Square recognizes the important contributions the security research community can make. Part of keeping Square's customers safe is making sure that we find and fix any security issues in our open source projects. If you find any vulnerabilities in any of our participating open source projects, send us a report. Even better, send us a fix!
Note that this program is to report issues in our open source projects. If you believe you have discovered a security vulnerability in one of Square's domains (squareup.com, square.com, or cash.me) or mobile applications (Square Point of Sale, Square Cash App), please report it to our other Square bug bounty program.
Please do not open a pull request or GitHub ticket to fix an issue you're reporting. This would unnecessarily reveal any potential vulnerabilities. Instead, if you'd like to send us a fix, attach a patch file to the issue you open. You'll need to sign our Individual Contributor License Agreement before any patches can be accepted.
Rewards range from $100 to $10,000 depending on the type of issue and impact. We prioritize and reward issues based on the real-world impact to our software and systems as operated by Square. The values below represent upper bounds and rewards may vary in practice.
Last updated 10 Oct 2018 21:10:00 UTC
Technical severity | Reward range
---|---
P1 Critical | $1,000 - $10,000
P2 Severe | $750
P3 Moderate | $500
P4 Low | $100
P5 submissions do not receive any rewards for this program.
Projects which are hosted in Square's GitHub organization and which contain a BUG-BOUNTY.md file in the root directory are in scope. Note that we only reward issues found in the latest master branch or release of a project. Outdated releases, development branches, pull requests, or similar are excluded from the bounty.
Currently, the projects in scope are:
Target name | Type
---|---
<https://github.com/square/git-fastclone> | Other
<https://github.com/square/go-jose> | Other
<https://github.com/square/js-jose> | Other
<https://github.com/square/keywhiz> | Other
<https://github.com/square/keywhiz-fs> | Other
<https://github.com/square/keysync> | Other
<https://github.com/square/okhttp> | Other
<https://github.com/square/okio> | Other
<https://github.com/square/pam_krb_cache> | Other
<https://github.com/square/ghostunnel> | Other
<https://github.com/square/rails-auth> | Other
<https://github.com/square/retrofit> | Other
<https://github.com/square/squalor> | Other
<https://github.com/square/sudo_pair> | Other
<https://github.com/square/valet> | Other
<https://github.com/square/wire> | Other
If you have data that you feel is particularly sensitive and would like to encrypt before sending it to our bug bounty, please use the following OpenPGP key for encryption:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2
=ptIx
-----END PGP PUBLIC KEY BLOCK-----
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
FireBounty © 2015-2019