Global Payments

Have feedback on our program? Let us know here!

#Global Payments Vulnerability Disclosure Program (“VDP”) Policy

Global Payments is a Fortune 500 worldwide commerce ecosystem serving customers in over 100 countries! We have a team of 24,000 experts and innovators working to serve our customers—dedicated to solving complexity in commerce by providing simple, secure payments and software solutions that anticipate changing needs and carry our customers forward. We’re trusted in over 3.5 million customer locations and 1,300 financial institutions.

Global Payments Inc. (“Global Payments”) looks forward to working with the information security community to find vulnerabilities in order to keep our businesses and customers safe. Please read this Program Policy in its entirety.

#Eligibility for Participation

You must be 18 years old or older to submit a vulnerability for consideration as part of the Program. If you are a minor (under 18 years of age), a parent or legal guardian must submit the vulnerability.

You must be an individual security researcher participating in your own individual capacity. If you work for a security research organization, that organization must permit you to participate in your individual capacity. You are responsible for reviewing and complying with your employer’s rules for participating in the Program.

#Ineligibility for Participation

You may not participate in the VDP if you are any of the following: A resident of, or if you have a tax form from, China or Hong Kong.

A resident of any country/region that is the subject of a broad, geographically-defined United States (U.S.) sanctions program, such as Cuba, Iran, North Korea, Sudan, Syria or Crimea, or a person, or an affiliate, agent, employee, or contractor of a person, that is designated in the U.S. Department of the Treasury’s Specially Designated Nationals and Blocked Persons List or any other Office of Foreign Assets Control (“OFAC”) sanctions list.

A resident of any country/region, or a person, or an affiliate, agent, employee, or contractor of a person, that has been sanctioned by the relevant authorities in the country or region from which any data you access through the Program originates, or in which any portion of the information system you access is hosted and/or deployed.

A current employee of Global Payments., a Global Payments affiliate, or an immediate family member (parent, sibling, spouse, or child) or household member of such an employee.

A contingent staff member, contractor, or vendor employee that is currently working with, or has worked in the past twelve (12) months with, Global Payments or a Global Payments affiliate.

#Response Targets

Global Payments will make a best effort to meet the following SLAs for security researchers participating in the program:

We’ll try to keep you informed about our progress throughout the process.

#Scope

Please refer to scoped assets to view current in-scope assets. No VPN access nor credentials will be provided for testing.

#Disclosure Policy

• You agree not to discuss this VDP or any vulnerabilities (even resolved ones) outside of the VDP without express consent from Global Payments.
• Global Payments reserves the right to approve or deny any request for disclosure.
• You agree to follow HackerOne's disclosure guidelines.

#Program Guidelines

• This Program is not intended to encourage any researcher to access, view, transmit, disclose, interact with, or otherwise process Personal Information, defined here to include any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. Personal Information may include, as applicable, any Payment Account Number (PAN), Cardholder Data (CHD), or Sensitive Authentication Data (SAD), as each term is defined by the Payment Card Industry Data Security Standard (PCI-DSS). Should you encounter any Personal Information during your research or in connection with the Program, you are required to: (1) minimize your access to Personal Information, including immediately halting your activity, where possible; (2) comply with the additional data protection obligations set forth in the “Data Protection” section of these Program Terms, below; and (3) return any Personal Information you obtain during your research or in connection with the Program when you submit a report, and securely delete all copies of the Personal Information immediately following the submission of your report.
• Keep scans to 45 requests per minute.
• For account creation, use your HackerOne email address and only create a single user account.
• Refer to the assets in scope for specific instructions on testing and follow those instructions.
• Provide detailed reports with reproducible steps. If the report is not sufficiently detailed to enable reproduction of the issue, the issue may not be triaged.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to prove impact. When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• You may only interact with accounts you own or with explicit permission of the account holder.
• Do not engage in any activity that can potentially or actually cause harm to Global Payments, our customers, or our employees.
• Do not engage in any activity that can potentially or actually stop or degrade Global Payments’ services or assets.
• Do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
• Do not initiate a fraudulent financial transaction.

#Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.

In addition to the below, any vulnerability on the HackerOne Core Ineligible Findings list is out of scope:

• Unexploitable vulnerabilities discovered via scanning. All submissions must have a valid proof of concept.
• Attacks requiring man-in-the-middle (MITM) or physical access to a user's device.
• Vulnerabilities on partner or supplier products.
• Rate limiting or brute-force issues on non-authentication endpoints.

