Bug Bounty Programme



Program Terms

Please note that your participation in the Bug Bounty Programme is voluntary and subject to the terms and conditions set forth on this page. By submitting a website or product vulnerability to Paysera, you acknowledge that you have read and agreed to these Programme Terms.
These Programme Terms supplement the terms of any other agreement into which you have entered with Paysera. If there is any inconsistency between the terms of the Paysera Agreements and these Programme Terms, these Programme Terms will control, but only with regard to the Bug Bounty Programme.

Security issue reporting guidelines

If you think you have found a security vulnerability in Paysera, please report it to us by email to [email protected]. Please include detailed steps to reproduce the bug and a brief description of what the impact is. We encourage responsible disclosure (as described below), and we promise to investigate all legitimate reports in a timely manner and fix any issues as soon as we can.

Services in scope

Any Paysera service that handles reasonably sensitive user data is intended to be in scope. This includes virtually all the content in the following domains: *.paysera.com

Responsible Disclosure Policy



Security of user funds, data and communication is of the highest priority to Paysera. In order to encourage responsible disclosure, we will not pursue legal action against researchers who point out a problem, provided they follow the principles of responsible disclosure, which include, but are not limited to:

  • Only access, disclose, or modify your own customer data.
  • Do not perform any attack that could harm the reliability or integrity of our services or data.
  • Avoid scanning techniques that are likely to cause degradation of service to other customers (e.g. DoS, spamming).
  • Always keep details of vulnerabilities secret until Paysera has been notified and has fixed the issue.
  • Do not attempt to gain access to another user’s account or data.

When researching vulnerabilities on the Paysera website, you must not engage in any activity that:

  • Results in degradation of Paysera systems.
  • Results in you, or any third party, accessing, storing, sharing or destroying data of Paysera or its customers.
  • May impact Paysera clients, such as denial of service, social engineering or spam.

We may suspend your account and ban your IP if you do not respect these principles.

We ask you to remain available to follow up and provide further information on the bug, and invite you to work together with Paysera developers in reproducing, diagnosing, and fixing the bug. We use the following guidelines to determine the eligibility of submissions and the amount of the reward.


Eligibility

To be eligible for the Bug Bounty Programme, you must not:
  • Be in violation of any national, state, or local law or regulation.
  • Be an immediate family member of a person employed by Paysera, or its subsidiaries or affiliates.
  • Be less than 14 years of age. If you are at least 14 years old but are considered a minor in your place of residence, you must obtain permission signed by your parents or legal guardians prior to participating in the programme.
If Paysera discovers that you do not meet any of the criteria above, Paysera will remove you from the Bug Bounty Programme and disqualify you from receiving any bounty payments.

Amount of Reward



More severe bugs will be met with greater rewards. Any bug which has the potential for financial loss or data breach is of sufficient severity.
In general, vulnerabilities that may be rewarded less are those that do not cause one or more of the following results:
  • Partial/complete loss of funds.
  • User information leak.
  • Loss of accuracy of exchange data.

In order to receive a bounty:
  • The security bug must be original and previously unreported.
  • The security bug must be a remote exploit, the cause of a privilege escalation, or an information leak.

If two or more people report the bug together, the reward will be divided among them.
Here are some examples of how to receive a higher reward:
  • The researcher can demonstrate new classes of attacks, or techniques for bypassing security features. Or, if an existing vulnerability can be demonstrated to be exploitable through additional research by the reporter, additional compensation can be earned for the same bug.
  • Research might also uncover extremely severe, complex, or interesting problem areas, or previously unreported or unknown issues.

Bounty payments, if any, will be determined by Paysera, in Paysera’s sole discretion. In no event shall Paysera be obligated to pay you a bounty for any Submission. All bounty payments can be made only in euro to an identified Paysera account. The reward may also be transferred to Greenpeace, the Red Cross or Caritas organizations. Paysera does not pay bounties in cryptocurrencies or to other payment systems, which are not mentioned on this page.
In determining the amount of payout, Paysera will take into account the level of risk and impact of the vulnerability.


Examples of Vulnerabilities



Examples of Qualifying Vulnerabilities
Paysera reserves the right to decide if the minimum severity qualification threshold is met and whether it was already reported.
  • Authentication bypass or privilege escalation.
  • Clickjacking.
  • Cross-site scripting (XSS).
  • Cross-site request forgery (CSRF/XSRF).
  • Mixed-content scripts.
  • Server-side code execution.
  • User data breach.
  • Remote Code Execution.
Examples of Non-Qualifying Vulnerabilities
Reporting the following vulnerabilities is appreciated but will not systematically lead to a reward from Paysera.
  • Denial of Service vulnerabilities (DoS).
  • Possibilities to send malicious links to people you know.
  • Security bugs in third-party websites that integrate with Paysera API.
  • Vulnerabilities related to third-party software (e.g. Java, plugins, extensions) or websites, unless they lead to a vulnerability on the Paysera website.
  • Spam (including issues related to SPF/DKIM/DMARC).
  • Usability issues, forms autocomplete.
  • Insecure settings in non-sensitive cookies.
  • Browser Cache vulnerabilities.
  • Vulnerabilities (including XSS) that require a potential victim to install non-standard software or otherwise take very unlikely active steps to make themselves susceptible.
  • Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • Vulnerabilities (including XSS) that affect only legacy browser / plugins.
  • Self-XSS.
  • CSRF for non-significant actions (logout, etc.).
  • Clickjacking attacks without a documented series of clicks that produce a vulnerability.
  • Content injection, such as reflected text or HTML tags.
  • Missing HTTP headers, except where their absence fails to mitigate an existing attack.
  • Authentication bypasses that require access to software / hardware tokens.
  • Vulnerabilities that require access to passwords, tokens, or the local system (e.g. session fixation).
  • Assumed vulnerabilities based upon version numbers only.
  • Bugs requiring exceedingly unlikely user interaction.
  • Disclosure of public information and information that does not present significant risk.
  • Scripting or other automation and brute forcing of intended functionality.
  • Requests violating the same-origin policy without a concrete attack scenario (for example, when using CORS, and cookies are not used for authentication or are not sent with requests).

Required Information



For all submissions, please include:
  • A full description of the vulnerability being reported, including its exploitability and impact.
  • All steps required to reproduce the exploitation of the vulnerability.
  • URL(s)/application(s) affected in the submission (even if you provided us a code snippet/video as well).
  • IPs that were used while testing.
  • Always include the user ID that is used for the POC.
  • Always include all of the files that you attempted to upload.
  • Provide the complete PoC for your submission.
  • Please save all the attack logs and attach them to the submission.

Failure to include any of the above items may delay or jeopardize the bounty payment.
Report it to us by emailing [email protected].


We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan, Syria) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.

This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time.

Frequently Asked Questions



What if I found a vulnerability, but I don't know how to exploit it?
We expect vulnerability reports sent to us to have a valid attack scenario in order to qualify for a reward, and we consider this a critical step when doing vulnerability research. Reward amounts are decided based on the maximum impact of the vulnerability, and the panel is willing to reconsider a reward amount based on new information (such as a chain of bugs, or a revised attack scenario).
How do I demonstrate the severity of the bug if I’m not supposed to snoop around?
Please submit your report as soon as you have discovered a potential security issue. The panel will consider the maximum impact and will choose the reward accordingly. We routinely pay higher rewards for otherwise well-written and useful submissions where the reporter didn't notice or couldn't fully analyze the impact of a particular flaw.