Details

The Stripe Bug Bounty Program Terms and Conditions ("Terms'') governs your participation in the Stripe Bug Bounty Program ("Program"). These Terms are between you and Stripe ("Stripe," "us," or "we"). By performing vulnerability research against Stripe’s infrastructure, submitting any vulnerabilities to Stripe, or otherwise participating in the Program in any manner, you accept these Terms.

##Program Eligibility

Participants must be at least 18 years old.
Stripe employees and contractors, as well as their family members, are strictly prohibited from participating in the Program, or sharing information with an external security researcher to bypass this prohibition.
You are prohibited from participating in the program if you are a resident of any U.S. embargoed jurisdiction, including, but not limited to, Iran, North Korea, Cuba, the Crimea region, and Syria; or if you are in the U.S. Treasury Department's list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List. By participating in the program, you represent and warrant that you are not located in any such country or on any such list.

##Rules of Engagement Your participation in our program is voluntary and subject to the following:

Your submission must include a working Proof of Concept to be considered for a reward.
Avoid harm to others’ data and privacy. Specifically:
- If you encounter any personal data or sensitive information in the course of your research, stop and notify our team immediately so we can investigate. Please report to us what data was accessed and delete the data. Do not save, copy, download, transfer, disclose, or otherwise use this data. Continuing to access others’ data or otherwise failing to adhere to this requirement will disqualify you from participating in the Program.
- If your research is designed to identify and demonstrate a vulnerability that could allow unauthorized access to personal data or sensitive information, make sure to take measures to minimize your access to or usage of such data to what is absolutely necessary to achieve those purposes (i.e., identification and demonstration of a vulnerability that could allow unauthorized access to personal data or sensitive information). For example, if you are injecting code into Stripe’s environment to test whether you could exfiltrate data from a Stripe database, limit the potential exfiltration to the first three rows and five columns of the table rather than the entire database.
- If, even after taking measures to minimize access to personal data or sensitive information, you ultimately end up encountering such data in the course of your research, follow the mitigation measures described above.
Do not leverage the existence of a vulnerability or access to personal data or sensitive information to make threats or extortionate demands. Do not not degrade, interrupt, or deny services to our users or take any actions that can affect the availability or integrity of Stripe’s systems and data (e.g., modifying or deleting data). If you notice service degradation or interruption, stop your research and notify us immediately.
Do not incur loss of funds that are not your own.
If you are performing research, use your own accounts to do so. Do not interact with other Stripe users’ accounts. See the “Creating Accounts for Vulnerability Research” section below for more detail.
By reporting a vulnerability, you grant Stripe and its affiliates a perpetual, irrevocable, worldwide, royalty-free license to use, copy, adapt, develop, and create derivative work from, or share your submission for any purpose. You waive all claims, including breach of contract or implied-in-fact contract, arising out of your submission.
By reporting a vulnerability, you also agree to allow HackerOne to share with Stripe information relating to your tax forms so that Stripe can perform compliance checks.
You will be responsible for any tax implications related to any bounty payment you receive, as determined by the laws of your jurisdiction.
Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.
We consider only the earliest, responsibly-disclosed submission of a vulnerability instance with enough actionable information to identify the issue for a reward. All other reports for a given issue will not be eligible for a reward under our Program.
Your research must not violate any applicable laws or regulations.

##Submission Review Process After a submission is sent to Stripe in accordance with the Rules of Engagement described above, Stripe engineers will review the submission and validate its eligibility for a reward. The review time could vary depending on the complexity and completeness of your submission, as well as on the number of submissions we receive.

Submission severity is evaluated based on Stripe specific threat models, which factors in Stripe's internal usage of the application or domain in question.

As explained in the Rules of Engagement, Stripe retains sole discretion in determining which submissions are qualified for a reward. If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first eligible submission. If a duplicate report provides new information that was previously unknown to Stripe, we may award a differential to the person submitting the duplicate report. Stripe will also reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. In these situations, we pay both researchers.

##Other Notes on Submission Eligibility

We accept and reward submissions for valid cross-site scripting vulnerabilities even if they are not accompanied by a bypass of our content security policy. Cross-site scripting vulnerabilities without a content security bypass will be assessed at a lower severity level than those with a bypass.
- If submitting an XSS vulnerability without a CSP bypass, please demonstrate impact by manually disabling the CSP in your web browser. This can be done via browser extensions or Burp/proxy match-and-replace rules.

As a reminder, you must use your own accounts to conduct any research and not interact with other Stripe users’ accounts. For further information, please refer to the “Rules of Engagement” section of our policy.

##Creating Accounts for Vulnerability Research You must create your own account using a HackerOne email address ([email protected]) to help us track security research activity. When opening your own merchant account, please add “bug-bounty” to the end of the merchant name. In addition, inject an ‘X-Bug-Bounty: username’ header, where possible.

##Disclosure By participating in this program, you agree not to publicly or privately disclose the contents of your submission, your findings, your communications with Stripe related to your participation in the Program, or any facts you have learned about Stripe in the course of your participation in the Program to any third party without Stripe’s prior written approval. There are no exceptions.

##Researcher Privacy To protect your privacy, we will not, unless served with legal process or to address a violation of this policy:

Share your personally identifiable information with third parties
Share your research without your permission
Share your participation without your permission

##Accountability Stripe reserves the right to disqualify you from participating in the Program if you violate the Rules of Engagement or other rules specified in this program policy, including the rules about disclosure.

##Changes to the Terms We may change the Terms at any time. Participating in the Program after the changes become effective means you agree to the new Terms. If you don't agree to the Terms, you must not participate in the Program.