#Grounds for Disqualification

Because we do not allow any actions that could negatively impact the customer experience on our websites, apps, or other Global Payments assets, attempting any of the following could result in permanent disqualification from the Program and could result in a possible criminal and/or legal investigation:

• Violation of the Participation Requirements
• Disruption or denial-of-service attacks (Application and Network)
• Social engineering attacks
• Brute-force attacks
• Exfiltration of data
• Code injection on live systems
• The compromise or testing of application accounts that are not your own
• Any threats, attempts at coercion, or extortion of Global Payments employees, other partner employees, or customers
• Physical attacks against Global Payments, contractors, or customers
• Any physical attempts against Global Payments property or data centers
• Any other action that violates these Program Terms
• Any other action that violates the law
• Any action that endangers yourself or others
• Aggressive vulnerability scans or automated scans on Global Payments servers (including scans using tools such as Core Impact or Nessus)

#Additional Legal Terms

By submitting security or vulnerability information to Global Payments, you confirm that you have read, understand, and agree to these Program Terms. Further, you agree that by submitting such information to Global Payments, even if the information is not eligible for a reward, you grant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, or create derivative works based upon such information and otherwise exploit such information for any purpose.

Any Global Payments information that you may encounter, view, acquire, or access, is owned by Global Payments or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information. Nothing in these Program Terms shall be deemed to constitute a grant of any license or other right to or in any Global Payments or third-party product, service, patent, trademark, trade secret, or other intellectual property.

You must comply with all applicable federal, state, local, and international laws, regulations, and rules in connection with your security research activities and your participation in the Program. If you violate any applicable law or any requirement established by these Program Terms, you will not be considered a security researcher, and you may become subject to criminal penalties and civil liability. In particular, by participating in the Program, you confirm your understanding: (1) that applicable United States federal laws make it a felony offense for you to intentionally access an information system that is connected to the internet without authorization, or to exceed the scope of your authorized access to such a system, and in doing so to obtain any information therefrom; and (2) that any action that you take on a Global Payments information system that exceeds the limits established by these Program Terms may therefore constitute a federal crime. Global Payments reserves all rights to pursue all available remedies, civil and criminal, against any individual or entity operating in violation or excess of the Program Terms.

Global Payments retains the right to obtain your Personal Data (as defined in the HackerOne Privacy Policy) from HackerOne, and to process such Personal Data as necessary to accomplish the legitimate business objectives of Global Payments, including but not limited to ensuring the security and integrity of our infrastructure, data, products, and services. Global Payments may also obtain and process your Personal Data for the purpose of exercising or defending legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. By submitting a vulnerability report via the Global Payments Vulnerability Disclosure Program (https://hackerone.com/global-payments) you consent to HackerOne disclosing Personal Data to Global Payments, upon request, in the circumstances described in this paragraph.

Global Payments may modify these Program Terms or terminate the Program at any time.

##Data Protection To the extent you access, or view, transmit, disclose, interact with, or otherwise process Personal Information in connection with the Program, you constitute a Processor and/or Service Provider, as each term is defined by Data Protection Laws. For purposes of these Program Terms, “Data Protection Laws” means all laws and regulations applicable to the processing of Personal Information in connection with the Program, which may include, but may not be not limited to, the California Consumer Privacy Act, as modified by the California Privacy Rights Act of 2020 (“CCPA”) and the General Data Protection Regulation (EU) 2016/679 (“GDPR”). Any capitalized term not defined herein shall have the meaning given to that term in the Data Protection Laws.

Processing Instructions and Details. As a Processor/Service Provider, you shall process Personal Information: (i) only to the extent necessary for participation in the Program; (ii) in compliance with all instructions provided by Global Payments in relation to the processing; and (iii) in accordance with these Program Terms and Data Protection Laws. The categories of Personal Information to which you gain access may include Global Payments team member and customer contact information and any other Personal Information accessed or viewed in connection with the Program. The nature of the processing is solely for the purpose of identifying and submitting a vulnerability through the Program and the duration of processing is limited to the time needed to submit the report. The business purpose and/or lawful basis of the processing is to ensure the security and integrity of our infrastructure, data, products, and services.

