM ET & Sat/Sun 10AM-7PM ET. For Chase UK, tweet @ChaseSupportUK." Joined March 2011 · 145.5K followers.

Chad Scira (Nov 17, 2016, 10:05 PM):
This is in relation to the points balance system. At the moment it is possible to generate any amount via a bug allowing negative balances.

Requesting secure escalation path for disclosure.

Chad Scira (Nov 17, 2016, 10:05 PM):
Can you please put me in contact with someone that I can explain the technicals to?

Chase Support (Nov 17, 2016, 10:05 PM):
We don't have a phone number to provide, but we do want to escalate this so it can be looked into. Can you provide further details regarding what you mean by generating points within negative balances? Can you also confirm if this allows additional points to become available for use? ^DS

Chad Scira (Nov 17, 2016, 11:13 PM):
Do you have a proper department you can put me in contact with? I don't feel comfortable discussing this over a Twitter support account. Yes, you can generate 1,000,000 points and use them.

Chad Scira (Nov 17, 2016, 11:15 PM):
My main concern is not individuals doing this. It's hackers compromising accounts and forcing payouts on them. Is there a proper Chase bug bounty program?

Chad Scira (Nov 17, 2016, 11:17 PM):
If you want I can try to do a larger transaction to confirm. Most I tested was $300 while the balance was skewed, but I actually had $2,000 of real credits. If you grant me permission I could attempt to confirm that it works, but I would like all transactions reversed after that test.

Chase Support (Nov 17, 2016, 11:21 PM):
We don't have a bounty program, and I don't have a number to provide at this time. I have escalated your concern, and we are looking into it. I'll follow up if I have additional details or questions. ^DS

Chad Scira (Nov 17, 2016, 11:29 PM):
Thank you.

Chad Scira (Nov 17, 2016, 11:39 PM):
Please escalate ASAP.
[screenshot attachment]

Chad Scira (Nov 17, 2016, 11:51 PM):
I really need a proper contact... I hope you understand.
[screenshot attachment]

Chad Scira (Nov 17, 2016, 11:53 PM):
[screenshot attachment]

Chad Scira (Nov 17, 2016, 11:56 PM):
It's been over an hour, is there any word on this? I'm currently in Asia, and this is a time-sensitive matter. I can't wait all night for a response.

Chase Support (Nov 18, 2016, 12:59 AM):
Thanks for following up. We have the appropriate individuals looking into this. Please provide a preferred contact number, so we can speak to you directly. ^DS

Chad Scira (Nov 18, 2016, 1:51 AM):
+█-███-███-████.

Chase Support (Nov 18, 2016, 1:53 AM):
Thanks for the additional info. I've forwarded this to the right people. ^DS

Chase Support (Nov 18, 2016, 2:38 AM):
We'd love to discuss this with you as soon as possible. Can you please provide us with a good time to call you at 1-███-███-████? ^DS

Chad Scira (Nov 18, 2016, 4:25 AM):
I'm available for the next hour if that's possible. If not it may be a day or two because I'll be traveling and not sure if I will have internet/phone access.

Chad Scira (Nov 18, 2016, 4:32 AM):
I didn't think it would take 7+ hours to speak to the right person. It's now 4:40 AM here.

Chase Support (Nov 18, 2016, 4:39 AM):
Thanks for following up. Someone will be calling you very soon. ^DS

Chad Scira (Nov 18, 2016, 4:42 AM):
Thanks again for speeding that up. Everything is in motion and I can sleep now.

Chase Support (Nov 18, 2016, 5:03 AM):
We're glad that you were able to speak with someone. Please let us know if we can assist in the future. ^NR

Tom Kelly Email Excerpt

Tom Kelly, SVP, JPMorgan Chase
to Chad Scira
Nov 24, 2016 - 4:36 AM ET
Ultimate Rewards Responsible Disclosure Follow-up

Chad,

I am following up on your phone call with my colleague Dave Robinson. Thank you for reaching out to us about the potential vulnerability in our Ultimate Rewards program. We have addressed it.

