GoCardless is on a mission to take the pain out of getting paid for businesses with recurring revenue. We’ve created a global bank debit network, to rival credit and debit cards. On top of it, we’ve built a platform designed and optimised for taking invoice, subscription, membership, and instalment payments. Our recurring payments platform integrates with the applications businesses use every day, giving businesses more visibility over payments and saving them huge amounts of time on tasks like payment reconciliation.

GoCardless looks forward to working with the security community to find security vulnerabilities to keep our businesses and customers safe. We really appreciate your help in uncovering any security issues and look forward to your findings.

Disclosure Policy

The policy covers any public-facing website owned, operated, or controlled by GoCardless, including web applications hosted on those sites.

Please do not discuss any vulnerabilities (even resolved ones) outside of the program. We currently do not have a public disclosure policy, so any disclosure requests will be denied.

Response Targets

GoCardless will keep you informed about our progress throughout the process. The bounty is typically paid out when a triaged issue has been remediated or within 30 days of setting the report as triaged.

Rules of Engagement

Your participation in our program is voluntary and subject to the following:

• You must include a working Proof of Concept.
• You must follow HackerOne platform rules.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• You must not threaten or try to extort GoCardless or our customers.
• You must not access, modify, copy, download, delete, compromise, or otherwise misuse others’ data.
• You must not access non-public information without authorization.
• You must not degrade, interrupt, or deny services to our users.
• You must not incur a loss of funds that are not your own.
• You must use your own accounts and not interact with other users’ accounts or data.
• You must use your HackerOne email alias for accounts when conducting research on our platform.
• If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• When duplicate reports occur, only the first report that can be fully reproduced may be eligible for a reward at GoCardless' discretion.
• Chained/Multiple vulnerabilities caused by a single underlying issue are eligible for a single reward at GoCardless' discretion.

Setting up accounts for vulnerability research

You must use a HackerOne email alias account for accounts configured in our environments (e.g., [email protected]). More details on HackerOne aliases: https://docs.hackerone.com/hackers/hacker-email-alias.html Please add "bug bounty" to the company or name field to make the account easily identifiable as belonging to a security researcher.

To get started on the GoCardless platform, we recommend that you review the extensive documentation about the types of accounts that can be set up:

• Getting started with GoCardless
• GoCardless guide for developers
• Partner integration getting started guide
• Schema details
• Role-based access on GoCardless Merchant Dashboard
• Bank Account Data Overview
• Bank Account Data API FAQ
• Bank Account Data Sandbox Data

Scope

The scope has been deliberately loosely defined to encourage a wide range of impactful findings subject to the restrictions set out in the Out-of-Scope vulnerabilities section below.

Please conduct all research and testing in our sandbox environment (e.g., https://manage-sandbox.gocardless.com).

There is currently no Sandbox environment for the Bank Account Data portal. As such, no automated scanning is to be conducted, and only manual testing is permitted on the following in-scope domains:

• https://bankaccountdata.gocardless.com
• https://auth0.gocardless.com
• https://ob.gocardless.com

Consult the documentation to find out how to use sandbox bank details for Bank Account Data testing purposes.

Other than the above exception, we ask that you do not conduct testing and research on our production environments:

• https://manage.gocardless.com (please use https://manage-sandbox.gocardless.com instead)
• https://api.gocardless.com (please use https://api-sandbox.gocardless.com instead)
• https://payer-details.gocardless.com (please use https://payer-details-sandbox.gocardless.com instead)
• https://oauth.gocardless.com (please use https://oauth-sandbox.gocardless.com instead)
• https://connect.gocardless.com (please use https://connect-sandbox.gocardless.com instead)
• https://pay.gocardless.com (please use https://pay-sandbox.gocardless.com instead)

However, if you feel that there may be an issue that can only be reproduced in the production environment, please seek our consent for further testing via the HackerOne platform.

Our publicly supported GitHub repositories (https://github.com/gocardless?q=&type=public&language=&sort=) are in scope where we have open-source projects that are explicitly supported by GoCardless and have a security policy file defined.

See the Program Guidelines->Rewards and Scope sections of our program for further details on the domains against which we accept reports and the maximum severity of findings on each domain. These include some of the internal services that we utilise.

Out of scope services and applications

Third-party Software-as-a-Service (SaaS) services and applications are out of scope, even if they are accessible under an in-scope domain. This would typically include services, such as Zendesk , Jira, or externally hosted forms. Please submit any findings related to such services and applications via the appropriate service provider's Vulnerability Disclosure program.

GitHub repositories under the GoCardless organisation that are forks, mirrors, or archived are out of scope.

Out of scope vulnerabilities

When reporting vulnerabilities to GoCardless, please consider (1) the attack scenario and exploitability, and (2) the security impact of the finding. The following issues are considered out of scope unless you can demonstrate an exploitation approach that does not require social engineering, physical breach, or nation-state resources:

• Clickjacking
• Unauthenticated logout/login CSRF; search request CSRF; CSRF on unauthenticated or otherwise non-sensitive pages
• Attacks requiring MITM or physical access to a user's device
• Previously known vulnerable libraries without a working Proof of Concept (PoC)
• Public zero-day vulnerabilities that have an official patch released for less than 30 days will be reviewed on a case-by-case basis
• Comma-Separated Values (CSV) injection
• Missing best practices in SSL/TLS configuration
• Missing best practices in Content Security Policy
• Missing cookie flags
• Missing security-specific HTTP headers
• CORS misconfiguration without demonstrating the impact
• Email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
• Vulnerabilities that only affect users of outdated or unpatched browsers and operating systems
• Minor technical information disclosure, such as software versions, service banners, or health check endpoints
• Rate-limiting issues that lead to spam
• Rate limiting bypass or brute-forcing of endpoints not related to authentication
• Content spoofing and text injection issues without a PoC that would not require direct modification of the page content
• User or email enumeration
• Merchant Dashboard read_only and read_write user access to some of the "developers" information and functionality.
• Privilege escalation between admin & read-write users on GC4X: these roles have identical permissions by design
• Public user registration on Jira service desk
• Hypothetical subdomain takeovers without supporting evidence
• Issues that are premised on an unlikely user interaction
• Open redirect - unless an additional security impact can be demonstrated
• Credentials leaked on third-party sites without demonstrating a high degree of certainty in their validity - for example, reports where credential pairs are appended to GoCardless URLs, especially if these URLs are not related to authenticated portions of applications or reference legacy API endpoints, will not be considered as demonstrating a high degree of certainty

We are no longer issuing rewards for reports of potential GoCardless credentials leaked on third-party sites. We use other tools to continuously monitor the threat landscape for leaked credentials and other business-critical information about GoCardless and our customers. Further to that, upon every login, users' passwords are checked against a database of compromised passwords. You can still report these cases, if you wish, but no bounty will be issued in return.

Safe Harbor

All activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.