The Stripe Bug Bounty Program Terms and Conditions ("Terms") govern your participation in the Stripe Bug Bounty Program (the "Program"). These Terms are between you and Stripe ("Stripe," "us," or "we"). By submitting any vulnerabilities to Stripe or otherwise participating in the Program in any manner, you accept these Terms.
Participants must be at least 18 years old.
Stripe employees and contractors, as well as their family members, are strictly prohibited from participating in the Program, or sharing information with an external security researcher to bypass this prohibition.
You are prohibited from participating in the program if you are a resident of any U.S. embargoed jurisdiction, including, but not limited to, Iran, North Korea, Cuba, the Crimea region, and Syria; or if you are on the U.S. Treasury Department's list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List. By participating in the program, you represent and warrant that you are not located in any such country or on any such list.
Those who meet the eligibility requirements above and discover a potential security finding within Stripe products or services can submit a report to the Program.
Your participation in our program is voluntary and subject to the following:
You must include a working Proof of Concept.
You must not threaten or try to extort Stripe.
You must not access, modify, copy, download, delete, compromise, or otherwise misuse others’ data.
You must not access non-public information without authorization.
You must not degrade, interrupt, or deny services to our users.
You must not cause a loss of funds that are not your own.
If you are performing research, you must use your own accounts and not interact with other users’ accounts or data.
You must not leverage the existence of a vulnerability or access to sensitive or confidential data to make threats, extortionate demands, or ransom requests.
Your testing must not violate any applicable laws or regulations.
You will be responsible for any tax implications related to any bounty payment you receive, as determined by the laws of your jurisdiction.
By reporting a vulnerability, you grant Stripe and its affiliates a perpetual, irrevocable, worldwide, royalty-free license to use, copy, adapt, develop, create derivative work from, or share your submission for any purpose. You waive all claims, including breach of contract or implied-in-fact contract, arising out of your submission.
By reporting a vulnerability, you agree to allow HackerOne to share with Stripe the personal information that you provide to HackerOne relating to your tax forms so that Stripe can perform compliance checks.
Whether to provide a payment for the disclosure of a bug and the amount of the payment is entirely at our discretion.
Only the earliest, responsibly-disclosed submission of a vulnerability instance with enough actionable information to identify the issue will be marked as valid. All other reports for a given issue will not be eligible for a reward under our program.
After a submission is sent to Stripe in accordance with the Rules of Engagement described above, Stripe engineers will review the submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your submission, as well as on the number of submissions we receive.
Stripe retains sole discretion in determining which submissions are qualified. If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first eligible submission. If a duplicate report provides new information that was previously unknown to Stripe, we may award a differential to the person submitting the duplicate report. Stripe will also reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. In these situations, we pay both researchers.
You must create your own account using a HackerOne email address (username@WeAreHackerOne.com) to help us track security research activity.
When opening your own merchant account, please add “bug-bounty” to the end of the merchant name.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.
Below are some examples of issues that are out of scope for the Stripe Bug Bounty Program:
Account squatting by preventing users from registering with certain email addresses
Attacks requiring MITM or physical access to a user's device
Best practice reports without a valid exploit (e.g., use of "weak" TLS ciphers)
Clickjacking on pages with no sensitive actions
Comma Separated Values (CSV) injection without demonstrating a vulnerability
Content spoofing and text injection issues without showing an attack vector or the ability to modify HTML/CSS
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Denial of service
Disclosure of server or software version numbers
Hypothetical subdomain takeovers without supporting evidence
Issues that are premised on unlikely user interaction
Missing best practices in Content Security Policy
Missing best practices in SSL/TLS configuration
Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Missing HttpOnly or Secure flags on cookies
Open redirect - unless an additional security impact can be demonstrated
Perceived security weaknesses without concrete evidence of the ability to compromise a user (e.g., missing rate limits, missing headers, etc.)
Previously known vulnerable libraries without a working Proof-of-Concept
Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis
Rate limiting or bruteforce issues on non-authentication endpoints
Reports exploiting the behavior of, or vulnerabilities in, outdated browsers
Reports of spam
Self-XSS
Session invalidation or other security-hardening issues related to account management when a credential is already known (e.g., password reset link does not immediately expire, adding MFA does not expire other sessions, etc.)
Social engineering
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
Tabnabbing
Unconfirmed reports from automated vulnerability scanners
User/merchant enumeration
Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)
By participating in this program, you agree not to publicly or privately disclose the contents of your submission, your findings, your communications with Stripe related to your participation in the Program, or any facts you have learned about Stripe in the course of your participation in the Program to any third parties without Stripe’s prior written approval. There are no exceptions.
You must never attempt to access personal data that belongs to others, whether by exploiting a vulnerability or not. If, during your testing, you interacted with or obtained access to personal data of others, you must:
Stop your testing immediately and cease any activity that involves the data or the vulnerability;
Do not save, copy, store, transfer, disclose, or otherwise retain the data; and
Alert Stripe immediately and support our investigation and mitigation efforts.
Failure to comply with this section will immediately disqualify any report from bounty award eligibility.
To protect your privacy, we will not, unless served with legal process or to address a violation of this policy:
Share your personally identifiable information with third parties
Share your research without your permission
Share your participation without your permission
Stripe reserves the right to disqualify you from participating in the Program if you violate the Rules of Engagement or other rules specified in this program policy, including the rules about disclosure.
We may change the Terms at any time. Participating in the Program after the changes become effective means you agree to the new Terms. If you don't agree to the new Terms, you must not participate in the Program.
If you wish to opt out of the Program, please contact us at security@stripe.com.
Scope Type | Scope Name |
---|---|
android_application | com.stripe.android.dashboard |
ios_application | 978516833 |
other | Stripe Payments |
other | Stripe Checkout |
other | Stripe Connect |
other | Stripe Terminal |
other | Stripe Billing |
other | Stripe Elements |
other | Stripe Dashboard |
other | Stripe Issuing |
other | Stripe Radar |
other | Stripe Sigma |
other | Stripe Atlas |
other | Stripe SDKs |
other | Stripe Open Source |
web_application | api.stripe.com |
web_application | *.stripe.com |
web_application | *.payable.com |
web_application | *.touchtechpayments.com |
web_application | *.indiehackers.com |
web_application | js.stripe.com |
web_application | api.taxjar.com |
web_application | app.taxjar.com |
web_application | *.getbouncer.com |
web_application | *.recko.io |
web_application | *.reckoproduction.com |
web_application | *.reckostaging.com |
web_application | *.link.co |
web_application | www.stripe.partners |
FireBounty crawled the Stripe program on the HackerOne platform on 2021-07-29.