Square Open Source

2018-04-13
2020-04-23

Reward: $100

Rewarding security bugs in our open source projects

Square recognizes the important contributions the security research community can make. Part of keeping Square's customers safe is making sure that we find and fix any security issues in our open source projects. If you find any vulnerabilities in any of our participating open source projects, send us a report. Even better, send us a fix!

Note that this program is for reporting issues in our open source projects. If you believe you have discovered a security vulnerability in one of Square's domains (squareup.com, square.com, or cash.me) or mobile applications (Square Point of Sale, Square Cash App), please report it to our other Square bug bounty program.

Attributes of a good report

  • Detailed explanation & proof-of-concept for the bug
  • Include specific source code references for the issue from our GitHub
  • Include repository, release version, branch and other information
  • Describe the real-world impact/exploitability of the bug

Ineligible reports

  • Issues related to software not under our control (such as external dependencies) are not eligible for a reward.
  • Most of our open source development is publicly visible. Reports related to an issue being fixed in a branch or being tracked in a public way will therefore not be eligible for a bounty.
  • Reports of issues without a proof-of-concept or clear path to exploitation. You may still report these, but will not be eligible for a monetary reward.
  • Issues which can only be reproduced on specific combinations of hardware or software not used by Square.

How to send a fix

Please do not open a pull request or GitHub ticket to fix an issue you're reporting. This would unnecessarily reveal any potential vulnerabilities. Instead, if you'd like to send us a fix, attach a patch file to the issue you open. You'll need to sign our Individual Contributor License Agreement before any patches can be accepted.

Rewards

Rewards range from $100 to $10,000 depending on the type of issue and impact. We prioritize and reward issues based on the real-world impact to our software and systems as operated by Square. The values below represent upper bounds and rewards may vary in practice.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

In Scope

Scope Type         Scope Name
web_application    https://github.com/square/git-fastclone
web_application    https://github.com/square/go-jose
web_application    https://github.com/square/js-jose
web_application    https://github.com/square/keywhiz
web_application    https://github.com/square/keywhiz-fs
web_application    https://github.com/square/keysync
web_application    https://github.com/square/okhttp
web_application    https://github.com/square/okio
web_application    https://github.com/square/pam_krb_cache
web_application    https://github.com/square/ghostunnel
web_application    https://github.com/square/rails-auth
web_application    https://github.com/square/retrofit
web_application    https://github.com/square/squalor
web_application    https://github.com/square/sudo_pair
web_application    https://github.com/square/valet
web_application    https://github.com/square/wire


This program pays up to $10,000 for the most critical vulnerability.

FireBounty © 2015-2024