PayPal Bug Bounty Program.
For Professional Researchers: Bug Bounty Program
Our team of dedicated security professionals works vigilantly to help keep customer information secure. We recognize the important role that security researchers and our user community play in also helping to keep PayPal and our customers secure. If you discover a site or product vulnerability please notify us using the guidelines below.
Please note that your participation in the Bug Bounty Program is voluntary and subject to the terms and conditions set forth on this page (“Program Terms”). By submitting a site or product vulnerability to PayPal, Inc. (“PayPal”) you acknowledge that you have read and agreed to these Program Terms.
These Program Terms supplement the terms of PayPal User Agreement, the PayPal Acceptable Use Policy, and any other agreement in which you have entered with PayPal (collectively “PayPal Agreements”). The terms of those PayPal Agreements will apply to your use of, and participation in, the Bug Bounty Program as if fully set forth herein. If there is any inconsistency exists between the terms of the PayPal Agreements and these Program Terms, these Program Terms will control, but only with regard to the Bug Bounty Program.
You can jump to particular sections of these Program Terms by using the following links :
Responsible Disclosure Policy
To encourage responsible disclosures, PayPal commits that, if we conclude, in our sole discretion, that a disclosure respects and meets all the guidelines of these Program Terms and the PayPal Agreements, PayPal will not bring a private action against you or refer a matter for public inquiry.
To participate in the Bug Bounty Program, you must have a verified PayPal account in good standing in order to register for the Bug Bounty Program and be eligible to receive Bounty Payments (described further below). Alternatively, if you do not have a PayPal account, you may elect to submit reports via email, but you won’t be eligible for a Bounty Payment. If you do not currently have a PayPal account, you can sign up for one here.
To be eligible for the Bug Bounty Program, you must not:
- Be a resident of, or make your Submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);
- Be employed by PayPal, Inc. or its subsidiaries
- Be an immediate family member of a person employed by PayPal, Inc. or its subsidiaries or affiliates; or
- Be less than 18 years of age.
If PayPal discovers that you do not meet any of the criteria above, PayPal will remove you from the Bug Bounty Program and disqualify you from receiving any bounty payments. Any submissions you make to PayPal, whether via your Bug Bounty Program account or via email shall be considered “Submission(s)” for purposes of these Program Terms.
Bug Submission Requirements and Guidelines
If you are a security researcher who has discovered a site or product vulnerability on a qualifying domain and would like to participate in the Bug Bounty Program, you can send us a submission by logging into and participating in the Bug Bounty Program located at PayPal
In researching vulnerabilities on PayPal’s sites, you may not engage in testing that (i) results in a degradation of PayPal systems, (ii) results in you, or any third party, accessing, storing, sharing or destroying PayPal or customer data, or (iii) may impact PayPal customers, such as denial of service, social engineering or spam.
You may not publicly disclose your findings or the contents of your Submission in any way without PayPal’s prior written approval.
Failure to follow these guidelines will result in immediate disqualification from the Bug Bounty Program and ineligibility for receiving any bounty payments.
Ownership of Submissions
As between PayPal and you, as a condition of participation in the PayPal Bug Bounty Program, you hereby grant PayPal, its subsidiaries, affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to PayPal in connection therewith, for any purpose. You should not send us any Submission that you do not wish to license to us.
You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to PayPal. In no event shall PayPal be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in the Submission irrespective of their similarity to the information in the Submission, so long as PayPal complies with the terms of participation stated herein.
Eligible Domains Policy
The following domains are included for the paypal.com family of companies:
The Bug Bounty Program is also valid on certain Partner Sites**, such as:
- www.paypal-__.com domains
- any PayPal-branded sites, including https://stories.paypal-corp.com and ppmts.custhelp.com
Please note that our partner sites (www.paypal-__.com) are mainly marketing based sites that are not part of the core PayPal customer domains (.paypal.com) and are managed by hosting vendor companies. They have variable timelines and are often decommissioned. A listing of these sites designated for deprecation will not be publically maintained due to frequent changes. When researching bugs on these sites, please keep this in mind as bug Submissions for sites on schedule for deprecation will not be honored.
Certain vulnerabilities are considered out-of-scope for the Bug Bounty Program. Those out-of-scope vulnerabilities include, but are not limited to:
- Vulnerabilities dependent upon social engineering techniques
- Denial of service
- Brute forcing
- Vulnerabilities in non-web applications
- Clickjacking on partner sites (i.e., www.paypal-__.com domains)
- Most vulnerabilities involving active content
- Most vulnerabilities within our sandbox, lab or staging environments.
- Outdated Browsers: vulnerabilities contingent upon outdated or unpatched browsers will not be honored, including Internet Explorer versions prior to version 8.
- Information disclosure of public and information that do not present risk to our PayPal customers or PayPal, including:
- Web server type disclosure
- Access to web server files or directories that do not contain internal, confidential or restricted data.
- Server error messages that do not contain internal, confidential or restricted data or avenues to obtain it
You may be eligible to receive a monetary reward, or “bounty,” if: (i) you are the first person to submit a site or product vulnerability; (ii) that vulnerability is determined to by a valid security issue by PayPal’s security team; and (iii) you have complied with all Program Terms.