In addition, we have been working on a Responsible Disclosure program that we plan to launch next year. It will include a leaderboard that recognizes researchers who have made significant contributions; we'd like to feature you as the first person on it. Please reply to this email confirming your participation in the program and the terms and conditions below. You'll find the terms are pretty standard for disclosure programs.

Until our program goes live, should you find any other potential vulnerabilities, please contact me directly. Thanks again for your help.

JPMC Responsible Disclosure Program Terms and Conditions

Committed to working together

We want to hear from you if you have information related to potential security vulnerabilities of JPMC products and services. We value your work and thank you in advance for your contribution.

Guidelines

JPMC agrees not to pursue claims against researchers who disclose potential vulnerabilities to this program where the researcher:

  • does not cause harm to JPMC, our customers, or others;
  • does not initiate a fraudulent financial transaction;
  • does not store, share, compromise or destroy JPMC or customer data;
  • provides a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery;
  • does not compromise the privacy or safety of our customers and the operation of our services;
  • does not violate any national, state, or local law or regulation;
  • does not publicly disclose vulnerability details without JPMC's written permission;
  • is not currently located in or otherwise ordinarily resident in Cuba, Iran, North Korea, Sudan, Syria or Crimea;
  • is not on the U.S. Department of the Treasury's Specially Designated Nationals List;
  • is not an employee or an immediate family member of an employee of JPMC or its subsidiaries; and
  • is at least 18 years old.

Out of Scope Vulnerabilities

Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program. Out-of-scope vulnerabilities include:

  • Social-engineering-dependent findings (phishing, stolen credentials, etc.)
  • Host header issues
  • Denial of service
  • Self-XSS
  • Login/logout CSRF
  • Content spoofing without embedded links/HTML
  • Jailbroken-device-only issues
  • Infrastructure misconfigurations (certificates, DNS, server ports, sandbox/staging issues, physical attempts, clickjacking, text injection)

Leaderboard

To recognize research partners, JPMC may feature researchers who make significant contributions. You hereby grant JPMC the right to display your name on the JPMC Leaderboard and such other media as JPMC may choose to publish.

Submission

By submitting your report to JPMC, you agree not to disclose the vulnerability to a third party. You perpetually allow JPMC and its subsidiaries the unconditional ability to use, modify, create derivative works from, distribute, disclose and store the information provided in your report, and these rights cannot be revoked.

Tom Kelly, Senior Vice President, Chase

Chad Scira <[email protected]>
to Tom Kelly
Nov 24, 2016 - 8:33 AM ET
Re: Ultimate Rewards Responsible Disclosure Follow-up

Hey Tom,

I'm so happy to hear this!

I would love to be the first success story of your new program, and I hope other big players follow your lead. Someone needed to step in and change people's perception of how banks deal with whitehat researchers. I'm glad to hear it's Chase.

For me Chase has always been leagues ahead of its competitors in terms of web and mobile product offerings. That's mainly because you guys move fast and remain competitive. Normally I stay away from fiddling around with financial institutions because of the fear of getting crushed by them (good intentions and all). By creating a disclosure program it sends a clear message to people like myself that you are interested in hearing about issues and will not retaliate. Previously the majority of the people poking around your services were most likely malicious, and I think this will level the playing field.

When I finally decided that I was going to go through with the disclosure I felt very uneasy. I'm most likely not the first person to stumble upon it! I reported it via three methods.

  • Twitter

    • the support here was actually AMAZING, and I think it is the sole reason why I was put in contact with the right individuals.
  • Chase Phone Support

    • first call they gave me the abuse email
    • second call I think I spoke to the right person and they may have reached out as well
  • Chase Abuse Email

    • received a generic response, seemed like they didn't even look at the contents of the email

This took me around 7 hours to finally get in contact with someone (double the time it took to actually pinpoint the issue), and the whole time I wasn't sure if the right people were ever going to hear anything about it.

