Rewarding security bugs in our open source projects

Square recognizes the important contributions the security research community can make. Part of keeping Square's customers safe is making sure that we find and fix any security issues in our open source projects. If you find any vulnerabilities in any of our participating open source projects, send us a report. Even better, send us a fix!

Note that this program is to report issues in our open source projects. If you believe you have discovered a security vulnerability in one of Square's domains (squareup.com, square.com, or cash.me) or mobile applications (Square Point of Sale, Square Cash App), please report them to our other Square bug bounty program.

Attributes of a good report

• Detailed explanation & proof-of-concept for the bug
• Include specific source code references for the issue from our GitHub
• Include repository, release version, branch and other information
• Describe the real-world impact/exploitability of the bug

Ineligible reports

• Issues related to software not under our control (such as external dependencies) are not eligible for a reward.
• Most of our open source development is publicly visible. Reports related to an issue being fixed in a branch or being tracked in a public way will therefore not be eligible for a bounty.
• Reports of issues without a proof-of-concept or clear path to exploitation. You may still report these, but will not be eligible for a monetary reward.
• Issues which can only be reproduced on specific combinations of hardware or software not used by Square.

How to send a fix

Please do not open a pull request or GitHub ticket to fix an issue you're reporting. This would unnecessarily reveal any potential vulnerabilities. Instead, if you'd like to send us a fix, attach a patch file to the issue you open. You'll need to sign our Individual Contributor License Agreement before any patches can be accepted.

Rewards

Rewards range from $100 to $10,000 depending on the type of issue and impact. We prioritize and reward issues based on the real-world impact to our software and systems as operated by Square. The values below represent upper bounds and rewards may vary in practice.

Reward Range

Last updated 10 Oct 2018 21:10:00 UTC

Technical severity | Reward range
---|---
p1 Critical | $1,000 - $10,000
p2 Severe | $750 - $750
p3 Moderate | $500 - $500
p4 Low | $100 - $100

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name | Type
---|---
<https://github.com/square/git-fastclone> | Other
<https://github.com/square/go-jose> | Other
<https://github.com/square/js-jose> | Other
<https://github.com/square/keywhiz> | Other
<https://github.com/square/keywhiz-fs> | Other
<https://github.com/square/keysync> | Other
<https://github.com/square/okhttp> | Other
<https://github.com/square/okio> | Other
<https://github.com/square/pam_krb_cache> | Other
<https://github.com/square/ghostunnel> | Other
<https://github.com/square/rails-auth> | Other
<https://github.com/square/retrofit> | Other
<https://github.com/square/squalor> | Other
<https://github.com/square/sudo_pair> | Other
<https://github.com/square/valet> | Other
<https://github.com/square/wire> | Other

Target information

Projects which are hosted in Square's GitHub organization and which contain a BUG-BOUNTY.md file in the root directory are in scope. Note that we only reward issues found in the latest master branch or release of a project. Outdated releases, development branches, pull requests, or similar are excluded from the bounty.

Currently, the projects in scope are:

• git-fastclone: It's git clone --recursive on steroids
• Go-JOSE: Go library to encrypt/decrypt data in JOSE formats
• js-JOSE: JavaScript library to encrypt/decrypt data in JOSE formats
• Keywhiz: A system for distributing and managing secrets
• KeywhizFs: A FUSE module/filesystem for Keywhiz
• KeySync: Keysync periodically downloads secrets from Keywhiz
• OkHttp: An HTTP+HTTP/2 client for Android and Java applications
• Okio: A modern I/O API for Java
• pam_krb_cache: PAM module for ksu style Kerberos authentication in sudo
• ghostunnel: Simple SSL/TLS proxy with mutual authentication for securing non-TLS services
• rails-auth: Modular resource-based authentication and authorization for Rails/Rack
• Retrofit: Type-safe HTTP client for Android and Java
• Squalor: Go SQL utility library
• sudo_pair: sudo plugin that requires another human to approve and monitor privileged sudo sessions
• Valet: Securely store data in the iOS, tvOS, or macOS Keychain
• Wire: Clean, lightweight protocol buffers for Android and Java

OpenPGP key

If you have data that you feel is particularly sensitive and would like to encrypt before sending it to our bug bounty, please use the following OpenPGP key for encryption:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2

