Payoneer

Payoneer looks forward to working with the security community and welcomes your participation in our program aimed at identifying potential security vulnerabilities related to Payoneer’s products or website (the “Program”), in order to keep our business and customers safe and protected.

Below is our policy and applicable terms and conditions for participation in the Program (the “Policy”). In order to be eligible for awards granted under the Program and to enjoy the safe harbor granted to fully compliant participants, you are required to meet all terms of this Policy.

By reporting a security vulnerability to Payoneer via HackerOne, you acknowledge that you have read and agree to our Policy below.

Response Targets

Payoneer will make best efforts to meet the following SLAs for Program participants:

| Type of Response | SLA in business days |
|----------|--------------------|
| First Response | 2 days |
| Time to Triage | 2 days |
| Time to Bounty | 14 days |
| Time to Resolution | Depends on severity and complexity |

Payoneer will make reasonable efforts to keep you informed about progress made with respect to your reported vulnerabilities.

Program Eligibility

To be eligible for participation in our Program, you must be of legal age and in addition must not:

  • Be a resident of, or submit your vulnerability reports from, a country against which the United States has issued export sanctions or other trade restrictions;

  • Be in violation of any national, state, or local law or regulation;

  • Be employed by Payoneer Global Inc. or any of its subsidiaries, or be an immediate family member of such a person.

Program Rules

  • Only vulnerabilities determined as a valid security issue by Payoneer’s security team may be eligible for an award, subject to full compliance of the participant with the terms of this Program. Payoneer’s security team shall have the right to determine if any reported vulnerability is eligible for an award under this Program.

  • You need to show that you could exploit a vulnerability, but avoid causing any damage. You must not: access, modify, copy, download, delete, compromise or otherwise misuse any data; access non-public information without authorization; intentionally view or access any data beyond what is reasonably required to prove the vulnerability; degrade, interrupt or deny services to our users; and/or incur loss of funds that are not your own.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to reflect aggregative impact.

  • When duplicates occur, we only award the first report that was received with respect to the same vulnerability (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be eligible for one award.

  • Any type of social engineering (e.g. phishing, vishing, smishing) is strictly prohibited and vulnerabilities detected based on such conduct will not be eligible for awards.

  • Participants are required to avoid privacy violations, processing of any personal data, destruction of data, and interruption or degradation of Payoneer’s services.

  • Only use accounts you own and do not interact with other users’ accounts or data without explicit permission of the account holder.

  • Rewards for reported eligible vulnerabilities may be granted based on Payoneer’s sole discretion and subject to applicable laws, including without limitation anti-money laundering obligations and sanctions. The amount of each reward will be determined by Payoneer in its sole discretion.

  • You will be responsible for any tax implications related to any award you receive, as determined by the laws applicable to you.

  • As a condition for your participation in the Program, you hereby waive any and all claim or demands of any nature in connection with or arising from any vulnerability report you submit.

Confidentiality

  • Any information you receive or collect about Payoneer or any of its users must be kept confidential and only used in connection with this Program for the purpose of submitting a vulnerability report. Without derogating from the aforesaid and as condition for your participation in the Program, you agree that you may not: (i) publicly disclose any of your findings or any details related to any vulnerability you detect (whether resolved or not) to any third party without Payoneer’s prior written approval; (ii) disclose the terms of this Program or its existence without Payoneer’s prior written approval.

  • Please follow HackerOne's disclosure guidelines.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Clickjacking on pages with no sensitive actions.

  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.

  • Attacks requiring MITM or physical access to a user's device.

  • Previously known vulnerable libraries without a working Proof of Concept.

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.

  • Missing best practices in SSL/TLS configuration.

  • Any activity that could lead to the disruption of our service (DoS).

  • Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.

  • Rate limiting or brute-force issues on non-authentication endpoints.

  • Missing best practices in Content Security Policy.

  • Missing HttpOnly or Secure flags on cookies.

  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).

  • Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version).

  • Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors).

  • Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.

  • Tabnabbing.

  • Open redirect, unless an additional security impact can be demonstrated.

  • Issues that require unlikely user interaction.

Safe Harbor

We will not take legal action against you in relation to activities conducted in a manner fully consistent with the rules described in this Policy, and which are reported to Payoneer under this Program. If legal action is initiated by a third party against you in connection with activities conducted in compliance with this Policy, we will take reasonable steps to make it known that your actions were conducted under the Program.

Amendments

The Program may be changed, altered or cancelled by Payoneer at any time, without any notice. As such, Payoneer may amend this Policy at any time by posting a revised version. By continuing to participate in the Program after such changes are posted, you accept and agree to the modified terms.

Thank you for helping keep Payoneer and our users safe.

In Scope

| Scope Type | Scope Name |
|----------|--------------------|
| web_application | *.payoneer.com |

Out of Scope

| Scope Type | Scope Name |
|----------|--------------------|
| web_application | register.payoneer.com |
| web_application | explore.payoneer.com |
| web_application | tracks.payoneer.com |
| web_application | affiliates.payoneer.com |
| web_application | community.payoneer.com |
| web_application | blog.payoneer.com |

This program crawled on the 2022-01-26 is sorted as bounty.