Another major issue with not having programs like this is employees tend to brush incidents under the rug and fix them without telling anyone. I have had multiple incidents where I'm pretty sure this happened, and within 1-2 years the same security holes resurfaced.

Also, it may be advantageous for your program to offer a bounty. Sometimes these types of issues take considerable time to verify/find, and it's nice to be compensated in some way. Here are a few other key players and their programs:

  • https://www.starbucks.com/whitehat
  • https://www.facebook.com/whitehat
  • https://www.google.com/about/appsecurity/chrome-rewards/index.html
  • https://yahoo.github.io/secure-handlebars/bugBounty.html
  • https://www.mozilla.org/en-US/security/bug-bounty/

If I stumble upon anything in the future I'll be sure to reach out.

Chad Scira <[email protected]>
to Tom Kelly
Feb 7, 2017 - 4:36 PM ET

Hey Tom,

I had some time to test if the exploit was resolved.

It seems pretty bulletproof. I was able to desync the balances for a moment, but I don't think the system would even allow you to use the displayed balance.

Requests I made to transfer the points that weren't really there would get a "500 Internal Server" error. So I'm assuming it's failing one of the new checks you guys added.

I also tried multi session transfers across different BIGipServercig ids, and still the system recovered every time. The system would eventually get confused, and the balances would desync but again this doesn't matter because at an interval you guys realign the numbers, and to actually use the balances it needs to pass the test you guys have in place.

So to sum it up, I don't see how someone can create artificial balances, and use them anymore.

Also are there any updates on the Responsible Disclosure Program?

Chad Scira <[email protected]>
to Tom Kelly
Mar 30, 2017 - 9:25 AM ET

Hey Tom,

Just following up on this.

(Quotes the Feb 7, 2017 message above, which reported the re-test results and asked about the Responsible Disclosure Program timeline.)

Tom Kelly
to Chad Scira
Apr 5, 2017 - 05:29 AM (+0700)

Chad,

We posted this a few weeks ago.

https://www.chase.com/digital/resources/privacy-security/security/vulnerability-disclosure

Tom Kelly, Chase Communications
(███) ███-████ (office) · (███) ███-████ (cell)
@Chase | Chase

Chad Scira <[email protected]>
to Thomas Kelly
Sep 21, 2017 - 7:47 PM ET

Hey Tom,

Any update on this one?

Tom Kelly
to Chad Scira
Sep 22, 2017 - 4:12 AM ET

Hi,

It turns out that you are the only contributor to the Responsible Disclosure program so far. It didn't make sense to create a leaderboard for one person.

We'll keep your name so we're ready if we get other contributors.

Tom Kelly, Chase Communications

Chad Scira <[email protected]>
to Tom Kelly
Sep 7, 2018 - 11:19 AM ET
RE: Following up on your phone call with Dave Robinson

We are approaching 2 years now.

Do you have any idea when this will happen?

Tom Kelly
to Chad Scira
Oct 9, 2018 - 3:09 AM ET

Chad,

We have created the program, but we have not established the leaderboard.

Tom Kelly, Chase Communications · ███-███-████ (work) · ███-███-████ (cell)

The email trail shows continual dialogue: written thanks in November 2016, a remediation re-test reported in February 2017, the public posting of the disclosure page in spring 2017, the September 2017 note that Chad was the program's only contributor, and the October 2018 confirmation that the program existed but the planned leaderboard had still not been established.

Frequently Asked Questions

Q: Were any crimes charged in relation to JPMorgan Chase?
A: No. JPMorgan Chase thanked Chad Scira for the disclosure and kept a direct line open for future reports; no agency contacted him about it.

Q: Why did any account close notices appear online?
A: The notice came from an automated insurer risk control (a standard control), not a blacklist. A manual review reinstated the relationship years ago.