Bounty payments, if any, will be determined by PayPal, in PayPal’s sole discretion. In no event shall PayPal be obligated to pay you a bounty for any Submission. All bounty payments shall be considered gratuitous.
In the event PayPal elects to pay you a bounty, PayPal may make a partial payment when the vulnerability is first verified by PayPal and then an additional payment once the vulnerability has been fixed. The format and timing of all bounty payments shall be determined in PayPal’s sole discretion.
All bounty payments must be made to a verified PayPal Account in good standing. If you do not have a verified PayPal Account in good standing at the time of payment, you will not be eligible to receive a bounty (except in extraordinary circumstances agreed to by PayPal via email from the Bug Bounty Program team).
All bounty payments will be made in United States dollars (USD). You will be responsible for any tax implications related to bounty payments you receive, as determined by the laws of your jurisdiction of residence or citizenship.
|Vulnerability||.paypal.com and PayPal subsidiary websites||Partner sites (www.paypal-__.com)|
|Remote Code Execution||Up to $10,000||$1,500|
|SQL Injection||Up to $5,000||$1,000|
|Authentication Bypass||Up to $3,000||$1,000|
|Cross-Site Scripting (XSS)||$750||$100|
|Information Disclosure of Sensitive Data||$750||$100|
|Cross-Site Request Forgery (CSRF)#||$750||0|
Payout Ranges for paypal.com domains
Estimated payout ranges+ # (in USD) for in-scope vulnerabilities are as listed below. These payout rates apply to domains included under the paypal.com category of the Eligible Domains Policy..
+Payout ranges are based on the classification and sensitivity of the data impacted, ease of exploit and overall risk to PayPal customers, PayPal brand and determined to be a valid security issue by PayPal’s security engineers. Common sensitive data elements include customer social security number, credit card number, card verification code, bank account number, login credentials and passwords. PayPal may pay beyond the range at times when bugs are found to have significant risk.
#Please note that Clickjacking and CSRF vulnerabilities are only reviewed for sites and pages where the ease of exploit and risk to PayPal is significant. Also, please note that, while "Logout CSRF" is a well-acknowledged issue, there are other techniques (like "cookie forcing" and "cookie bombardment") that can make it futile to defend against this attack. Also, PayPal web sessions are relatively short lived and hence, the PayPal will not consider reports of the ability to log out users from PayPal as qualifying for a bounty.
Wall of Fame
In the event (i) you breach any of these Program Terms or the terms and conditions of the PayPal Agreements; or (ii) PayPal determines, in its sole discretion that your continued participation in the Bug Bounty Program could adversely impact PayPal (including, but not limited to, presenting any threat to PayPal’s systems, security, finances and/or reputation) PayPal may immediately terminate your participation in the Bug Bounty Program and disqualify you from receiving any bounty payments.
Any information you receive or collect about PayPal or any PayPal user through the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the PayPal sites, without PayPal’s prior written consent..
In addition to any indemnification obligations you may have under the PayPal Agreements, you agree to defend, indemnify and hold PayPal, its subsidiaries, affiliates and the officers, directors, agents, joint ventures, employees and suppliers of PayPal, its subsidiaries, or our affiliates, harmless from any claim or demand (including attorneys’ fees) made or incurred by any third party due to or arising out of your Submissions, your breach of these Program Terms and/or your improper use of the Bug Bounty Program.
Changes to Program Terms
The Bug Bounty Program, including its policies, is subject to change or cancellation by PayPal at any time, without notice. As such, PayPal may amend these Program Terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the Bug Bounty Program after PayPal posts any such changes, you accept the Program Terms, as modified.
Frequently Asked Questions
- Bugs that present negligible to no impact to our customers or company. Common examples include:
- Error messages void of sensitive data
- Web server type disclosure
- Clickjacking on pages without sensitive content, authentication, or state changing actions
- Self-XSS scenarios that would require additional user interaction, including the user manually inputting the XSS payload.
- Most vulnerabilities within our sandbox, lab or staging environments. Domains utilized by customers take precedence
- Please be aware of all program criteria and scope, as well as the Program Terms.
- Do not engage in testing that can impact our customers, like denial of service, social engineering or spam.
- When utilizing personal or test accounts, they are subject to our fraud controls and filters and may act upon irregular activity.
- A proof of concept consisting of detailed steps or screen shots is helpful in facilitation of review and eventual fix.
Due to the separation of eBay and PayPal, we want to inform you of several changes within our bug submission portal.
- PayPal is creating a new Bug Bounty portal to file PayPal vulnerabilities. This will require you to register and login using a new or existing PayPal accounts' login credentials. You will no longer be able to use your eBay Bug Bounty account to file new vulnerabilities. Until the new PayPal Bug Bounty portal is deployed live, please send an email to email@example.com and we will send instructions on how to securely send your vulnerability to us.
- Issues filed through the eBay Bug Bounty portal will be temporarily unavailable for your review. We want to assure you that none of your account history will be lost and you will continue to receive email notifications for any status changes, including payouts, on previously filed bugs. We will be reaching out to you with instructions on how to merge your new account details with your previously-submitted information. We expect this merging process to be completed by end of September and will keep you informed if anything changes. If you need additional information concerning any open issues filed through the old portal, please contact us at firstname.lastname@example.org