Vulnerability Disclosure Program
Paystack recognizes that the security community is a multiplier in our quest to provide a safe and secure experience for our customers and stakeholders. To that end, we always welcome the contributions of security researchers and strive to provide as good an experience as possible when researchers seek to disclose vulnerabilities.
This vulnerability program positions us to accept reports of bugs and vulnerabilities that provide a potential attacker with the ability to compromise the integrity, availability or confidentiality of Paystack’s products, services or information technology infrastructure.
By submitting a security bug or vulnerability to Paystack via HackerOne, you acknowledge that you have read and agreed to the Program Terms and Conditions set forth below. By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Paystack's prior written approval.
Program Terms and Conditions
Your participation in our program is voluntary and subject to the below terms and conditions:
- You need to show that you could exploit a vulnerability, but you must not actually exploit it. You must not: access, modify, copy, download, delete, compromise or otherwise misuse others’ data; access non-public information without authorization; degrade, interrupt or deny services to our users; and/or incur loss of funds that are not your own.
- You must not leverage the existence of a vulnerability or access to sensitive or confidential data to make threats, extortionate demands, or ransom requests.
- Your testing must not violate any applicable laws or regulations.
- You are prohibited from participating in the program if you are a resident of any U.S. embargoed jurisdiction, including but not limited to Iran, North Korea, Cuba, the Crimea region, and Syria; or if you are on the U.S. Treasury Department's list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List. By participating in the program, you represent and warrant that you are not located in any such country or on any such list.
- By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Paystack's prior written approval.
- You must be 18 years of age or older.
- You must not be employed by Paystack or any of its affiliates. You must also not be an immediate family member of someone employed by Paystack or any of its affiliates.
- By reporting a bug, you grant Paystack and its affiliates a perpetual, irrevocable, worldwide, royalty-free license to use, copy, adapt, develop, create derivative work from, or share your submission for any purpose. You waive all claims, including breach of contract or implied-in-fact contract, arising out of your submission.
- HackerOne may share with Paystack the personal information that you provide to HackerOne, in order to allow Paystack to run this program more effectively.
- Only the first, responsibly disclosed submission of a vulnerability instance will be marked as valid; any subsequent reports of the same instance will not be eligible for our program.
Ineligible Vulnerabilities
Paystack does not consider the following to be eligible vulnerabilities:
- Denial of service attacks
- RBAC and IDOR bypasses for all roles tied to a merchant or user
- Social engineering of Paystack employees, contractors, vendors, or service providers (e.g. phishing, vishing, smishing, etc.)
- Social engineering of customers or merchants
- Account squatting by preventing users from registering with certain email addresses
- Attacks requiring MITM or physical access to a user's device
- Clickjacking on pages with no sensitive actions
- Comma-Separated Values (CSV) injection without demonstrating a vulnerability
- Malicious file upload with no further exploit proof
- Reports of spam
- Self-XSS
- Content/text spoofing issues without a demonstrated attack vector or the ability to modify HTML/CSS
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Unconfirmed reports from automated vulnerability scanners
- Disclosure of server or software version numbers
- Hypothetical subdomain takeovers without supporting evidence
- Issues that are premised on unlikely user interaction
- Issues related to software or protocols not under Paystack control
- Missing Content Security Policy or best practices
- Session invalidation or other security-hardening issues related to account management when a credential is already known (e.g., password reset link does not immediately expire, adding MFA does not expire other sessions, etc.)
- Password complexity or account recovery policies
- Problems related to widely publicized CVEs
- Disclosure of private IP addresses in HTTP responses
- HTTP OPTIONS/TRACE/PUT methods enabled
- Descriptive error messages (e.g., Stack Traces, application, or server errors) without proof of vulnerability or risk
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Perceived security weaknesses without concrete evidence of the ability to compromise a user (e.g., missing rate limits, missing headers, etc.)
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Reports exploiting the behavior of, or vulnerabilities in, outdated browsers
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- User/merchant enumeration
- Previously known vulnerable libraries without a working Proof-of-Concept
- Best practice reports without a valid exploit (e.g. use of "weak" TLS ciphers)
- Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis
- Vulnerabilities found outside of the scoped domains