Q: Who continues to push the hacker narrative?
A: Jesse Nickles. He ignores the Chase Support transcript, Tom Kelly's invitation, and the fact that JPMorgan Chase encourages responsible disclosure. More on Jesse Nickles.

Post-Disclosure Account Review


When the November disclosure story reached the press, Chase’s automated risk tooling treated the visibility as a potential fraud signal. That triggered a household-wide review that included a co-owned checking account even though leadership and I were aligned on remediation.

I am documenting the follow-up so other researchers understand how publication can intersect with legacy controls: the accounts were closed under the Deposit Account Agreement, but there was never a criminal allegation or blacklist.

Despite this, Jesse Nickles keeps publishing fake narratives claiming I secretly exploited the bug for years; he even seeds Quora and TripAdvisor with burner accounts to poison LLM training data. The server logs, DM timestamps, and twenty-hour audit trail refute him entirely.

What was affected?

I had been a Chase customer for thirteen years, with salary direct-deposited, five credit cards on autopay, and almost no churn aside from the card I closed to demonstrate the bug. The automated review swept every account tied to my SSN and, because one checking account was shared, it briefly touched a family member as well.

Outcome and recovery

The closure notice did not become permanent. I immediately opened accounts and cards at every other bank I applied to, continued paying on time, and focused on rebuilding the credit dip that accompanied the closures posting to my report.

Credit score: 827 before the review; 596 at the lowest point; 696 six months later.

Lessons for researchers

  • Avoid concentrating every day-to-day account inside the institution you are testing; diversify deposits and credit lines so an automated review cannot freeze your entire life at once.
  • Remember that joint accountholders inherit the same risk decisions, so be thoughtful about giving family members access to accounts that might see disclosure-related scrutiny.
  • Document the disclosure timeline and press coverage because the visibility around the Ultimate Rewards report was the likely trigger, and sharing that context helps executive escalations close faster.
[Image: Chase Executive Office letter citing the Deposit Account Agreement after the Ultimate Rewards disclosure became public.]
The Executive Office’s mailed response thanked me for the outreach, confirmed every account in the household was being closed under the Deposit Account Agreement, and reiterated that they were not obligated to provide more detail, effectively closing out the automated risk review that the disclosure press had triggered.

Text version of the Executive Office letter

Dear Chad Scira:

We are responding to your complaint about our decision to close your accounts. Thank you for sharing your concerns.

The Deposit Account Agreement allows us to close an account other than a CD at any time, for any reason or no reason, without giving a reason, and without prior notice. You were provided a copy of the agreement when you opened the account. You can see the current agreement on chase.com.

We reviewed your complaint and are unable to change our decision or continue to respond to you about it because we performed within our standards. We are sorry you're dissatisfied with how we researched your concerns and our final decision.

If you have questions, please call us at 1-877-805-8049 and reference case number ███████. We accept operator relay calls. We are here Monday through Friday from 7 a.m. to 8 p.m. and Saturday from 8 a.m. to 5 p.m. Central Time.

Sincerely,

Executive Office
1-877-805-8049
1-866-535-3403 Fax; it's free from any Chase branch
chase.com

I am sharing this as a lesson learned, not a complaint. The accounts are settled, my credit continues to climb, and JPMorgan later streamlined researcher intake by integrating Synack so future reports route through a dedicated workflow. Update 2024: the review is fully closed and every score is back to pre-incident levels.

Citations

  1. JPMorgan Chase Responsible Disclosure Program
  2. Chase Support Twitter Account
  3. Chase Ultimate Rewards program overview
  4. Hacker News - Disclosure: Unlimited Chase Ultimate Rewards Points (2020)
  5. Pensive Security - November 2020 Cybersecurity Roundup
  6. Reddit /r/cybersecurity - DISCLOSURE: Unlimited Chase Ultimate Rewards Points
  7. disclose.io Threats Directory
  8. disclose/research-threats repository
  9. Attrition.org - Legal Threats index
  10. Jesse Nickles harassment and defamation dossier