

500 $ 

Square Open Source

Rewarding security bugs in our open source projects

Square recognizes the important contributions the security research community can make. Part of keeping Square's customers safe is making sure that we find and fix any security issues in our open source projects. If you find any vulnerabilities in any of our participating open source projects, send us a report. Even better, send us a fix!

Note: this program is for reporting issues in our open source projects. If you believe you have discovered a security vulnerability in one of Square's domains (squareup.com, square.com, or cash.me), please report it at <https://hackerone.com/square>.

Attributes of a good report

  • Detailed explanation of the bug.
  • Include specific source code references when possible. You should at least list which project you are referring to.
  • Please include a proof-of-concept of the issue you're reporting.
  • Describe the versions of all relevant components of the issue (e.g. browser, operating system, mobile app version, etc.).

How to send a fix

Please do not open a pull request to fix an issue you're reporting. This would unnecessarily reveal any potential vulnerabilities. Instead, if you'd like to send us a fix, attach a patch file to the issue you open. You'll need to sign our Individual Contributor License Agreement before any patches can be accepted.


Projects which are hosted at https://github.com/square/, which contain a BUG-BOUNTY.md file in the root directory, and only the latest code in the master branch. Currently, the projects in scope are:

Ineligible reports

  • Issues related to software not under our control. Issues in underlying libraries used by our open source projects are not eligible for a reward. You are more than welcome to report them and we will follow up to try to get things fixed.
  • Most of our open source development is publicly visible. Reports related to an issue being fixed in a branch or being tracked in a public way will therefore not be eligible for a bounty.
  • Reports of issues without a proof-of-concept or clear path to exploitation.
  • Issues which can only be reproduced on specific combinations of hardware or software not used by Square.

This program was found on HackerOne on 2015-05-11.

FireBounty © 2015-2022
