Square recognizes the important contributions the security research community can make. Part of keeping Square's customers safe is making sure that we find and fix any security issues in our open source projects. If you find any vulnerabilities in any of our participating open source projects, send us a report. Even better, send us a fix!
Note that this program is for reporting issues in our open source projects. If you believe you have discovered a security vulnerability in one of Square's domains (squareup.com, square.com, or cash.me) or mobile applications (Square Point of Sale, Square Cash App), please report it to our other Square bug bounty program.
Please do not open a pull request or GitHub ticket to fix an issue you're reporting. This would unnecessarily reveal any potential vulnerabilities. Instead, if you'd like to send us a fix, attach a patch file to the issue you open. You'll need to sign our Individual Contributor License Agreement before any patches can be accepted.
Rewards range from $100 to $10,000 depending on the type of issue and impact. We prioritize and reward issues based on the real-world impact to our software and systems as operated by Square. The values below represent upper bounds and rewards may vary in practice.
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
Scope Type | Scope Name |
---|---|
web_application | https://github.com/square/git-fastclone |
web_application | https://github.com/square/go-jose |
web_application | https://github.com/square/js-jose |
web_application | https://github.com/square/keywhiz |
web_application | https://github.com/square/keywhiz-fs |
web_application | https://github.com/square/keysync |
web_application | https://github.com/square/okhttp |
web_application | https://github.com/square/okio |
web_application | https://github.com/square/pam_krb_cache |
web_application | https://github.com/square/ghostunnel |
web_application | https://github.com/square/rails-auth |
web_application | https://github.com/square/retrofit |
web_application | https://github.com/square/squalor |
web_application | https://github.com/square/sudo_pair |
web_application | https://github.com/square/valet |
web_application | https://github.com/square/wire |
On this program you get up to $10,000 for the most critical vulnerability.