In Scope
Scope Type | Scope Name
android_application | Cash App Mobile Application for Android
android_application | Square Point of Sale Mobile Application for Android
ios_application | Cash App Mobile Application for iOS
ios_application | Square Point of Sale Mobile Application for iOS
Out of Scope
Scope Type | Scope Name
web_application | Any vulnerabilities found in Third-party software
Our approach to security is designed to protect buyers and sellers. We monitor every transaction, continuously innovate in fraud prevention, and we protect businesses’ data like our business depends on it—because it does. We adhere to industry-leading standards to manage our network, secure our web and client applications, and set policies across our organization.
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.
We are particularly interested in problems with Square’s payment flows. Confirmed vulnerabilities that directly affect our payment flows will receive a $500 minimum reward.
A Note on Similar Submissions:
We ask that researchers who are able to identify the same or similar types of issues in multiple locations across one of our applications combine those findings into a single submission that includes a description as well as the various locations where vulnerabilities have been identified. This greatly assists us in our triage process and allows us to process your submissions faster. The combined submissions will be evaluated holistically and will receive rewards corresponding to the collective findings. For example, if an application is discovered to have broken access control on a number of API endpoints, please submit a single submission that includes a list of those API endpoints. If separate submissions are made, they may be inadvertently closed as duplicates.
Last updated 24 Aug 2018 23:44:22 UTC
Technical severity | Reward range
P1 Critical | $5,000 - $5,000
P2 Severe | $2,500 - $2,500
P3 Moderate | $900 - $900
P4 Low | $300 - $300
P5 submissions do not receive any rewards for this program.
Target name | Type
*.square.com | Website
*.squareup.com | Other
*.cash.me | Website
Cash App Mobile Application for Android | Android
Cash App Mobile Application for iOS | iOS
Square Point of Sale Mobile Application for Android | Android
Square Point of Sale Mobile Application for iOS | iOS
Out of Scope
Target name | Type
Any vulnerabilities found in Third-party software | Website
Any domain/property of Square not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
Squareup.com - landing page for documentation/resources. Documentation/resources are also available for each in-scope application:
Cash App for iOS
Cash App for Android
Square Point of Sale for iOS
Square Point of Sale for Android
Please sign up for an account using your @bugcrowdninja.com email address (Bugcrowd provides documentation on @bugcrowdninja email addresses).
We've created an account with an email address of the form [32 character flag]@squareup.com. Tell us how you found it, and you'll get a $1000 bounty.
The SHA1 digest of the flag is:
Find a file called BUGCROWD-flag.txt whose contents contain a [32 character flag]. Tell us how you found it, and you'll get a $1000 bounty.
The SHA1 digest of the flag is:
To make sure you know that you have found the right flag, we are publishing the digests of the flags by running echo [32 characters] | sha1sum. You can do the same on your terminal (you might need to install sha1sum or use an
For example, if the value of the token were fb3f8fe63cc107c1977855c95633fb13 (it's not), then you would run:
~ echo -n fb3f8fe63cc107c1977855c95633fb13 | sha1sum
Some things to keep in mind when hunting for flags:
Square recognizes the important contributions the security research community can make. We encourage coordinated reporting of security issues with our services. We take the security of our services very seriously and monitor their use for indications of a malicious attack. In order to allow us to identify legitimate security research as opposed to malicious attacks against our services, we promise not to bring legal action against researchers who:
Please submit any issue related to cryptocurrency to the Square program immediately. Square is eager to work with the community to make sure that every researcher finding related to cryptocurrency will be fairly rewarded given the vulnerability's impact on business and overall severity. This includes compensation that might be higher than what is advertised currently.
If you have data that you feel is particularly sensitive and would like to encrypt before sending it to our bug bounty, please use the following OpenPGP key for encryption:
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.