Processing Restrictions. You will not: (i) retain, use, disclose or otherwise process Personal Information for any purpose not contemplated by these Program Terms; (ii) retain, use, disclose, or otherwise process Personal Information outside of the direct business relationship between you and Global Payments; (iii) use, distribute, sell, rent, release, or disclose Personal Information to a third party for monetary or other valuable consideration; (iv) combine Personal Information with any other personal information that you receive from, or on behalf of, another person or persons, or collect from your own interaction with a Data Subject; or (v) share Personal Information with any third party for cross-context behavioral advertising, whether or not for monetary or other valuable compensation.

Compliance with Data Protection Laws. You agree that: (i) you shall provide Personal Information with the same level of protection that Global Payments would be required to provide for it; and (ii) you understand the obligations placed upon you by Data Protection Laws. If you determine that you are no longer able to meet your compliance commitments in these Program Terms, you must immediately notify Global Payments in writing.

Sub-Processors. You agree that you will not use any Sub-Processors to process Personal Information without the prior written consent of Global Payments.

Confidentiality and Security. You shall maintain the confidentiality of Personal Information to which you have access and limit such access to what is strictly necessary to participate in the Program. While any Personal Information is in your possession or accessible by you, you shall ensure you have reasonable and appropriate security procedures and practices in place to protect the Personal Information from unauthorized access, destruction, use, modification, or disclosure.

Privacy Incidents. You shall notify Global Payments immediately, and in no event later than within 24 hours, upon becoming aware of a Privacy Incident, and you shall provide full assistance to Global Payments in meeting Global Payments’ obligation(s) with respect to such Privacy Incident under Data Protection Laws. For purposes of these Program Terms, “Privacy Incident” means any act, omission, event or occurrence that compromises the confidentiality, integrity, or availability of Personal Information. For the avoidance of doubt, the term “Privacy Incident” includes, without limitation: (i) any incident involving the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Information; and (ii) any incident involving Personal Information that meets the definition of a “security breach,” “personal data breach,” “breach of the security of the system,” or any other similar term under the Data Protection Laws.

Assistance. You shall provide full assistance to Global Payments to enable Global Payments to meet its obligations(s) to perform any assessments or respond to any requests regarding the processing of Personal Information that are required by Data Protection Laws. You shall promptly provide to Global Payments, upon request, all information necessary to demonstrate your compliance with these Program Terms and Data Protection Laws.

Return and Deletion. You must return any Personal Information you obtain during your research or in connection with the Program when you submit a report, and securely delete all copies of the Personal Information immediately following the submission of your report.

Transfers. You shall not Transfer Personal Information without the prior written consent of Global Payments. For purposes of these Program Terms, “Transfer” means the access by, transfer or delivery to, or disclosure to, a person, entity or system of Personal Information where such person, entity or system is located in a country or jurisdiction other than the country or jurisdiction from which the Personal Information originated. You and Global Payments agree that when a Transfer is subject to the GDPR, the EU Standard Contractual Clauses Module Two (Controller to Processor) or Module Three (Processor to Processor) (found in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council), which are deemed incorporated into and form part of these Program Terms, will apply as follows:

• Global Payments shall be deemed to be the “data exporter” and you shall be deemed the “data importer” with respect to the processing of Personal Information.
• Clause 7 shall not apply.
• The audits described in Clause 8.9 shall be carried out in any manner that Global Payments deems appropriate.
• For Clause 9, Option 1: Specific Prior Authorization shall apply, and the time period for the request for specific authorization shall be 30 days.
• For Clause 11(a), the optional language shall not apply.
• The Data Protection Commissioner of Ireland shall be the competent supervisory authority (Clause 13(a)).
• The EU Standard Contractual Clauses will be governed by the laws of the Republic of Ireland (Clause 17).
• Disputes shall be resolved before the courts of Ireland, County of Dublin (Clause 18).
• The information included in the “Data Protection” section of these Program Terms is incorporated accordingly into Annexes I (A, B and C), II and III of the EU Standard Contractual Clauses.

Transfers subject to the laws of the United Kingdom or the Swiss Confederacy shall be pursuant to the EU Standard Contractual Clauses, as incorporated above, subject to any modifications required by the applicable jurisdiction’s regulatory authority to render those clauses a suitable mechanism for papering an international transfer.

For the avoidance of doubt, nothing about your agreement to comply with the terms set forth in this Data Protection section renders you an agent, employee, or contractor of Global Payments.

##Safe Harbor Any research activities conducted in strict accordance with these Program Guidelines, as determined by Global Payments, will be considered authorized conduct, and we will not initiate legal action against you relating to such research activities.

Thank you for helping keep Global Payments and our users safe!