
M-Pesa Africa Limited
Bounty Range
$250 - $3,000
external program

If you believe you have found a security vulnerability in any of our M-Pesa products or services, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.
Please be aware that we do not permit any reports to be publicly disclosed.
• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Social engineering (e.g., phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
• Only interact with accounts you own or with the explicit permission of the account holder.
• Any tests that violate the above conditions will not be eligible for a bounty reward.
• You are free to report a vulnerability for any of our assets that are out of scope, but they may not be eligible for a bounty. However, we will review them on a case-by-case basis.
• Employees and contractors (or former employees/contractors who have not completed 3 years after leaving the organization) of Safaricom, Vodacom, and Vodafone Markets are not eligible to participate in the bug bounty program. However, they can disclose vulnerabilities to [email protected].
Rewards are based on severity per CVSS (the Common Vulnerability Scoring System). These are general guidelines, and reward decisions are at the discretion of M-Pesa Africa Limited.
| Severity | Average Bounty |
|---|---|
| Low | $250 |
| Medium | $500 |
| High | $1,000 |
| Critical | $3,000 |
• Exported Components Without Proper Permissions
• Sensitive Information in Memory Dumps in Cleartext
• Insecure Data Storage
• No Session Timeout Mechanism
• Lack of Root/Jailbreak Detection or Protection
• SSL Certificate Pinning Issues
• Ability to Copy Sensitive Information to Clipboard/Pasteboard
• Insecure WebView Implementation (e.g., JavaScript Enabled)
• Excessive Application Permissions
• Sensitive Information Exposed in UI Snapshots
• Lack of Code Obfuscation
• Mini Applications or Embedded Applets
When reporting vulnerabilities, please consider (1) the attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
• Any activity that could lead to the disruption of our service, e.g., denial of service attacks.
• Clickjacking / UI redressing attacks on pages with no sensitive actions.
• Unauthenticated/logout/login CSRF.
• 0-day vulnerabilities less than 30/60/90 days from patch release are ineligible for bounty.
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
• Issues in third-party services/platforms that are beyond our control.
• Vulnerabilities as reported by automated tools without additional analysis as to how they are an issue. If an IP address is discovered to persistently and constantly use automated tools, that IP address shall be blocked.
• All brute-force attacks.
• Self-XSS and XSS that affects only outdated browsers.
• Host header and banner-grabbing issues.
• Missing HTTP security headers and cookie flags on insensitive cookies.
• Open redirects, unless they can be used for actively stealing tokens.
• User enumeration such as user email, user ID, etc.
• Phishing / Spam (including issues related to SPF/DKIM/DMARC).
• Missing security best practices (e.g., account lockout, captcha).
• Session fixation and session timeout.
• Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end-user interactions to be exploited.
• Any bugs or issues related to third parties or vendors, e.g., Cisco, Oracle, Microsoft, etc.
• Subdomain takeover.
• Firebase API exposure.
• Google Maps API exposure.
• Self-XSS involving a payload in headers or in the body of the request.
• Vulnerabilities that are disclosed to any party other than M-Pesa, including vulnerability brokers, will not qualify for the reward. This includes both public disclosure and limited private release.
We encourage security researchers to responsibly disclose any discovered credentials that could lead to unauthorized access or exposure of sensitive data.
Reports will be accepted if the leaked credentials meet any of the following criteria:
• Credentials granting administrative or high-privilege access to:
Reports involving the following types of credential exposure are generally not eligible:
• Personal user credentials for non-critical systems (e.g., learning platforms, internal blogs, or corporate social media)
• Credentials that are external to M-Pesa's infrastructure or domains (e.g., personal Gmail accounts used to sign in to M-Pesa-related services)
• Leaked credentials that are effectively protected by multi-factor authentication (MFA) and cannot be misused
• Individual customer account credentials
(Note: While not in scope for bounty, we encourage you to report any such findings so we can notify and advise the affected customer appropriately.)
• Average time to first response: 6 hours
• Average time to triage: 1 week, 12 hours
• Average time to bounty: 16 hours
• Average time from submission to bounty: 1 week, 1 day
• Average time to resolution: 1 year, 6 days