mQENBFQKLngBCADIGP81CNlJK9AvC2aZI0fQU8Zq6i48Gj1KsV1HtSlvfTs1HDzD
VxOWSKAuof/K3fKAYzIUYis8l39gCnwIB1ozlseZz3cPkjnvlMc0wRTZ4fohyIxP
d4hs6atxAImUiQHErM1OI9UmXA1DX2lH3hz3w3wD0qBY/1c+qp/Tju0BZHLonion
C9n7AHv78Z3Fg1F/4xLAn0V7JMS7BSK0fp5s/hTHa3ZHYBsL/To7mZ9lmqx5XEiW
GXBMbqHQoBwK2ETywQMreuDIqn+HowkLJhMcW3ir+iKZfE3Z3HwP+v/RcyZvND0c
eKadqm0rd2INpH02nZeAC68Ac1o4D+GWaDoxABEBAAG0JVNxdWFyZSBJbmZvc2Vj
IDxpbmZvc2VjQHNxdWFyZXVwLmNvbT6JAT0EEwEIACcFAlQKLngCGwMFCRLMAwAF
CwkIBwMFFQoJCAsFFgMCAQACHgECF4AACgkQrhC6tawqxoqj0gf9EpM2UtkT6Vwa
/R7XzF6kn5LWKRUCY2Cqq2pKdC4aEsgE1TJfEWaz4VM2QuladYbdywRde8cauD2g
cABvebngzL70M8OeLkIRxNcmQUvuUY08dNjJcKAaAiIdVtVHat9u5fxo2vl+NbYM
09G04+8lfg8SoB+1P6Jb7Ia8OSW5o6SCtp2MJ7nXaqEOdEvXPRCHqhiifeOqq94j
pVe1DlTxHLZT+alhemB8Ax9NlyV7FU5i06890ZIaBBWUfKF5ZUAqUy9Juh/35U4a
bVqNy8jAS3OPkGEZjHcJj9dQAlgXrvxe+sqsSyUvJgByOSjV0dhHbO6Xgobc/EPB
xWKl7ECIrrkBDQRUCi54AQgAqI4ImtjxoCdM9RwCkHaoUjZPtVmVQah6/8W/DAm9
Gi3TFuQVWahq5FRMahGZ4HfhjJyY9X0STS04jRNjcRZVgD98wvoRyBfnuognRaS7
/vIwYRPwnJ5ipWkC9La0uivn+wmQYO1p3Lq5ZoH9RaxgGIpytZ7hTMK9zfXqJ899
HUXYhF7zOUdcMzHMukpybR7yiZTRpsbl8JoQtZ8aB8JQ0ML4ca0/7syqoH8F3aVV
MvYEnlGY1iy8npLzVUCDStLJxQ7290kSED8t0v0YNhOtkg7/bZEdNcB56bVJ6uTu
3j/ETuLwJN62dRInDSYfhGAewvg3QfrirGJfesYYuKBn4QARAQABiQElBBgBCAAP
BQJUCi54AhsgBQkSzAMAAAoJEK4QurWsKsaKnFUH/jMnMIEfuen/NQa3cVyburgj
Xai9KTyqjIQeXS2tnYWqNE5WfR/CSkJ4dJ6A4vsd4xacbQRw+feJkOOUUqUR6ZjM
CuUMN4k4DwAom7NKobLs+35Iam6ODgJIhQG/5zCvrtIbuKvoEVHfxY59LqIFB4tI
bclvS7mKQKkAGa7aVm6/ZqtSU5oV/ZqM2kawtE4vA3Yy0Woax9sqe9U3kD4mFUY+
f/GNmvtiUR/wddpUuTGY5gxitsYZB68zIlTd9UDmX3q2jqgF1ZdhacTKo95Aluy3
49+SyjPZcvCZyJhgiHBhWN2VbHuKDJYhmiaVN7Iyswzj6WWf/jUVrM1u0gJVY2C5
AQ0EVAoueAEIALWhKlYA3CZXnbgnI9CA2qZ5wq3wo5SeokHUpoJ1SF3wKXkhfrrK
Qg+3/CIcc6d0nVoiMEdB51XH5Ahse647bA93urz0IWMagR24JzYx7sXToBZ2jrdX
4/0Stp+GbhMRCRuK8ml2m46Vi+vhs3YkDmP+qpruyo5XLSRlTYYJKOVCqi75a84h
b9dZM7BGjPuyuuDS9wq1uq+G8mwfg5G5fIilVPxOuXJmsZqANfYZdatL4pCkudBn
EtHeJGVqcQLoeUCSyb7O5BEXvMp43P6N1Y9Q5tQlaXUwoF8R2Ni30/Rl4gzSDgzg
VB4MSZdDZLWn6ymDJOt+Mv+BVkyfa2QqGP8AEQEAAYkBJQQYAQgADwUCVAoueAIb
DAUJEswDAAAKCRCuELq1rCrGilqBCADD9T/5g3eQKSHHSbhbIjvACSqnIshc+EYS
o5U6DXEbdoqE9tad8enEJiuR2N+8X3DwvGLr+quX+tqHX7/FPnqp3kEU793uH4q6
7gdyqa4/RGMM3IjBktRrvW+UHHkXZf0VqBalsfDcC+bXxWljUzByDScOw5hsJuRM
3dRZdWHHrl2wIIAid+97Om73sLn1tm/2oq03aSbRmhRfOLjXF/QEErRipzFqI/kG
GzYX1BpwDCPDVIzjTN+eFUcsv/OwBy2EYayOzVmG/WjoO5EGt83eG+/JeLn6+GRy
6Lv8d1oHPpOq5dv9M80nhQ2s9C5o17WMcbUcZMKx95txnN/r09yb
=ptIx
-----END PGP PUBLIC KEY BLOCK-----

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.