Security Bounty
BlueSnap Security Bounty Program
BlueSnap works vigilantly to help keep our customers’ data secure. We recognize the important role that security researchers and our user community play towards that goal, and for that, we created a bounty program.
If you believe you have found a security vulnerability on BlueSnap, we encourage you to let us know right away via the email address below. We will investigate all legitimate reports and do our best to quickly mitigate the vulnerability.
E-mail us at [email protected]
We determine bounty eligibility at our sole discretion based on a variety of factors, including (but not limited to) impact, risk, data exposure, ease of exploitation, and quality of the report. Our bounty awards vary by the classification of the issue. We typically pay:
- No award for Low Severity issues
- $100 for Medium
- $250 for High
- $500+ for Critical
In the event of duplicate reports, we award a bounty to the first person to submit an issue meeting the eligibility requirements. Note that vulnerabilities reported in third-party systems/services are not eligible under our bug bounty program, although we encourage you to report them.
Rules
Rules for You:
- Don’t maliciously attempt to leverage the reported vulnerability
- Don’t perform any attack that could harm the reliability/integrity of our services or data
- Don’t publicly disclose a security vulnerability before it has been fixed
- You cannot be a BlueSnap employee or a contractor employed by BlueSnap
Rules for Us:
- We will respond as quickly as possible to your submission
- We will pay the eligible bounty upon validation of the vulnerability by our security team
- We will keep you updated as we work to mitigate the vulnerability you submitted
Scope
The following sites and applications are in scope for the bounty program:
- https://sandbox.bluesnap.com/jsp/developer_login.jsp – Payments Services. You can create a BlueSnap test account using this link: https://sandbox.bluesnap.com/jsp/onboarding/
- https://app.armatic.com/signin/ – Accounts Receivable Services. You can click on “signup” to create an account
We reserve the right to modify or terminate this program and will publish notices to that effect on our website.