In Scope

| Scope Type | Scope Name |
|---|---|
| web_application | Core Priceless.com - demo.priceless.com |
| web_application | Simplify Commerce - www.simplify.com/commerce/ |
| web_application | MasterCard.us - www.mastercard.us/en-us.html |
| web_application | MasterCard.ch - (German) - www.mastercard.ch/de-ch.html |
| web_application | MasterCard.ch - (French) - www.mastercard.ch/fr-ch.html |
| web_application | MasterCard.ru - www.mastercard.ru/ru-ru.html |
| web_application | MasterCard.com.au - www.mastercard.com.au/en-au.html |
| web_application | MasterCard.nl - www.mastercard.nl/nl-nl.html |
| web_application | Order placement on demo.priceless.com |

Out of Scope

| Scope Type | Scope Name |
|---|---|
| api | All Available Mastercard Developer APIs |
MasterCard is a technology company in the global payments industry. We operate the world’s fastest payments processing network, connecting consumers, financial institutions, merchants, governments and businesses in more than 210 countries and territories. MasterCard products and solutions make everyday commerce activities – such as shopping, traveling, running a business and managing finances – easier, more secure and more efficient for everyone. For nearly half a century, MasterCard has been a leader in safety and security. As payment methods continue to evolve, MasterCard is committed to advancing digital security, which includes rigorous testing for potential vulnerabilities. You can help us make our products and services even safer and earn rewards by reporting potential vulnerabilities.
PLEASE NOTE: Due to GDPR and other legal requirements, all testing must be conducted using your @bugcrowdninja.com email address only. If you do not use your @bugcrowdninja.com email address, you risk being blocked from accessing MasterCard applications.
Rewards will be paid through Payoneer ONLY; set up your payment method in your Bugcrowd profile before submitting.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, in some cases a vulnerability's priority will be modified based on its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
Use of automated scanners and tools to find vulnerabilities is strictly prohibited. MasterCard requests that testers do not perform automated or scripted testing of web forms, especially "Contact Us" forms that are designed for customers to reach the Support team.
Targets

| Target name | Type |
|---|---|
| Core Priceless.com - demo.priceless.com | Website |
| Simplify Commerce - www.simplify.com/commerce/ | Website |
| MasterCard.us - www.mastercard.us/en-us.html | Website |
| MasterCard.ch - (German) - www.mastercard.ch/de-ch.html | Website |
| MasterCard.ch - (French) - www.mastercard.ch/fr-ch.html | Website |
| MasterCard.ru - www.mastercard.ru/ru-ru.html | Website |
| MasterCard.com.au - www.mastercard.com.au/en-au.html | Website |
| MasterCard.nl - www.mastercard.nl/nl-nl.html | Website |
| https://developer.mastercard.com | Website |
| Order placement on demo.priceless.com | Website |
| donate.mastercard.com | Website |

Any domain/property of Mastercard not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

The following targets are explicitly out of scope, and any submissions reported against them will be marked out of scope.

| Target name | Type |
|---|---|
| All Available Mastercard Developer APIs | API |
| demo.priceless.com/golf | Website |
| demo.priceless.com/travel | Website |
| demo.priceless.com/standup | Website |

All vulnerabilities discovered and reported on other targets (including subdomains) will be accepted, but are not eligible for a reward at this time. These submissions will be marked "Not Applicable" to prevent negative ratings.
Known Issue: The Mastercard Payment Gateway Virtual Payment Client (VPC) API that uses the MD5-based cryptogram to provide an integrity check of request parameters contains a critical vulnerability that allows limited modification of those parameters without causing a change in the cryptogram value. This vulnerability is remotely exploitable and does not require authentication. Mastercard has assessed the severity as CVSS 7.5. Mastercard recommends that all customers update their integration to use the HmacSHA256-based cryptogram, which is not vulnerable to this parameter tampering. We thank Yohanes Nugroho for his support in identifying this security vulnerability and helping to protect our customers.
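The known issue above states only the effect (parameters can be altered within limits while the MD5 cryptogram stays the same) and the fix (an HMAC-SHA256 cryptogram). The following is an added, constructed illustration of that vulnerability class, not the gateway's own code: it models the weak scheme as MD5 over a secret followed by the parameter values concatenated in sorted-key order with no delimiters, which is one common way such an integrity check ends up blind to field boundaries. The field names, the demo secret, the concatenation rule and the request values are all assumptions made for this example. The hardened function shows the property the fix needs: a keyed MAC over a canonical, delimited key=value encoding, so that keys, values and their boundaries are all bound to the cryptogram.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed demo secret; a real integration uses the merchant's gateway secret.
SECRET = b"demo-merchant-secret"

# Constructed request: 100.00 in minor units for order 7. The field names are
# assumptions for this demo, not the gateway's real parameter names.
ORIGINAL = {
    "amount": "10000",
    "order_id": "7",
    "return_url": "https://merchant.example/return",
}


def weak_md5_cryptogram(params):
    """Weak scheme (assumed model): MD5(secret || v1 || v2 || ...) over the
    parameter VALUES in sorted-key order, with no separators and no key names.
    Field boundaries are invisible to the digest, so any reallocation of
    characters between adjacent values still verifies."""
    payload = "".join(params[k] for k in sorted(params))
    return hashlib.md5(SECRET + payload.encode("utf-8")).hexdigest()


def hmac_sha256_cryptogram(params):
    """Hardened scheme: HMAC-SHA256 over a canonical, delimited encoding of
    key=value pairs (percent-encoded, '&'-joined, sorted by key). Keys,
    values and their boundaries are all bound to the MAC."""
    canonical = "&".join(
        f"{quote(k, safe='')}={quote(params[k], safe='')}" for k in sorted(params)
    )
    return hmac.new(SECRET, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(params, cryptogram, scheme):
    """Constant-time check of a received cryptogram under the given scheme."""
    return hmac.compare_digest(scheme(params), cryptogram)


def shift_boundary(params, src, dst, n):
    """Attacker move: take the last n characters of params[src] and prepend
    them to params[dst]. When src immediately precedes dst in sorted-key
    order, the delimiter-free concatenation of the values is unchanged, so
    the weak cryptogram computed by the merchant still matches."""
    out = dict(params)
    out[dst] = out[src][-n:] + out[dst]
    out[src] = out[src][:-n]
    return out


def demo():
    """Tamper with the amount (100.00 -> 10.00) by moving one digit into the
    order id. Returns (tampered params, weak check passes?, hardened check passes?)."""
    tampered = shift_boundary(ORIGINAL, "amount", "order_id", 1)
    weak_ok = verify(tampered, weak_md5_cryptogram(ORIGINAL), weak_md5_cryptogram)
    strong_ok = verify(tampered, hmac_sha256_cryptogram(ORIGINAL), hmac_sha256_cryptogram)
    return tampered, weak_ok, strong_ok


if __name__ == "__main__":
    tampered, weak_ok, strong_ok = demo()
    print("tampered request              :", tampered)
    print("MD5 cryptogram still verifies :", weak_ok)
    print("HMAC-SHA256 cryptogram verifies:", strong_ok)
```

The modification the attacker can make is limited, exactly as the advisory says: only characters that sit at the boundary between adjacent fields can be moved, and the concatenated string must stay byte-identical. That is still enough to reprice a transaction when the next field is something the merchant parses loosely (here, an order id that is read as an integer). The hardened scheme closes the gap because the delimited, percent-encoded encoding makes "amount=10000&order_id=7" and "amount=1000&order_id=07" different inputs, and because an HMAC keyed with the secret, rather than a bare hash with the secret prefixed, is the correct primitive for a message authentication code.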
Researchers are encouraged to create their own accounts by visiting https://donate.mastercard.com/wfp/en-it.html and signing up. When signing up, please use the following credit card details:
Card number: 5333171009808520
Expiration: 09/20
CVC: 464
Simplify Commerce is a uniquely versatile, highly scalable and incredibly simple cloud-based payments platform from MasterCard. It works for card brands that the acquirer supports. Designed with the small business owner in mind, it’s a simple, easily integrated and dynamic platform that makes it a strong choice for businesses of all sizes.
Priceless Cities is a core tenet of MasterCard’s world-renowned, 18-year-old Priceless marketing platform, which is currently available in 112 countries and 53 languages. The platform provides exclusive curated experiences and special access in over 35 cities, marketed in over 52 countries.
Mastercard Regional Websites
The regional MasterCard sites are the company’s external websites, which include public information available to unauthenticated users. The sites include outbound links to resources not hosted on the www.mastercard.com domain. Only the core MasterCard domain is in scope and open to testing. Please be mindful of which domain / sub domain you are testing.
The APIs for the developer portal are fully out of scope for this program. You may either use an existing account or create new users as needed using your @bugcrowdninja.com address.
Please create an account on your own using your @bugcrowdninja.com email address. Your 'bugcrowdninja' email address is your Bugcrowd username followed by @bugcrowdninja.com. All emails sent to it will be delivered to the email address associated with your Bugcrowd account.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.