What Is the PayPal Bug Bounty Program?

Please note that your participation in the Bug Bounty Program is voluntary and is subject to the terms and conditions set out on this web page (“Program Terms”). By submitting a site or product vulnerability to PayPal, Inc. (“PayPal”), you acknowledge that you have read and agreed to these Program Terms.

These Program Terms are supplemented by the PayPal User Agreement, the PayPal Acceptable Use Policy, and any other agreements you have entered into with PayPal (collectively the “PayPal Agreements”). The terms of those PayPal Agreements will apply to your use of and participation in the Bug Bounty Program as if fully set forth herein. If any inconsistency exists between the terms of the PayPal Agreements and these Program Terms, these Program Terms shall govern, but only with regard to the Bug Bounty Program.



In order to encourage responsible disclosure, PayPal commits that, if we conclude, in our sole discretion, that a disclosure respects and meets all guidelines of these Program Terms and the PayPal Agreements, PayPal will not bring any private action against you or refer any matter for public inquiry.

As part of your research, do not alter any files or data, including permissions, and do not intentionally view or access any data beyond what is required to prove the vulnerability.

The Following PayPal Brands Are in Scope:




Braintree charge

Swift Financial / LoanBuilder


Brands and acquisitions not listed above are not in scope.

PayPal will do its best to adhere to the following response targets:

Response Type Business Days

Resolution time depends on severity and complexity


Eligibility Requirements

To be eligible for the Bug Bounty Program, you must not:

be a resident of, or submit from, a country against which the United States has issued export sanctions or other trade sanctions (e.g., Cuba, Iran, North Korea, Sudan, and Syria);

be in violation of any national, state, or local law or regulation;

be employed by PayPal, Inc. or its subsidiaries;

be an immediate family member of a person employed by PayPal, Inc. or its subsidiaries or affiliates; or

be under 14 years of age. If you are at least 14 years of age but are considered a minor in your place of residence, you must obtain the permission of your parent or legal guardian before you can participate in the program.

If PayPal determines that you meet any of the criteria above, PayPal will remove you from the Bug Bounty Program and disqualify you from receiving any bounty payments.

Disclosure Guidelines

By providing a Submission or agreeing to the Program Terms, you agree that you may not publicly disclose your findings or the contents of your Submission to any third party in any way without PayPal’s prior written approval.

Failure to comply with the Program Terms will result in immediate disqualification from the Bug Bounty Program and ineligibility to receive any bounty payments.

Scope for Web Applications

In-Scope Vulnerabilities

Accepted, in-scope vulnerabilities include, but are not limited to:


Log4Shell RCEs, data exfiltration, and WAF bypasses will be considered high or critical depending on the severity

Pingbacks in which you can show the environment, hostname, IP address, or date or time are assigned a medium rating

The report will be closed as informative if a reproducible proof of concept is not included.

Disclosure of sensitive or personally identifiable information

Cross-Site Scripting (XSS)

Cross-site request forgery (CSRF) for sensitive functions in a privileged context

Server-side or Remote Code Execution (RCE)

Authentication or authorization flaws, including insecure direct object references and authentication bypass

Injection vulnerabilities, including SQL and XML injection

Directory traversal

Critical security misconfiguration with a verifiable vulnerability

Exposed credentials, disclosed by PayPal or its employees, that pose a valid risk to an in-scope asset

Out-Of-Scope Vulnerabilities

Some vulnerabilities are considered out of scope for the Bug Bounty Program. Out-of-scope vulnerabilities include, but are not limited to:

Any physical attack against PayPal property or data centers

Reports that involve a secondary user account where an existing business relationship is being leveraged and the impact is limited to the parent account only

Username enumeration on customer-facing systems (i.e., using server responses to determine whether an account exists)

Scanner output or scanner-generated reports, including any automated or active exploit tools

Attacks involving payment fraud, theft, or malicious merchant accounts

Man-in-the-middle attacks

Vulnerabilities involving stolen credentials or physical access to a device

Social engineering attacks, including those targeting or impersonating internal employees by any means (including customer service chat features, social media, personal domains, etc.)

Vulnerabilities for which existing, documented controls exist (eg https://developer.P

