Our team of dedicated security professionals works vigilantly to help keep customer information secure. We recognize the important role that security researchers and our user community play in helping to keep PayPal and our customers secure. If you discover a site or product vulnerability please notify us using the guidelines below.
Please note that your participation in the Bug Bounty Program is voluntary and subject to the terms and conditions set forth on this page (“Program Terms”). By submitting a site or product vulnerability to PayPal, Inc. (“PayPal”) you acknowledge that you have read and agreed to these Program Terms.
These Program Terms supplement the terms of PayPal User Agreement, the PayPal Acceptable Use Policy, and any other agreement in which you have entered with PayPal (collectively “PayPal Agreements”). The terms of those PayPal Agreements will apply to your use of, and participation in, the Bug Bounty Program as if fully set forth herein. If any inconsistency exists between the terms of the PayPal Agreements and these Program Terms, these Program Terms will control, but only with regard to the Bug Bounty Program.
To encourage responsible disclosures, PayPal commits that, if we conclude, in our sole discretion, that a disclosure respects and meets all the guidelines of these Program Terms and the PayPal Agreements, PayPal will not bring a private action against you or refer a matter for public inquiry.
As part of your research, do not modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.
PayPal will make a best effort to adhere to the following response targets:
Type of Response | Business days
First Response | 2 days
Time to Triage | 10 days
Time to Bounty | 14 days
Time to Resolution | depends on severity and complexity
To be eligible for the Bug Bounty Program, you must not:
If PayPal discovers that you meet any of the criteria above, PayPal will remove you from the Bug Bounty Program and disqualify you from receiving any Bounty Payments.
By providing a Submission or agreeing to the Program Terms, You agree that you may not publicly disclose your findings or the contents of your Submission to any third parties in any way without PayPal’s prior written approval.
Failure to comply with the Program Terms will result in immediate disqualification from the Bug Bounty Program and ineligibility for receiving any Bounty Payments.
Accepted, in-scope vulnerabilities include, but are not limited to:
Certain vulnerabilities are considered out-of-scope for the Bug Bounty Program. Those out-of-scope vulnerabilities include, but are not limited to:
In addition to in-scope items mentioned above, some additional vulnerability types will be considered in-scope for mobile applications. These include:
Certain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.
The following mobile vulnerabilities are out-of-scope and will not be accepted:
For all submissions, please include:
Failure to meet the below conditions and requirements could result in a forfeiture of any potential Bounty Payment.
You may be eligible to receive a monetary reward (“Bounty Payment”) if: (i)
you are the first person to submit a site or product vulnerability; (ii) that
vulnerability is determined to by a valid security issue by PayPal’s security
team; and (iii) you have complied with all Program Terms.
Bounty Payments, if any, will be determined by PayPal, in PayPal’s sole discretion. In no event shall PayPal be obligated to pay you a bounty for any Submission. All Bounty Payments shall be considered gratuitous.
All Bounty Payments will be made in United States dollars (USD). You will be responsible for any tax implications related to Bounty Payments you receive, as determined by the laws of your jurisdiction of residence or citizenship.
PayPal will determine all Bounty Payments based on the risk and impact of the vulnerability. The minimum bounty amount for a validated bug submission is $50 USD and the maximum bounty for a validated bug submission is $30,000 USD.
PayPal Bug Bounty Team retains the right to determine if the bug submitted to the Bug Bounty Program is eligible. All determinations as to the amount of a bounty made by the PayPal Bug Bounty Team are final. Bounty Payment ranges are based on the classification and sensitivity of the data impacted, ease of exploit and overall risk to PayPal customers, PayPal brand and determined to be a valid security issue by PayPal’s security engineers.
As a condition of participation in the PayPal Bug Bounty Program, you hereby
grant PayPal, its subsidiaries, affiliates and customers a perpetual,
irrevocable, worldwide, royalty-free, transferrable, sublicensable (through
multiple tiers) and non-exclusive license to use, reproduce, adapt, modify,
publish, distribute, publicly perform, create derivative work from, make, use,
sell, offer for sale and import the Submission, as well as any materials
submitted to PayPal in connection therewith, for any purpose. You should not
send us any Submission that you do not wish to license to us.
You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to PayPal. In no event shall PayPal be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in the Submission irrespective of their similarity to the information in the Submission, so long as PayPal complies with the terms of participation stated herein.
In the event (i) you breach any of these Program Terms or the terms and conditions of the PayPal Agreements; or (ii) PayPal determines, in its sole discretion that your continued participation in the Bug Bounty Program could adversely impact PayPal (including, but not limited to, presenting any threat to PayPal’s systems, security, finances and/or reputation) PayPal may immediately terminate your participation in the Bug Bounty Program and disqualify you from receiving any Bounty Payments. Please see our recommendations on the proper procedures for testing our applications.
Any information you receive or collect about PayPal or any PayPal user through the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the PayPal sites, without PayPal’s prior written consent.
In addition to any indemnification obligations you may have under the PayPal Agreements, you agree to defend, indemnify and hold PayPal, its subsidiaries, affiliates and the officers, directors, agents, joint ventures, employees and suppliers of PayPal, its subsidiaries, or our affiliates, harmless from any claim or demand (including attorneys’ fees) made or incurred by any third party due to or arising out of your Submissions, your breach of these Program Terms and/or your improper use of the Bug Bounty Program.
The Bug Bounty Program, including its policies, is subject to change or cancellation by PayPal at any time, without notice. As such, PayPal may amend these Program Terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the Bug Bounty Program after PayPal posts any such changes, you accept the Program Terms, as modified.
Contact us if you want more information.